When replacing a vSphere Machine SSL certificate with a Custom Certificate Authority Signed Certificate vpxd-svcs fails to start

Article ID: 370848

Products

VMware vCenter Server

Issue/Introduction

When replacing a vSphere Machine SSL certificate with a Custom Certificate Authority Signed Certificate, the vpxd-svcs service fails to start. 

Cause

vpxd-svcs fails to start during certificate replacement because SSL certificate verification fails. A mismatch between the PNID and the hostname prevents the service from initializing.

You can find detailed logs related to this issue in the following path:

/var/log/vmware/vmon/vmon.log

YYYY-MM-DDTHH:MM:SS Wa(03) host-###### <vpxd-svcs> Service pre-start command's stderr: self._sslobj.do_handshake()
YYYY-MM-DDTHH:MM:SS Wa(03)+ host-###### ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: IP address mismatch, certificate is not valid for '###.###.###.###'. (_ssl.c:997)

Resolution

To resolve this issue, follow these steps:

  1. Verify hostname and PNID: Ensure that the hostname configured in vCenter Server matches the PNID.
     • From an SSH session on the vCenter, check the PNID with the following command:
       /usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost
     • From an SSH session on the vCenter, verify the FQDN with the following command:
       hostname -f

  2. To change the PNID (Primary Network Identifier) on vCenter Server using the vSphere Appliance Management Interface (VAMI), follow these steps:
     • Access VAMI: Open a web browser and navigate to the VAMI URL for your vCenter Server. The default URL is https://<vcenter_fqdn_or_ip>:5480
     • Select Networking > EDIT.
     • Select Network Adapter, then click Next.
     • Edit settings: Enter the PNID returned by the previous command (/usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost), then click Next.
     • SSO credential: Enter administrator@your_domain_SSO and the password, then click Next.
     • Ready to complete: Acknowledge the vCenter backup, then click Finish.
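
The comparison from step 1, scripted as an added example (not part of the original article). It goes one step beyond the two commands by also checking that the new certificate's Subject Alternative Name list covers the PNID, since the logged error is a certificate name mismatch. The names check_pnid and is_ipv4 and the certificate-file argument are hypothetical, and the hostnames and addresses in the comments are constructed.

```shell
#!/bin/sh
# Added example: pre-check before installing a custom Machine SSL certificate.
VMAFD=/usr/lib/vmware-vmafd/bin/vmafd-cli
CERT=${1:-}   # hypothetical argument: path to the new certificate in PEM form

# is_ipv4 VALUE: succeeds when VALUE is shaped like a dotted-quad IPv4 address.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# check_pnid PNID FQDN SAN_TEXT
# SAN_TEXT is the subjectAltName list in openssl's text form, for example
# "DNS:vc01.example.test, IP Address:192.0.2.10" (constructed values).
# Prints ok, hostname-mismatch or san-missing; returns non-zero unless ok.
# Exact match only: wildcard SANs and IPv6 are not handled.
check_pnid() {
    p=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    f=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    if [ "$p" != "$f" ]; then
        echo hostname-mismatch
        return 1
    fi
    # An IP PNID must appear as an IP SAN, a name PNID as a DNS SAN.
    if is_ipv4 "$p"; then want="ip address:$p"; else want="dns:$p"; fi
    if printf '%s\n' "$3" | tr ',' '\n' | tr '[:upper:]' '[:lower:]' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -Fxq "$want"; then
        echo ok
    else
        echo san-missing
        return 1
    fi
}

# Live check: runs only on a vCenter appliance when a certificate file is given.
if [ -x "$VMAFD" ] && [ -r "$CERT" ]; then
    san=$(openssl x509 -in "$CERT" -noout -ext subjectAltName)
    check_pnid "$("$VMAFD" get-pnid --server-name localhost)" "$(hostname -f)" "$san"
fi
```

A hostname-mismatch result corresponds to the condition described under Cause; san-missing means the certificate request needs the PNID added as a SAN entry of the matching type.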