1. Log in to the NSX-T UI and go to System > Certificates.
2. Collect the certificate IDs and FQDNs for NSX-T Managers and the VIP.
(You need to collect the ID - click on it to copy)
For example:
vip-nsx-mgmt.vrack.vsphere.local 519ce43c-ae3b-4e62-9c2e-f5745b36280b
nsx-mgmt-1.vrack.vsphere.local 513ab6e9-484a-4c23-a806-8d5577f9108c
3. Once you have collected all of the information, you can apply the certificates to ALL of the NSX-T Managers and the VIP. SSH as root into one of the NSX-T Managers or SDDC Manager and run the commands below.
NSX-T VIP
curl -k -u admin -X POST 'https://vip-nsx-mgmt.vrack.vsphere.local/api/v1/cluster/api-certificate?action=set_cluster_certificate&certificate_id=519ce43c-ae3b-4e62-9c2e-f5745b36280b'
NSX-T Managers (Change the FQDN and certificate ID for each manager)
curl -k -u admin -X POST 'https://nsx-mgmt01.vrack.vsphere.local/api/v1/node/services/http?action=apply_certificate&certificate_id=513ab6e9-484a-4c23-a806-8d5577f9108c'
4. Now refresh the SDDC UI; the certificates should show as valid and the CSR creation will succeed.
If the vCenter CA-signed certificates are expired, run the script in KB 89921 to generate new vCenter-signed certificates for the NSX-T Managers and VIP.
https://kb.vmware.com/s/article/89921
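
The per-manager repetition in step 3, as an added example (not part of the original article or of VMware's tooling): it validates each collected FQDN and certificate ID and prints the matching curl command for review before anything is run. The `role` column (vip or node) and the function names are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: turn a "role fqdn certificate_id" inventory into the two
# certificate-apply commands from step 3, rejecting malformed values first.
# The "role" column (vip|node) is an assumption of this example.

# Constructed inventory, using the sample FQDNs and IDs from the commands above.
INVENTORY='vip vip-nsx-mgmt.vrack.vsphere.local 519ce43c-ae3b-4e62-9c2e-f5745b36280b
node nsx-mgmt01.vrack.vsphere.local 513ab6e9-484a-4c23-a806-8d5577f9108c'

# Certificate IDs copied from System > Certificates are UUIDs.
is_uuid() {
  printf '%s\n' "$1" |
    grep -Eq '^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$'
}

# Hostname characters only, so nothing else can end up inside the URL.
is_fqdn() {
  printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$'
}

# apply_url ROLE FQDN CERT_ID -> prints the API URL, or fails on bad input.
apply_url() {
  is_fqdn "$2" || { echo "bad FQDN: $2" >&2; return 1; }
  is_uuid "$3" || { echo "bad certificate ID: $3" >&2; return 1; }
  case "$1" in
    vip)  path='cluster/api-certificate?action=set_cluster_certificate' ;;
    node) path='node/services/http?action=apply_certificate' ;;
    *)    echo "unknown role: $1" >&2; return 1 ;;
  esac
  printf 'https://%s/api/v1/%s&certificate_id=%s\n' "$2" "$path" "$3"
}

# Reads the inventory on stdin and prints one curl command per line for review;
# it does not contact any host. Stops at the first invalid line.
print_commands() {
  while read -r role fqdn id; do
    [ -n "$role" ] || continue
    url=$(apply_url "$role" "$fqdn" "$id") || return 1
    printf "curl -k -u admin -X POST '%s'\n" "$url"
  done
}

printf '%s\n' "$INVENTORY" | print_commands
```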