When VC and Workload Platform Management are replaced with SHA1 certificates, then the Kubectl login from the client machine (configured with SHA1 root CA certificates) will fail with the error "x509: cannot verify signature: insecure algorithm SHA1-RSA (temporarily override with GODEBUG=x509sha1=1)".

[client ~ ]# kubectl vsphere login --vsphere-username <username> --server <cluster-ip>
ERRO[0000] Error occurred during HTTP request: Get "https://<cluster-ip>/wcp/loginbanner": x509: certificate signed by unknown authority (possibly because of "x509: cannot verify signature: insecure algorithm SHA1-RSA (temporarily override with GODEBUG=x509sha1=1)" while trying to verify candidate authority certificate "<cert_CA>")
There was an error when trying to connect to the server.\nPlease check the server URL and try again.FATA[0000] Error while connecting to host <cluster-ip>: Get "https://<cluster-ip>/wcp/loginbanner": x509: certificate signed by unknown authority (possibly because of "x509: cannot verify signature: insecure algorithm SHA1-RSA (temporarily override with GODEBUG=x509sha1=1)" while trying to verify candidate authority certificate "<cert_CA>").

VMware vCenter Server 7.0.3

To resolve the issue, set the environmental variable GODEBUG=x509sha1=1 on the client machine before running the kubectl login.

Example: In Linux client
[client ~ ]# export GODEBUG=x509sha1=1