• The certificate can be imported into NSX directly via NSX Manager User Interface.
• The certificate shows as valid in the NSX Manager UI.
• Attempting to apply the certificate fails with the following error.

curl -k -u 'admin:[PASSWORD]' -X POST 'https://[NSX MANAGER]/api/v1/trust-management/certificates/[CERT UUID]?action=apply_certificate&service_type=API&node_id=[NODE_UUID]'
{
  "httpStatus" : "BAD_REQUEST",
  "error_code" : 2078,
  "module_name" : "internal-framework",
  "error_message" : "Some error has occurred."
}

• NSX Manager logs show the following error.

/var/log/syslog
[TIMESTAMP] [NSX MANAGER] NSX SYSTEM [nsx@6876 comp="nsx-manager" errorCode="MP2078" level="ERROR" reqId="[REQ UUID]" subcomp="manager" username="admin"] Invalid Certificate - ERROR: Certificate CN=[CN],OU=[OU],O=[O],C=[C] does not have a supported algorithm or key-size

• Problematic certificate has a key length of 4095 bits.

openssl x509 -in cert.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            [SERIAL NO.]
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = [C], O = [O], OU = [OU], organizationIdentifier = [OI], CN = [CN]
        Validity
            Not Before: [TIMESTAMP]
            Not After : [TIMESTAMP]
        Subject: C = [C], O = [O], OU = [OU], organizationIdentifier = [OI], CN = [CN]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4095 bit) <<<<<<<

VMware NSX-T Data Center 3.2.x
VMware NSX 4.x

A key length of 4095 is supported from VMware NSX 4.1.2.4.

Workaround:
Use a supported key length. The following API call returns the supported key lengths.

curl -k -u admin "https://[NSX MANAGER]/api/v1/trust-management"
{
  "supported_algorithms" : [ {
    "name" : "RSA",
    "key_size" : [ 2048, 3072, 4096 ]
  }, {
    "name" : "EC",
    "key_size" : [ 256, 384, 521 ]
  } ]