In TKGi 1.19.2 after running the below command you see error message Error: status 400 reading NSXClient#bindPrincipalIdentities(UpdatePICertificateRequest)

tkgi rotate-certs <cluster_name> --only-nsx

followed by below error:

cluster status changed to "failed".

TKGi 1.19.2
tkgicli 1.19.0-build.148
NSX 4.2.1.0.0.24304122

NSX 4.2 implemented a check for the certificate replacement of same kind, it only allows:

replace "certificate with private key" with new "certificate with private key" 
replace "certificate without private key" with new "certificate without private key"

Depending on if the PI certificate is rotated already or not, it can be with private key or without private key, so we need to try both cases.

Manual solution

Follow manual solution outlined in Article 330615

Permanent fix

Upgrade to TKGi 1.20.0 or above, as a fix has been implemented so that command 'tkgi rotate-certs <cluster_name> --only-nsx' operates successfully and rotates based on the change in NSX 4.2 outlined in the cause section above.