• When viewing the System > Settings > Certificates page, you see that one of the API/UI certificates has a value of 0 in the Where Used column.
  Note: You can identify the API/UI certificates as they are named similar to tomcat certificate for node <NSX manager node name> or API certificate for node <NSX manager node name>.
• When you query the https://<NSX manager IP>/api/v1/trust-management/certificates/<certificate ID> API, you see that the used_by field is blank.Note: You can obtain the <certificate ID> value in the NSX UI by expanding the affected certificate on the System > Settings > Certificates page.
• The NSX manager node that should be listed in the Where Used column for the certificate is not listed in the Where Used column for any other API/UI certificate.
• If you access the NSX manager node via a web browser, you see that the expected certificate is present.

VMware NSX-T Data Center 

VMware NSX

Use the instructions noted at Replace Certificates Through API to reassociate the certificate to the appropriate NSX manager node. Since the certificate is an API/UI certificate, the API call would look similar to the following:

POST https://<NSX manager IP>/api/v1/trust-management/certificates/<certificate ID>?action=apply_certificate&service_type=API&node_id=<NSX manager node ID>

Note: You can obtain the <NSX manager node ID> value by clicking the View Details link under the appropriate NSX manager appliance on the System > Configuration > Appliances page.

Replace Certificates Through API