Certificate chain of compute manager is invalid, please check issuer and subject in the chain when replacing a CA cert on the vCenter

Article ID: 372076

Updated On:

Products

  • VMware NSX
  • VMware vCenter Server 7.0
  • VMware vCenter Server 8.0

Issue/Introduction

  • When the machine SSL certificate on a vCenter Server is updated or replaced with a new custom machine SSL certificate, NSX must validate the new certificate and the chain it is served with before it can re-establish its connection to the vCenter. The following error may be shown by NSX for the compute manager:

"Certificate chain of Compute Manager <FQDN> is invalid. Please check Issuer and Subject in the chain. (Error code: 90204)"

  • A corresponding error is written to the cm-inventory.log file on the NSX Manager:

2024-06-24T19:45:24.327Z ERROR http-nio-127.0.0.1-7443-exec-2 VcPlugin 4732 SYSTEM [nsx@6876 comp="nsx-manager" errorCode="MP40219" level="ERROR" reqId="11111111-2222222-7e7e7e7e7" subcomp="cm-inventory" username="admin"] Certificate of Vc VMware.org is invalid. it might be caused by issuer not being same as subject of next certificate in certificate chain.

Environment

  • vCenter Server 7.x
  • vCenter Server 8.x
  • VMware NSX-T

Cause

The certificate chain that the vCenter presents for the custom machine SSL certificate may be incomplete, or the new certificate itself may contain an incorrect or missing entry.

For example, the Subject Alternative Name (SAN) extension of the custom machine SSL certificate must include the FQDN, the short host name and the IP address of the vCenter Server. If the IP address is missing from the SAN extension, NSX cannot validate the connection to the vCenter Server and reports this error.

Another possibility is that only the 'leaf' certificate was installed on the vCenter rather than the full certificate chain (leaf, intermediate CA(s) and root CA). The vCenter then serves the leaf on its own, and NSX cannot follow the issuer of each certificate to the subject of the next one back to a trusted root, which is the check the cm-inventory.log message refers to.

Resolution

This is a condition that may occur in a VMware NSX environment.

 

Workaround

  1. Verify that the thumbprint NSX shows for the compute manager matches the thumbprint of the certificate the vCenter actually serves, by running the following command on the vCenter Server:
    echo | openssl s_client -connect localhost:443 2>/dev/null | openssl x509 -noout -fingerprint -sha256
  2. The following command lists the certificate chain as the vCenter presents it on port 443 (the leaf first, followed by whatever intermediate and root certificates were installed with it). A chain that stops at the leaf, or in which a certificate's issuer does not match the subject of the certificate after it, is the condition the log message describes:
    openssl s_client -showcerts -debug -connect <VC-IP>:443
  3. If the thumbprints match, review the machine SSL certificate currently in use on the vCenter for missing or incorrect information, in particular the SAN entries (FQDN, short name, IP address) and the completeness of the chain. If a problem is found, generate a new custom certificate from the Certificate Authority (CA) with the correct entries and replace the problematic certificate on the vCenter together with its full chain.
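The three checks above can be scripted so that they are repeatable and produce a clear verdict. The script below is an added example written for this article, not VMware tooling: it pulls the chain the vCenter serves on port 443, prints the SHA-256 thumbprint of the leaf in the colon-separated form the openssl command above produces, walks the chain comparing each certificate's issuer with the next certificate's subject (the linkage the cm-inventory.log message refers to) and checks that the chain ends at a self-signed root, then confirms the leaf's SAN entries. It assumes openssl 1.1.1 or later and a POSIX shell on the host it runs on; the host name, FQDN, short name and IP address are arguments you supply. The check functions also work on a PEM bundle exported from the vCenter, which lets the review be done offline.

```shell
#!/bin/sh
# Added example (not VMware code): check a vCenter machine SSL chain the way NSX
# validates a compute manager. Assumes openssl (1.1.1 or later) in PATH.
# Usage: sh vc-chain-check.sh <vcenter-host-or-ip> <fqdn> <short-name> <ip>
set -eu

# Pull the certificate chain served on TCP 443 (leaf first, as vCenter sends it)
# into a PEM bundle whose path is the second argument.
fetch_chain() {
  host=$1; out=$2
  echo | openssl s_client -showcerts -servername "$host" -connect "$host:443" 2>/dev/null \
    | awk '/-----BEGIN CERTIFICATE-----/ { p = 1 } p { print } /-----END CERTIFICATE-----/ { p = 0 }' > "$out"
}

# Split a PEM bundle into <dir>/cert-1.pem, cert-2.pem, ... and print the count.
split_chain() {
  bundle=$1; dir=$2
  mkdir -p "$dir"
  awk -v d="$dir" '
    /-----BEGIN CERTIFICATE-----/ { n++ }
    n { print > (d "/cert-" n ".pem") }
    END { print n + 0 }' "$bundle"
}

# Issuer / subject of one certificate, RFC 2253 form so the two are comparable.
cert_issuer()  { openssl x509 -noout -issuer  -nameopt RFC2253 -in "$1" | sed 's/^issuer=//'; }
cert_subject() { openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject=//'; }

# Walk the bundle: every certificate's issuer must equal the subject of the next
# one, and the last certificate must be a self-signed root. Returns 0 only if the
# chain is complete and correctly linked; a leaf-only bundle or a skipped
# intermediate fails here, which is what the NSX error reports.
check_chain() {
  bundle=$1; ok=0
  dir=$(mktemp -d)
  n=$(split_chain "$bundle" "$dir")
  [ "$n" -ge 1 ] || { echo "no certificates found in $bundle"; rm -rf "$dir"; return 1; }
  i=1
  while [ "$i" -lt "$n" ]; do
    issuer=$(cert_issuer "$dir/cert-$i.pem")
    subject=$(cert_subject "$dir/cert-$((i + 1)).pem")
    if [ "$issuer" != "$subject" ]; then
      echo "link $i broken: issuer '$issuer' != next subject '$subject'"
      ok=1
    fi
    i=$((i + 1))
  done
  if [ "$(cert_issuer "$dir/cert-$n.pem")" != "$(cert_subject "$dir/cert-$n.pem")" ]; then
    echo "chain does not end at a self-signed root CA (intermediate or root missing)"
    ok=1
  fi
  rm -rf "$dir"
  return $ok
}

# The leaf (first certificate of the bundle) must carry DNS:<fqdn>, DNS:<short>
# and "IP Address:<ip>" SAN entries. Returns 0 if all three are present.
check_san() {
  cert=$1; fqdn=$2; short=$3; ip=$4; missing=0
  sans=$(openssl x509 -noout -ext subjectAltName -in "$cert" 2>/dev/null \
           | tail -n +2 | tr ',' '\n' | sed 's/^[[:space:]]*//')
  for want in "DNS:$fqdn" "DNS:$short" "IP Address:$ip"; do
    if ! printf '%s\n' "$sans" | grep -Fxq "$want"; then
      echo "SAN missing: $want"
      missing=1
    fi
  done
  return $missing
}

# SHA-256 thumbprint of the leaf, colon-separated, for comparison with NSX.
leaf_thumbprint() {
  openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

main() {
  host=$1; fqdn=$2; short=$3; ip=$4
  bundle=$(mktemp)
  fetch_chain "$host" "$bundle"
  echo "leaf thumbprint (compare with the one NSX shows): $(leaf_thumbprint "$bundle")"
  check_chain "$bundle" && echo "chain linkage OK"
  check_san "$bundle" "$fqdn" "$short" "$ip" && echo "SAN entries OK"
  rm -f "$bundle"
}

# Only run against a live host when all four arguments are given.
if [ $# -ge 4 ]; then main "$@"; fi
```

Run it as `sh vc-chain-check.sh vc.example.org vc.example.org vc 10.0.0.5` (hypothetical names). `check_chain` fails for a bundle containing only the leaf, for one that skips an intermediate, and for one that stops short of the root; `check_san` fails when the IP address is absent, which is the case the Cause section calls out. The thumbprint printed first is the value to compare with what NSX shows for the compute manager before spending time on the chain itself.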

Additional Information