Need help finding a webvpn cert in FMC

DaveNoonan26775
Level 1

I have an expired cert that I'm trying to remove via FMC (7.2.9) but I can't find it.

In the CLI I see this...

webvpn
  trustpoint sp VPN_x2025-02

...but in FMC I can't find anything that's using that certificate. I don't see it under any of the VPN profiles, the group policies, the access interfaces or the advanced tab.

Does anyone have suggestions for where in the FMC GUI the webvpn > trustpoint sp cert is configured?

Thanks
(If there are no suggestions I'll try flex config to remove it.)


6 Replies

That's true, and when I try to delete it from there it says it is used and won't remove it.

The error message when I try to delete it is...

Unable to delete certifcate enrollment. It is used in the following policies: 
Remote Acess VPN: VF-SVPN

There are six tunnel-groups under the policy and I don't see VPN_x2025-02 under any of them, so I went to the CLI and found it under webvpn, but I still don't know what that means in FMC terms. (This is the bit I don't like about GUIs.)


@DaveNoonan26775 Is it configured as the Access Interface certificate?

Devices > VPN > Remote Access.

Click the Access Interface tab

Select the Configure Interface Specific Identity Certificate check box and select Interface Identity Certificate from the drop-down list.

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/740/management-center-device-config-74/vpn-remote-access.html#id_49114


Been there, done that. That box lists the correct cert, which replaced VPN_x2025-02. In the CLI config I see that one as a trustpoint but it's not under webvpn.

Thank you.  At least I feel like I'm not alone now.

@DaveNoonan26775 if you are using SAML, you might also find it under AAA servers which are indirectly referenced by a VPN Connection profile / tunnel-group.

Removal via flexconfig will be blacklisted since the feature is configured via the GUI.

We recently started using SAML, but the cert in question was on the interface at one time and was replaced when it expired.

At least now I feel more confident that I haven't missed anything obvious.  I'll open a TAC case and see if they can find it.


Thanks, @Marvin Rhoads. Thanks, @Rob Ingram.
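The thread's underlying problem is mapping a CLI trustpoint reference back to the FMC object that owns it. As an added example (not from this thread or from Cisco), the Python script below walks a saved running config, tracks ASA/FTD-style sub-mode nesting by indentation, and reports every context that names a given trustpoint together with the FMC location that edits it. The sample config, its names and URLs are constructed; the `saml idp` and PKI mappings in the hint table are assumptions, while the access-interface and connection-profile mappings come from the replies above.

```python
import re

# Constructed sample in ASA/FTD style (one space of indentation per sub-mode
# level); trustpoint names and URLs are placeholders, not from a real device.
SAMPLE_CONFIG = """\
crypto ca trustpoint VPN_x2025-02
 enrollment terminal
crypto ca trustpoint VPN_x2026-02
ssl trust-point VPN_x2026-02 outside
webvpn
 enable outside
 saml idp https://idp.example.test/saml
  trustpoint idp IDP_CERT_PLACEHOLDER
  trustpoint sp VPN_x2025-02
tunnel-group VF-SVPN webvpn-attributes
 authentication saml
 saml identity-provider https://idp.example.test/saml
"""

# CLI context prefix -> where that setting is edited in FMC. The first two
# come from the thread above; the saml and PKI entries are assumptions.
FMC_HINTS = {
    "ssl trust-point": "Remote Access VPN > Access Interfaces > Interface Identity Certificate",
    "tunnel-group": "Remote Access VPN > Connection Profile",
    "saml idp": "AAA Server object (SAML single sign-on server) used by the connection profile",
    "crypto ca trustpoint": "Objects > PKI > Cert Enrollment (the certificate object itself)",
}


def find_trustpoint_refs(config: str, name: str) -> list[dict]:
    """One record per line naming `name`, with the mode path (outermost first)
    that shows which sub-mode a bare 'trustpoint sp' line really belongs to."""
    word = re.compile(rf"(?<![\w-]){re.escape(name)}(?![\w-])")
    stack: list[str] = []   # enclosing mode commands, outermost first
    hits: list[dict] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        depth = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        del stack[depth:]   # an outdent closes every deeper sub-mode
        if word.search(line):
            path = stack + [line]
            # innermost context with a known FMC mapping wins
            key = next((k for ctx in reversed(path) for k in FMC_HINTS
                        if ctx.startswith(k)), None)
            hits.append({"path": path, "fmc": FMC_HINTS.get(key, "no mapping known")})
        stack.append(line)  # this line may open a sub-mode for what follows
    return hits
```

Run it against the output of `show running-config` saved to a file and the `path` field tells you whether a `trustpoint sp` line sits directly under `webvpn` or inside a `saml idp` sub-mode, which is the distinction the GUI hides.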
