After NAPP undeployment, the K8S_PLATFORM_CA certificate is left behind and cannot be deleted.
This certificate eventually expires, raising certificate expiry alarms that cannot be resolved.
Any NSX deployment from which NAPP 4.2 or SSP 5.0 has been undeployed.
The leftover certificate is also written to disk, and removing it from the trust-management system does not clean up the on-disk copy. As a result, after a reboot the system attempts to repair itself and reintroduces the certificate into the database.
NOTE: Ensure that NAPP or SSP has been fully and successfully undeployed before proceeding with the following steps.
To clean up the certificates:
1. Delete the associated Principal Identities:
Because the service/entity cannot be released, the corresponding Principal Identities have to be deleted manually from the Manager GUI.
Navigate to System > Settings > User Management
Then remove the following identities:
napp_platform_egress
napp_platform_ingress
napp_platform_kafka
(Refer to the attached screenshot for guidance.)
2. Delete Expired Certificates:
Once all related Principal Identities have been deleted, no service/entity remains attached to the certificates, and all expired NAPP/SSP-related certificates can be deleted successfully.
NOTE: In the screenshot below, the 'Delete' option is grayed out because the Principal Identity (PID) has not yet been deleted. Once the PID is removed, the 'Delete' option will be enabled, allowing the certificates to be deleted.
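The ordering above (Principal Identities first, then the certificates they pin) can be checked against an inventory before touching the GUI. The following is an added example, not part of this KB or of NSX: it works over a constructed sample inventory whose field names only loosely follow the NSX trust-management objects, and the not_after field and the prefix list are assumptions made here.

```python
from datetime import datetime, timezone

# Constructed sample inventory, not real NSX output. Field names loosely follow the NSX
# trust-management objects (a principal identity carries a certificate_id; a certificate has
# an id and display_name); not_after is an assumption added so expiry can be checked without PEM.
PRINCIPAL_IDENTITIES = [
    {"name": "napp_platform_egress", "certificate_id": "cert-egress"},
    {"name": "napp_platform_ingress", "certificate_id": "cert-ingress"},
    {"name": "napp_platform_kafka", "certificate_id": "cert-kafka"},
    {"name": "other_pi", "certificate_id": "cert-shared"},  # unrelated consumer (constructed)
]
CERTIFICATES = [
    {"id": "cert-ca", "display_name": "K8S_PLATFORM_CA", "not_after": "2024-01-01T00:00:00Z"},
    {"id": "cert-egress", "display_name": "napp_platform_egress", "not_after": "2024-01-01T00:00:00Z"},
    {"id": "cert-ingress", "display_name": "napp_platform_ingress", "not_after": "2024-01-01T00:00:00Z"},
    {"id": "cert-kafka", "display_name": "napp_platform_kafka", "not_after": "2024-01-01T00:00:00Z"},
    {"id": "cert-shared", "display_name": "napp_platform_shared", "not_after": "2024-01-01T00:00:00Z"},
]
SAMPLE_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
NAPP_PREFIXES = ("K8S_PLATFORM", "napp_platform")  # assumed naming of the leftovers

def _expired(cert, now):
    return datetime.strptime(cert["not_after"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc) <= now

def plan_cleanup(pis, certs, now):
    """Order the cleanup as the KB does: principal identities first, then the expired
    NAPP/SSP certificates they were pinning; anything else is left alone."""
    referrers = {}
    for pi in pis:
        referrers.setdefault(pi["certificate_id"], []).append(pi["name"])
    plan = {"delete_principal_identities": [], "delete_certificates": [], "blocked_by": {}, "skip": {}}
    for cert in certs:
        name = cert["display_name"]
        if not name.startswith(NAPP_PREFIXES):
            continue  # not a NAPP/SSP leftover, out of scope
        users = referrers.get(cert["id"], [])
        foreign = [u for u in users if not u.startswith(NAPP_PREFIXES)]
        if foreign:
            plan["skip"][name] = foreign  # still used by something unrelated; do not touch
        elif not _expired(cert, now):
            plan["skip"][name] = ["not expired"]
        else:
            if users:  # a remaining PI is exactly why Delete is greyed out in the UI
                plan["blocked_by"][name] = users
                plan["delete_principal_identities"].extend(users)
            plan["delete_certificates"].append(name)
    plan["delete_principal_identities"] = sorted(set(plan["delete_principal_identities"]))
    return plan
```

Running plan_cleanup(PRINCIPAL_IDENTITIES, CERTIFICATES, SAMPLE_NOW) lists the three napp_platform identities to remove first, then the four expired certificates, and flags napp_platform_shared as still in use by another identity.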
Other certificate-related KBs:
1. Renewing the k8s-msg-client self-signed certificate on the NSX Manager UI when NAPP is deployed:
https://knowledge.broadcom.com/external/article/387518/renewing-k8smsgclient-selfsigned-certifi.html
2. Deleting the k8s-msg-client certificate on the NSX Manager UI when NAPP is undeployed:
https://knowledge.broadcom.com/external/article?articleNumber=393976