It's not clear (to me) where in the client's computer you're seeing this.
In general, delete that certificate from the Keychain, and add your certificate(s) into the Keychain. (Safest to add these certs via a trusted access path, too.)
Also check the client's view of the local DNS services and the associated IP addresses here, and make sure you're not getting to a different server. In this case, to the chocolate folks. (You've obfuscated the target domain, so I can't check this case.)
If you want to follow through with the "have I been hacked?" discussion, that can take a day or two (and potentially longer) of digging around to determine what's happened and how and whether there are any obvious back-doors left around, and (for most cases, with most clients) it's usually easier to preemptively wipe the client system and install from distro, roll the user's own files in from backup, change all the passwords and all the local private keys, and otherwise lock down the client system. (There are exceptions, of course. For hacked servers and for some clients, figuring out how the attack has happened can be more useful. But it's more involved.)
FWIW, if you're running your own public key chain here, then load your root cert public key into the server and into the clients, and use CSRs from the various clients to set up the key-pairs for the various servers and clients involved. (I'd guess you're not implementing this private CA approach though, based on your "certificated" phrasing; I'm going to assume that was intended to be "certificates", and that you have two separate self-signed certs here.)
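The private-CA route the answer sketches, as an added example (this is not code from the original post): a root CA is created with openssl, a server key and CSR are generated, the CSR is signed by the root, and the result is checked the way a client that trusts only the root would check it. It also shows why two unrelated self-signed certs fail that check, and how to get a fingerprint to compare against what the Keychain holds. The CA name, the hostname `example.test`, and the directory layout are assumptions; the macOS `security` and `dscacheutil` commands in the last function are real but are only run by hand on the client, not by the demo.

```shell
#!/bin/sh
# Added example for the private-CA approach; not the original answer's code.
# Assumes openssl 1.1.1+ on PATH. Names and paths below are illustrative.
set -eu

# Create a self-signed root CA in $1: root.key (keep offline) and root.pem
# (this is the one file that goes into every server and client trust store).
make_root_ca() {
  dir=$1
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example Private Root CA" \
    -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
}

# Server side: generate a key and a CSR for host $2; the CSR (not the key)
# is what travels to the CA. Then the CA signs it, adding the SAN so modern
# clients match the hostname, and serverAuth so it is only usable as a server cert.
issue_server_cert() {
  dir=$1; host=$2
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
    -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" \
    > "$dir/$host.ext"
  openssl x509 -req -sha256 -days 825 -in "$dir/$host.csr" \
    -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
    -extfile "$dir/$host.ext" -out "$dir/$host.pem" 2>/dev/null
}

# The situation the question seems to describe: a standalone self-signed
# cert for $2, with no relationship to the root.
make_self_signed() {
  dir=$1; host=$2
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -subj "/CN=$host" \
    -addext "subjectAltName=DNS:$host" \
    -keyout "$dir/self-$host.key" -out "$dir/self-$host.pem" 2>/dev/null
}

# What a client trusting only $2 does: chain $3 back to the root and check
# that it is valid for hostname $1. Returns 0 on success, non-zero otherwise.
verify_leaf() {
  host=$1; root=$2; leaf=$3
  openssl verify -CAfile "$root" -verify_hostname "$host" "$leaf" >/dev/null 2>&1
}

# SHA-256 fingerprint of a PEM cert. Compare this against the cert the
# Keychain holds and against what the server actually presents:
#   openssl s_client -connect HOST:443 -servername HOST </dev/null 2>/dev/null \
#     | openssl x509 -noout -fingerprint -sha256
cert_fingerprint() {
  openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

# Client-side commands for macOS (run by hand on the client; not executed here):
# check what the client resolves, and what is in the Keychain.
macos_client_checks() {
  host=$1; root=$2
  dscacheutil -q host -a name "$host"                     # client's view of DNS
  security find-certificate -c "Example Private Root CA" -p # is our root there?
  # security delete-certificate -c "<name of the wrong cert>"
  # security add-trusted-cert -d -r trustRoot \
  #   -k /Library/Keychains/System.keychain "$root"
}

# End-to-end run in a scratch directory. Returns 0 only if the CA-issued
# cert verifies and the unrelated self-signed one is rejected.
demo() {
  d=$(mktemp -d)
  host=example.test
  make_root_ca "$d"
  issue_server_cert "$d" "$host"
  make_self_signed "$d" "$host"
  echo "root fingerprint:   $(cert_fingerprint "$d/root.pem")"
  echo "server fingerprint: $(cert_fingerprint "$d/$host.pem")"
  verify_leaf "$host" "$d/root.pem" "$d/$host.pem" || return 1
  if verify_leaf "$host" "$d/root.pem" "$d/self-$host.pem"; then return 1; fi
  # A hostname the cert was not issued for must also be rejected.
  if verify_leaf "other.test" "$d/root.pem" "$d/$host.pem"; then return 1; fi
  rm -rf "$d"
  return 0
}
```

Run `demo` to see both fingerprints and confirm the three checks pass; the root fingerprint printed here is the value to compare against the entry in the client's Keychain, and the server fingerprint against what `openssl s_client` reports from the real host, which is how you notice a DNS or interception problem rather than a trust-store one.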