NSX Installation on an ESXi Host fails with an error "Failed to install software on host. Host <IP> not reachable. java.rmi.RemoteException: VI SDK invoke exception:javax.net.ssl.SSLHandshakeException: CRL check failed"

Article ID: 397539


Products

VMware NSX

Issue/Introduction

  • The ESXi host uses custom certificates.
  • NSX Installation on an ESXi Host fails with an error "Failed to install software on host. Host <IP> not reachable. java.rmi.RemoteException: VI SDK invoke exception:javax.net.ssl.SSLHandshakeException: CRL check failed"

Environment

VMware NSX

Cause

The ESXi host has a custom certificate that was changed after NSX was configured.

Resolution

  • To disable the CRL check, first retrieve the current security global configuration from the NSX Manager API:
    GET https://{{nsx manager ip}}/policy/api/v1/infra/security-global-config
  • The response is a JSON structure containing several flags, one of which is "crl_checking_enabled": true.
    {
        "crl_checking_enabled": true,
        "ca_signed_only": false,
        "eku_checking_enabled": true,
        "id": "########-####-####-####-############",
        "_create_time": 1745242074177,
        "_create_user": "system",
        "_last_modified_time": 1745242074177,
        "_last_modified_user": "system",
        "_protection": "NOT_PROTECTED",
        "_revision": 0
    }
  • Change the value of "crl_checking_enabled" from true to false and use that JSON structure as the body for the API call:
    PUT https://{{nsx manager ip}}/policy/api/v1/infra/security-global-config
  • Re-authenticate with the compute manager. 
  • If the host installation state changes from failed to orphaned:
    • Put the host in Maintenance Mode and remove it from the cluster if a Transport Node Profile is used.
    • In NSX-T Manager, perform a "Force Remove NSX" on the host.
    • SSH to the host and run the command to remove NSX VIBs.
    • Restart the ESXi host.
    • The host should now be clear of the NSX configuration.
    • Bring the host back to the cluster, triggering the NSX installation.
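
The GET, modify, PUT steps at the start of the Resolution can be scripted so that only "crl_checking_enabled" changes and the result is read back. The following is an added example, not code from the article or from VMware; it assumes HTTP basic authentication and a CA bundle for the NSX Manager certificate, and the function names are hypothetical. The same call with True restores the original setting.

```python
import base64
import json
import ssl
import urllib.request

PATH = "/policy/api/v1/infra/security-global-config"  # endpoint from the article


def make_request(manager, user, password, cafile=None):
    """Return request(method, body=None) -> dict bound to one NSX Manager.

    Assumptions: basic auth is accepted; cafile is the CA bundle that signed
    the manager's certificate (None falls back to the system trust store).
    """
    ctx = ssl.create_default_context(cafile=cafile)  # TLS verification stays on
    token = base64.b64encode(f"{user}:{password}".encode()).decode()

    def request(method, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(
            f"https://{manager}{PATH}", data=data, method=method,
            headers={"Authorization": f"Basic {token}",
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return json.loads(resp.read() or b"{}")
    return request


def set_crl_checking(request, enabled):
    """GET the config, change only crl_checking_enabled, PUT it, re-read it.

    Returns (previous_value, verified_config). Every other field, including
    _revision, is sent back exactly as the GET returned it.
    """
    current = request("GET")
    previous = current.get("crl_checking_enabled")
    if not isinstance(previous, bool):
        raise ValueError("crl_checking_enabled missing or not a JSON boolean")
    if previous == enabled:
        return previous, current  # already in the wanted state, skip the PUT
    request("PUT", dict(current, crl_checking_enabled=enabled))
    verified = request("GET")
    if verified.get("crl_checking_enabled") is not enabled:
        raise RuntimeError("NSX Manager did not apply the change")
    return previous, verified

# Usage (hostname and credentials are placeholders):
# set_crl_checking(make_request("nsx-manager.example", "admin", "<password>"), False)
```

Record the returned previous value so the setting can be put back once the host certificate issue is resolved.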