Certificate cannot be replaced or deleted on the NSX Manager due to error "requires a valid node-id"

Article ID: 369824

Products

VMware NSX

Issue/Introduction

  • The NSX Manager was restored from backup, or an NSX Manager was replaced with a new Manager.
  • Certificates are bound to a node ID that does not exist and is not the ID of any of the NSX Manager nodes.
  • An attempt to replace the certificate via API generates an error:

POST /api/v1/trust-management/certificates/<certificate-ID>?action=apply_certificate&service_type=<Service>&node_id=<node_ID>

Applying certificate for service-type <Service> requires a valid node-id

Environment

VMware NSX-T
VMware NSX Data Center

Cause

Due to manager restoration or new node creation, the IDs assigned to the respective managers might have changed, but the certificates are still bound to the old IDs.

Resolution

Run the CARR script; see "Using Certificate Analyzer, Results and Recovery (CARR) Script to fix certificate related issues in NSX".

The CARR script will release and delete unused certificates.
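To confirm the condition described under Issue/Introduction before or after running CARR, the check below lists certificate bindings whose node ID matches no current manager node. It is an added example, not VMware's code or part of the CARR script; it runs offline over constructed JSON, and the field names (`nodes[].node_uuid`, `results[].id`, `used_by[].node_id`, `service_types`) are assumptions about the shape of the cluster and certificate listings that should be verified against your NSX version.

```python
import json

# Constructed sample data; IDs are placeholders, field names are assumptions.
CLUSTER_JSON = """
{"nodes": [{"node_uuid": "mgr-node-0001"},
           {"node_uuid": "mgr-node-0002"},
           {"node_uuid": "mgr-node-0003"}]}
"""
CERTS_JSON = """
{"results": [
  {"id": "cert-a", "display_name": "api-current",
   "used_by": [{"node_id": "mgr-node-0001", "service_types": ["API"]}]},
  {"id": "cert-b", "display_name": "api-from-old-node",
   "used_by": [{"node_id": "mgr-node-9999", "service_types": ["API"]}]},
  {"id": "cert-c", "display_name": "unused", "used_by": []}
]}
"""

def manager_node_ids(cluster):
    """Return the set of node IDs that currently exist in the cluster."""
    return {n["node_uuid"] for n in cluster.get("nodes", []) if n.get("node_uuid")}

def orphaned_bindings(cluster, certs):
    """Find certificate bindings that reference a node ID not in the cluster."""
    valid = manager_node_ids(cluster)
    findings = []
    for cert in certs.get("results", []):
        # A certificate with no bindings is merely unused, not orphaned.
        for binding in cert.get("used_by") or []:
            node_id = binding.get("node_id")
            if node_id not in valid:
                findings.append({
                    "certificate_id": cert.get("id"),
                    "display_name": cert.get("display_name"),
                    "stale_node_id": node_id,
                    "service_types": binding.get("service_types", []),
                })
    return findings

if __name__ == "__main__":
    cluster = json.loads(CLUSTER_JSON)
    certs = json.loads(CERTS_JSON)
    for f in orphaned_bindings(cluster, certs):
        print("{certificate_id} ({display_name}) bound to missing node "
              "{stale_node_id} for {service_types}".format(**f))
```

A non-empty result matches the state in which apply_certificate fails with "requires a valid node-id"; an empty result after CARR has run indicates the stale bindings were released.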