This is a known issue, currently there is no resolution.
Workaround:
Identify if the system has any certificates using old service types by running the API to list certs
GET /api/v1/trust-management/certificates
Check for the "service_types" field.
Certificates with any of the following service_types will cause this issue
"Node API Certificate"
"MGMT_PLANE_DNE"
"Client Authentication"
"Cluster API Certificate"
If the certificate is in use, make note of the node UUID in the "used_by" field.
The certificate will first need to be released from the node and then deleted
ssh to any NSX Manager as root user and for each cert
curl -k -X POST -H "Content-Type: application/json" -H 'X-NSX-Username:admin' -H 'X-NSX-Groups:superuser' -d '{"node_id":"<NODE_UUID>"}' "http://127.0.0.1:7440/nsxapi/api/v1/trust-management/certificates/<CERT_UUID>?action=release"
curl -k -X DELETE -H "Content-Type: application/json" -H 'X-NSX-Username:admin' -H 'X-NSX-Groups:superuser' "http://127.0.0.1:7440/nsxapi/api/v1/trust-management/certificates/CERT_UUID"Note if the certificates are used by a Principle Identity solution such as Tanzu, it may be necessary to delete the associated cluster deployment and redeploy it to free up the problem certificate.