Symptoms:
Back up of Native Key Provider has failed.
Cause:
The URL for downloading the backup file depends on the vCenter hostname (PNID). If the hostname of the vCenter is unset, so that the PNID is an IP address, the generated URL is not valid and the backup file cannot be downloaded.
To check whether the PNID of the vCenter is an IP address, run:
/usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost
Resolution:
This is a known issue, and currently there is no resolution. However, the following workaround can be applied:
List the configured key providers to find the name of the Native Key Provider:
# dcli com vmware vcenter cryptomanager kms providers list
Run the following command to export the provider details:
# dcli com vmware vcenter cryptomanager kms providers export --provider <nkp_name>
Replace <nkp_name> with the actual Native Key Provider name.
When prompted for the Username and Password, enter the SSO Admin user credentials (default: administrator@vsphere.local).
When asked to save credentials in the credstore, choose No (n).
Command Output Example:
location:
download_token:
expiry: [YYYY-MM-DDTHH:MM:SS]
token: <alphanumeric token ID>
url: https://localhost/cryptomanager/kms/nkp_name
Type: location
Replace localhost in the url field with the IP address of your vCenter, and pass the token value from the export output as the Bearer token in the Authorization header:
# wget 'https://<VCIP>/cryptomanager/kms/nkp_name' --header 'Authorization: Bearer <token from step 1>'
The file will not have an extension. Rename it with a .p12 extension:
# mv 'nkp_name' 'nkp_name.p12'
Use WinSCP or FileZilla to copy the file out of vCenter.
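As an added example (not part of this KB), a small POSIX shell script that automates the steps above: it parses the export output, rewrites the localhost URL to the vCenter IP, checks the token expiry and downloads the backup straight to a .p12 file. The sample export output, the IP 192.0.2.10 and the token value are constructed placeholders; the expiry is assumed to be in UTC.

```shell
#!/bin/sh
# Added example, not from the KB: parse the 'dcli ... providers export' output,
# swap localhost for the vCenter IP (PNID) and fetch the backup as <provider>.p12.

# Constructed sample output in the shape printed by the export command (placeholders).
SAMPLE_EXPORT='location:
download_token:
expiry: 2099-01-01T00:00:00
token: EXAMPLE_TOKEN_VALUE
url: https://localhost/cryptomanager/kms/nkp_name
Type: location'

# field KEY OUTPUT: print the value of the first "KEY: value" line (anchored, so
# "download_token:" does not match "token:").
field() { printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1; }

# nkp_url VCIP OUTPUT: the download URL with localhost replaced by the vCenter IP.
nkp_url() { field url "$2" | sed "s/localhost/$1/"; }

# nkp_filename OUTPUT: provider name is the last URL path element; add the .p12 suffix.
nkp_filename() { printf '%s.p12\n' "$(basename "$(field url "$1")")"; }

# nkp_token_unexpired OUTPUT: ISO-8601 timestamps sort lexically, so compare as strings
# against the current UTC time (assumes the expiry field is UTC).
nkp_token_unexpired() { [ "$(field expiry "$1")" \> "$(date -u +%Y-%m-%dT%H:%M:%S)" ]; }

# nkp_download VCIP OUTPUT: download with the bearer token and sanity-check the result.
nkp_download() {
  token=$(field token "$2"); url=$(nkp_url "$1" "$2"); out=$(nkp_filename "$2")
  nkp_token_unexpired "$2" || { echo "download token has expired, re-run the export" >&2; return 1; }
  wget -q -O "$out" --header "Authorization: Bearer $token" "$url" || return 1
  # A PKCS#12 file is DER-encoded: its first byte is the ASN.1 SEQUENCE tag 0x30.
  [ "$(head -c 1 "$out" | od -An -tx1 | tr -d ' ')" = "30" ]
}
```

Run it on the appliance as `nkp_download <VCIP> "$(dcli com vmware vcenter cryptomanager kms providers export --provider <nkp_name>)"`; the wget step is only reached when the token has not expired.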