vCenter Key Provider Key Management Server Connection Status shows "No Trusted Connection"



Article ID: 324304


Updated On:

Products

VMware vCenter Server

Issue/Introduction

Symptoms:
In the vSphere Client, select the vCenter Server node, then Configure, Key Providers, and open the Key Provider cluster. Under the Key Provider cluster, the Key Management Server Connection Status shows "No Trusted Connection".

Note: The connection status does not update when a key management server failover occurs.

Environment

VMware vCenter Server 7.0.x
VMware vCenter Server 8.0.x

Cause

The connection is untrusted because vCenter does not trust the root CA that signed the Key Management Server certificate.

Resolution

To resolve this issue, the root CA that signed the Key Management Server certificate must be added to the vCenter Certificate Management Trusted Roots store.

1. Retrieve the root CA certificate with: # openssl s_client -connect <kms_server>:5696 -showcerts

Note: When the openssl s_client command completes, the full contents of the certificates presented by the server are displayed.

2. Copy the entire root certificate section of the openssl output, including its BEGIN CERTIFICATE and END CERTIFICATE lines, into a .cer file.

3. In the vSphere Client, go to Administration, Certificate Management, Trusted Root Certificates, click Add, and browse to the .cer file.

4. Verify that the KMS Server Connection Status shows "Connected" and no longer shows "No Trusted Connection".
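The extraction in steps 1 and 2, as an added POSIX shell example that is not part of this article: it takes the s_client output saved to a file, splits the presented chain, picks the self-signed root CA, verifies that the KMS leaf certificate actually chains to it, and writes the root to a .cer file ready for step 3. The KMS name kms.example.internal, the CA names and the sample transcript are constructed so the script runs offline; with a real KMS, save step 1's output with `openssl s_client -connect <kms_server>:5696 -showcerts </dev/null > s_client.txt` and pass that file to `extract_kms_root`.

```shell
# Added example, not from the KB: pick the root CA out of a saved
# `openssl s_client -showcerts` transcript, write it to a .cer file, and check
# that the KMS leaf certificate chains to it before importing it into vCenter.
set -eu

# Split a transcript into cert01.pem, cert02.pem, ... in $2 (one PEM block each).
split_chain() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%02d.pem", dir, n) }
    out != ""                     { print > out }
    /-----END CERTIFICATE-----/   { close(out); out = "" }' "$1"
}

# Print the path of the self-signed certificate (issuer hash == subject hash):
# that is the root CA vCenter must trust. Fails when the server sent no root.
find_root() {
  for f in "$1"/cert*.pem; do
    if [ "$(openssl x509 -in "$f" -noout -subject_hash)" = \
         "$(openssl x509 -in "$f" -noout -issuer_hash)" ]; then echo "$f"; return 0; fi
  done
  echo "no self-signed root in the presented chain; get it from the CA operator" >&2
  return 1
}

# $1 = transcript, $2 = .cer to write. The leaf (cert01) is verified against the
# extracted root so a wrong pick is caught here rather than after the import.
extract_kms_root() {
  work=$(mktemp -d); mkdir "$work/chain"; split_chain "$1" "$work/chain"
  root=$(find_root "$work/chain") || return 1
  openssl verify -CAfile "$root" "$work/chain/cert01.pem" >/dev/null || return 1
  cp "$root" "$2"; rm -rf "$work"
}

# Constructed stand-in for step 1 (no KMS is contacted): a throwaway root CA, a
# leaf it signs for the hypothetical kms.example.internal, and a transcript laid
# out like s_client -showcerts output. $1 = scratch directory; prints its path.
make_sample_transcript() {
  d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example KMS Root CA" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=kms.example.internal" \
    -keyout "$d/kms.key" -out "$d/kms.csr" 2>/dev/null
  openssl x509 -req -in "$d/kms.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 1 -out "$d/kms.pem" 2>/dev/null
  { echo "CONNECTED(00000003)"; echo "Certificate chain"
    echo " 0 s:CN = kms.example.internal"; cat "$d/kms.pem"
    echo " 1 s:CN = Example KMS Root CA";  cat "$d/root.pem"; } > "$d/s_client.txt"
  echo "$d/s_client.txt"
}
```

If the KMS only presents its leaf and intermediates, `find_root` reports that no self-signed certificate was found; the root then has to be obtained from the CA that issued the KMS certificate rather than from the s_client output.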