When you set up trust between vCenter and a KMS, only the leaf certificate is stored if the KMS server certificate is a chain, so when the KMS leaf certificate is refreshed, the connection between vCenter and the KMS server will have issues.
VMware vCenter Server 8.0.x
VMware vCenter Server 6.7.x
VMware vCenter Server 7.0.x
Only the leaf certificate of the chain is stored when trust is set up between vCenter and the KMS.
Currently there is no resolution.
Workaround:
Users can add the KMS root server certificate by using either option 1 or option 2:
1. Add the KMS root server certificate by using the vCenter UI:
Log in to vCenter in a web browser.
Click Configure -> Key Providers -> ESTABLISH TRUST -> Upload KMS Certificate.
Upload the relevant KMS root certificate.
or
2. Add the KMS root server certificate by using PowerCLI:
Use the PowerCLI cmdlet Connect-VIServer to connect to vCenter.
Run the following PowerCLI commands to upload the KMS server certificate:
# Get the vCenter KMIP crypto manager managed object
$kmsMgr = Get-View -Id 'CryptoManagerKmip-CryptoManager'
# Look up the key provider (KMS cluster) by name
$kmsCluster = Get-KmsCluster -Name 'NameValueHere'
$kmsClusterId = $kmsCluster.ExtensionData.ClusterId
# PEM-encoded KMS root certificate (placeholder; paste the full certificate text)
$certificate = '-----BEGIN CERTIFICATE----------END CERTIFICATE-----'
# Upload the certificate to the key provider
$kmsMgr.UploadKmipServerCert($kmsClusterId, $certificate)
Replace 'NameValueHere' with your own key provider name and the certificate placeholder with your own KMS server certificate.
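The following PowerCLI script is an added example and is not part of the VMware KB article: it reads a full KMS certificate chain from a PEM file, picks out the self-signed root (the block whose Subject equals its Issuer), and uploads only that root through the same UploadKmipServerCert call used in the workaround above, so the trust does not have to be re-established each time the leaf is rotated. It assumes PowerCLI is loaded and Connect-VIServer has already been run; the key provider name 'MyKeyProvider' and the path 'C:\kms\kms-chain.pem' are placeholders.

```powershell
# Added example, not from the VMware KB article. Assumes Connect-VIServer has run.
# Placeholder values: replace with your own key provider name and chain file path.
$keyProviderName = 'MyKeyProvider'
$chainPath       = 'C:\kms\kms-chain.pem'

# Split the PEM file into individual certificate blocks (chain order varies, so
# we do not simply take the last block).
$pem    = Get-Content -Path $chainPath -Raw
$blocks = @([regex]::Matches($pem, '-----BEGIN CERTIFICATE-----[\s\S]*?-----END CERTIFICATE-----') |
            ForEach-Object { $_.Value })
if ($blocks.Count -eq 0) { throw "No certificates found in $chainPath" }

# Parse each block and keep the self-signed one, i.e. the root CA.
$rootPem  = $null
$rootCert = $null
foreach ($block in $blocks) {
    $b64   = ($block -replace '-----(BEGIN|END) CERTIFICATE-----', '') -replace '\s', ''
    $bytes = [Convert]::FromBase64String($b64)
    $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
    Write-Host ("Found: {0} (expires {1})" -f $cert.Subject, $cert.NotAfter)
    if ($cert.Subject -eq $cert.Issuer) {
        $rootPem  = $block
        $rootCert = $cert
    }
}
if (-not $rootPem) { throw "Chain in $chainPath contains no self-signed root certificate" }
Write-Host ("Uploading root CA: {0} thumbprint {1}" -f $rootCert.Subject, $rootCert.Thumbprint)

# Same API call as in the workaround above, but with the root rather than the leaf.
$kmsMgr       = Get-View -Id 'CryptoManagerKmip-CryptoManager'
$kmsCluster   = Get-KmsCluster -Name $keyProviderName
$kmsClusterId = $kmsCluster.ExtensionData.ClusterId
$kmsMgr.UploadKmipServerCert($kmsClusterId, $rootPem)
```

Because vCenter will then trust any server certificate that chains to that root, confirm the printed thumbprint against the value published by your KMS administrator before running the upload, and keep the chain file itself access-restricted.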