Compute Manager status shows down in NSX UI after certificate change
Article ID: 384069
Products
VMware NSX, VMware NSX-T Data Center
Issue/Introduction
On NSX, the Compute Manager status shows Down after the vCenter certificate has been replaced.
The NSX UI displays an error similar to one of these examples:
CRL check for certificate for compute manager <vCenter FQDN/IP> failed because of <ID>
CRL check for certificate of Compute Manager <IP> failed because of CRL check failed: Couldn't fetch the CRL issued by any of the CDPs for CN=<>,OU=<>,O=<>,L=<>,ST=<>,C=<>. (Error code: 90206)
In versions prior to NSX 4.2.0, a log message similar to this example may be seen in NSX manager cm-inventory logs (Log path: /var/log/cm-inventory/cm-inventory.log):
2024-12-10T14:31:11.672Z WARN Thread-26 CrlWebFetcher 84744 SYSTEM [nsx@6876 comp="nsx-manager" level="WARNING" subcomp="cm-inventory"] CRL 'http://example.com/####.crl' cache missed due to 'java.security.cert.CRLException: Couldn't read CRL from http://127.0.0.1:7440/nsxapi/api/v1/trust-management/cdps/crl?id=http%###.crl'. Will fetch directly from the web.
In NSX 4.2.0 and later, the following error may be seen in cm-inventory.log:
An alarm is generated in NSX Manager indicating that the ESX Agent Manager (EAM) service on the Compute Manager is down.
Environment
VMware NSX, VMware NSX-T Data Center
Cause
The CRL (Certificate Revocation List) referenced by the vCenter certificate is not reachable from the NSX Manager, so the vCenter certificate is not trusted. As a result, the existing Compute Manager goes down, or registration of a new Compute Manager is refused. NSX cannot access the CRL endpoint if it is LDAP based; LDAP CRL distribution points are not supported.
Resolution
Update the vCenter certificate so that its CRL distribution point is reachable by the NSX Manager (for example, an HTTP endpoint rather than an LDAP one).
or
Disable the CRL check on the NSX Manager via the Postman client using the following NSX API call:
PUT https://<policy-mgr>/policy/api/v1/infra/security-global-config
Put the following inside the body:
{ "crl_checking_enabled": "false" }
Return to the NSX Manager UI and go to System > Fabric > Compute Managers. Select Edit on the linked vCenter, re-enter the credentials, and click SAVE to re-establish the connection between vCenter and NSX Manager.
If Postman cannot be used, the same change can be made with curl from the NSX Manager itself. Create a file named body.txt in the /tmp folder with the following content: { "crl_checking_enabled": "false" }
Execute the following curl command to apply the change (run it on any one NSX Manager node only, or against the VIP):
Under System > Compute Managers, select the vCenter that is in the Down status and re-enter the credentials so the connection is refreshed. After the update completes, confirm that the connection status changes to "Up" and the registration status changes to "Registered".
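The API change above, scripted end to end as an added example (this is not code from the KB or from VMware): it reads the current security-global-config, sends it back with CRL checking disabled, and re-reads it to confirm. It assumes the Policy API returns the full object (including its usual _revision field), that basic authentication is accepted, and that the manager's certificate chains to the CA bundle passed as cafile.

```python
"""Disable NSX CRL checking through the Policy API (added example, not from the KB)."""
import base64
import json
import ssl
import urllib.request

ENDPOINT = "/policy/api/v1/infra/security-global-config"


def build_update_body(current: dict) -> dict:
    """Return the PUT body: the current object with CRL checking switched off.

    Sending the whole object back (including _revision when present, an
    assumption about the object's shape) follows the Policy API update
    pattern and avoids clobbering other fields. crl_checking_enabled is a
    boolean in the API schema; the KB shows the string "false", which the
    API also accepts, but a real boolean is the safer choice.
    """
    body = dict(current)
    body["crl_checking_enabled"] = False
    return body


def _request(method, url, auth, body=None, cafile=None):
    """Send one JSON request with HTTP basic auth; cafile is the CA that signed the manager cert."""
    ctx = ssl.create_default_context(cafile=cafile)
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.loads(resp.read() or b"{}")


def disable_crl_checking(manager, auth, cafile=None):
    """GET the global config, disable CRL checking, PUT it back, then verify by re-reading."""
    url = f"https://{manager}{ENDPOINT}"
    current = _request("GET", url, auth, cafile=cafile)
    if current.get("crl_checking_enabled") is False:
        return current  # already disabled, nothing to change
    _request("PUT", url, auth, body=build_update_body(current), cafile=cafile)
    updated = _request("GET", url, auth, cafile=cafile)
    if updated.get("crl_checking_enabled") is not False:
        raise RuntimeError("crl_checking_enabled is still set after the PUT")
    return updated  # CRL checking is now off: revocation of the vCenter cert is no longer verified


if __name__ == "__main__":
    import getpass, sys
    mgr = sys.argv[1]  # NSX Manager FQDN or VIP, e.g. nsx-vip.example.internal (placeholder)
    print(disable_crl_checking(mgr, ("admin", getpass.getpass()))["crl_checking_enabled"])
```

Because the script only turns the flag off, trust in the vCenter certificate then rests on the CA chain alone; the first resolution (an accessible CRL) keeps revocation checking intact and is the one to prefer where the certificate can be reissued.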