A certificate can only be deleted if it is not in use by any component in the system. The Policy service creates a principal identity that uses the same certificate as tomcat (Reverse Proxy) on the node. So even though you replaced the tomcat (Reverse Proxy) certificate, the old certificate is still referenced by that Policy principal identity, and the deletion is refused.
A user can replace the node tomcat certificates, but cannot replace the Self Signed Client Authentication certificate, because it was auto-generated during the build of the first NSX-T node. When a user retrieves information about the certificates, this certificate is listed with "service_types" : "Client Authentication", as shown in the API call below.
GET https://$NSXIP/api/v1/trust-management/certificates
Locate the following certificate in the response:
    "used_by" : [ {
        "node_id" : "{name: 'nsx_policy',node_id: 'policy_node',certificate_id: 'xxxxxxxx'}",
        "service_types" : [ "Client Authentication" ]
    } ],
    "resource_type" : "certificate_self_signed",
    "id" : "xxxxxxxxx",
    "display_name" : "tomcat certificate for node ' ' ",
    "tags" : [ ],
    "_create_user" : "system",
    "_create_time" : xxxxx,
    "_last_modified_user" : "node-mgmt",
    "_last_modified_time" : xxxxx5257,
    "_system_owned" : false,
    "_protection" : "NOT_PROTECTED",
    "_revision" : 3
}, {
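To find this certificate without reading the whole response by hand, the following added script (not part of this article or of NSX-T) walks the certificate list and reports which certificates are still referenced, and which of those are held only by the Policy principal identity's "Client Authentication" reference. The sample response is constructed; the "results" list wrapper, the certificate ids and the node names are assumptions.

```python
import json
from typing import Dict

# Constructed sample of GET /api/v1/trust-management/certificates (not captured from a real
# system). The "results" list wrapper is an assumption; ids and node names are placeholders.
SAMPLE_RESPONSE = json.dumps({"results": [
    {"id": "cert-old-tomcat", "resource_type": "certificate_self_signed",
     "display_name": "tomcat certificate for node 'mgr-1'",
     "used_by": [{"node_id": "{name: 'nsx_policy',node_id: 'policy_node',"
                            "certificate_id: 'cert-old-tomcat'}",
                 "service_types": ["Client Authentication"]}]},
    {"id": "cert-new-tomcat", "resource_type": "certificate_signed",
     "display_name": "replacement tomcat certificate",
     "used_by": [{"node_id": "mgr-1", "service_types": ["API"]}]},
    {"id": "cert-unused", "resource_type": "certificate_self_signed",
     "display_name": "stale certificate", "used_by": []},
], "result_count": 3})


def is_deletable(cert: dict) -> bool:
    """NSX-T refuses DELETE while any component still references the certificate."""
    return not cert.get("used_by")


def held_by_policy_identity(cert: dict) -> bool:
    """The case in this article: the Policy principal identity's 'Client Authentication'
    reference keeps the old tomcat certificate alive after the node cert was replaced."""
    return any("nsx_policy" in (ref.get("node_id") or "")
               and "Client Authentication" in ref.get("service_types", [])
               for ref in cert.get("used_by", []))


def blocking_references(cert: dict) -> list:
    """Human-readable list of what still uses the certificate, for a cleanup report."""
    return [f"{ref.get('node_id')} -> {', '.join(ref.get('service_types', []))}"
            for ref in cert.get("used_by", [])]


def classify(response_text: str) -> Dict[str, str]:
    """Map each certificate id to 'deletable', 'held-by-policy' or 'in-use'."""
    verdicts = {}
    for cert in json.loads(response_text).get("results", []):
        if is_deletable(cert):
            verdicts[cert["id"]] = "deletable"
        elif held_by_policy_identity(cert):
            verdicts[cert["id"]] = "held-by-policy"
        else:
            verdicts[cert["id"]] = "in-use"
    return verdicts


if __name__ == "__main__":
    for cert_id, verdict in classify(SAMPLE_RESPONSE).items():
        print(f"{cert_id}: {verdict}")
```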
This issue is resolved in VMware NSX-T Data Center 3.0.