• Each NSX manager node has a unique certificate
• When a manager node is removed from the cluster, the certificate assigned to it is removed as well
• If the node is added back to the cluster, the cluster VIP certificate is assigned to the node

VMware NSX 4.2.x

This is a known issue affecting VMware NSX. There is currently no resolution.

To work around this issue, replace the certificate on the node through the NSX UI, using the node FQDN as the CN name, and proceed with the update. If a CA-signed certificate is used, ensure that the same root certificate is used to sign the CSR.

If the NSX installation is managed by SDDC Manager, do not use self-signed certificates as they will not be trusted. The steps noted in Scripted process to Replace Expired or Self-signed VMware NSX-T Manager Certificates with VMCA-Signed Certificates should be followed.