Certificate update on Kubernetes secret is not getting updated in NSX-T

Article ID: 316731

Updated On:

Products

VMware NSX

Issue/Introduction

Symptoms:
  • When a certificate is updated on a TLS secret, it does not get pushed into NSX-T
  • NSX-T still shows the old certificate validity
  • The certificate gets updated on the secret without any issue 


Cause

NCP does not resync backend resources when the secret is updated.

Resolution

This is a known issue affecting Tanzu Kubernetes Grid Integrated Edition and NSX-T / NCP. There is currently no resolution.

Workaround:
To work around the issue, use one of the following processes.

  • Restart the NCP master process
  • Delete the old secret and create a new one with the updated certificate


To find the NCP master, log in to a TKGI control plane node and run /var/vcap/jobs/ncp/bin/nsxcli -c get ncp-master status as root. If you are on the node that is functioning as the NCP master, the output will look like the following.

master/########-####-####-####-########b3db:/# /var/vcap/jobs/ncp/bin/nsxcli -c get ncp-master status
This instance is the NCP master
Current NCP Master id is ########-####-####-####-########3c72
Current NCP Instance id is ########-####-####-####-########3c72
Last master update at Tue Nov  5 07:41:27 2019


Note: If there are multiple TKGI control plane nodes, you may need to repeat this on each node until you find the NCP master.

When you have confirmed that you are on the NCP master, run the following commands to restart NCP:

monit stop ncp
monit start ncp
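
The restart procedure above as one guarded script, added here as an example and not VMware's own tooling: it restarts NCP only when the status output contains the master line shown in the article. The nsxcli path, the status line and the monit commands are the article's; the function names and the --restart switch are assumptions.

```shell
#!/bin/sh
# Added example, not VMware's tooling. The nsxcli path, the master status line
# and the monit commands come from the article; function names are hypothetical.
NSXCLI=/var/vcap/jobs/ncp/bin/nsxcli

# Succeeds only if the given "get ncp-master status" output marks this node as master.
is_ncp_master() {
    printf '%s\n' "$1" | grep -q 'This instance is the NCP master'
}

# Prints the id from a "Current NCP <Master|Instance> id is <id>" line, if present.
# Usage: ncp_id Master "$status"
ncp_id() {
    printf '%s\n' "$2" | sed -n "s/^Current NCP $1 id is \(.*\)$/\1/p" | tr -d '\r '
}

# Decide what to do on this node: prints "restart" or "skip".
restart_decision() {
    if is_ncp_master "$1"; then echo restart; else echo skip; fi
}

restart_ncp_if_master() {
    # The article runs nsxcli as root; monit also requires it.
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 2; }
    status=$("$NSXCLI" -c get ncp-master status) || return 3
    if [ "$(restart_decision "$status")" = skip ]; then
        # Assumption: a non-master node may or may not print a master id line.
        echo "Not the NCP master (master id: $(ncp_id Master "$status")); try the next control plane node."
        return 1
    fi
    monit stop ncp
    monit start ncp
    monit summary   # lets the operator confirm the state of the ncp process
}

# Nothing is restarted unless the script is called with --restart.
if [ "${1:-}" = "--restart" ]; then restart_ncp_if_master; fi
```

Run it with --restart on each control plane node in turn; it returns 1 without touching NCP on nodes that are not the master.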