All clusters, nodepools, and Network Function (NF) operations require a secure trust to vCenter via a vSphere certificate thumbprint. 

If a vCenter's certificate has been updated, the vCenter certificate and thumbprint must be updated to restore functionality

Resolved in TCA 3.3. See Updating Certificate/user Credentials of vCenter on TCA and Linked CaaS Clusters

1. Re-Import the vCenter Certificate to TCA-M and TCA-CP

• Log in to the TCA Appliance Manager 
  <tca-m/tca-cp-ip>:9443.
  
  
• Click Certificate > Trusted CA Certificate > IMPORT.
  
  
• Select the trusted certificate type that you want to import and do one of the following:

• • • Browse and select the file to import.
    • Type the URL of the certificate.
    • Paste the certificate file content.
      
      
• Click Apply.

     2. Update the vCenter thumbprint in the TKG Cluster(s 

• SSH into the TCA-CP that controls the management clusters using the admin credentials.
  ssh admin@<tca-cp-ip>
  
  
• Check connectivity to retrieve the update-vc-tp script.

curl -kfsSL https://packages.broadcom.com/artifactory/tca-distro/kb/vc-updater/tca3.0/update-vc-tp.sh | bash -s -- -h

NOTE: For airgap environments, users should download the script to another location first, then copy it to the TCA-CP.

• Run the script with the vCenter IP
  
  curl -kfsSL https://packages.broadcom.com/artifactory/tca-distro/kb/vc-updater/tca3.0/update-vc-tp.sh | bash -s -- -d <vCenter-ip>
  
  NOTE: In case of different vCenter for management clusters and for Workload clusters, execute the above command by giving the both vcenter (first execute the command with the VC address responsible for MC and then the same command with WC vCenter ip)
  
  
• Navigate to Connected Endpoints, find the corresponding vCenter, and confirm the status of the vCenter has been modified.

• Click and dismiss the message to acknowledge the vCenter certificate change.
  
  
• In TCA-M UI, Validate the vCenter credentials in the virtual infrastructure and save the changes.