- New CA certificate is generated
- When replacing an expired or expiring certificate with a CA certificate, we may see a "Certificate validation failed" error.
- To see what that error means, we need to make a GET API call to validate the certificate: GET https://<nsx-mgr>/api/v1/trust-management/certificates/<cert-id>?action=validate
- From the result of that call we can see the certificate is rejected because: KeyUsage does not allow key encipherment
The CA certificate needs to have the key encipherment parameter enabled under KeyUsage.
- Enable the key encipherment parameter under KeyUsage when the CA certificate is created/signed.
- Once the key encipherment parameter is enabled under KeyUsage, certificate validation succeeds and the new CA certificate is applied to the node.
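The KeyUsage check can be done locally with OpenSSL before uploading a candidate CA certificate to NSX Manager, which avoids the round trip through the validate API. This is an added example, not part of the original article or any VMware tooling; it generates two throwaway self-signed CA certificates (constructed sample data, one without and one with keyEncipherment) and assumes OpenSSL 1.1.1 or newer for the `-addext` option.

```shell
#!/bin/sh
# Pre-check: does this certificate's KeyUsage extension include keyEncipherment?
# Prints the KeyUsage line; returns 0 if keyEncipherment is present, 1 otherwise.
check_key_encipherment() {
    cert="$1"
    # "openssl x509 -text" prints the extension name on one line and its
    # decoded bit names (e.g. "Digital Signature, Key Encipherment, ...") on the next.
    usage=$(openssl x509 -in "$cert" -noout -text 2>/dev/null \
        | grep -A1 'X509v3 Key Usage' | tail -n 1)
    echo "KeyUsage for $cert:${usage:-(extension missing)}"
    case "$usage" in
        *"Key Encipherment"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample data: self-signed throwaway CA certs with a given keyUsage.
# -addext requires OpenSSL 1.1.1+ (assumption for this example).
make_ca() {
    out="$1"; ku="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
        -addext "keyUsage=critical,$ku" \
        -keyout "$out.key" -out "$out.pem" >/dev/null 2>&1
}

workdir=$(mktemp -d)
# Typical CA profile that NSX rejects: keyCertSign/cRLSign but no keyEncipherment.
make_ca "$workdir/bad_ca"  "digitalSignature,keyCertSign,cRLSign"
# Same profile with keyEncipherment added, which passes validation.
make_ca "$workdir/good_ca" "digitalSignature,keyCertSign,cRLSign,keyEncipherment"

for c in bad_ca good_ca; do
    if check_key_encipherment "$workdir/$c.pem"; then
        echo "  -> OK to upload: keyEncipherment is present"
    else
        echo "  -> NSX validate would reject this: KeyUsage does not allow key encipherment"
    fi
done
```

Run the check against the PEM you intend to upload; if it reports the extension as missing or without Key Encipherment, reissue the CA certificate with keyEncipherment in its KeyUsage before retrying the replacement.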