NSX Manager API Certificate import fails with "error_message" : "Certificate data is missing the private key."


Article ID: 400892


Updated On:

Products

VMware NSX

Issue/Introduction

NSX Manager uses a self-signed certificate for its API service. When this certificate expires, it can be renewed with either another self-signed certificate or a CA-signed one.

To use a CA-signed one, you must first generate a CSR from the NSX UI, have it signed by the CA, and then import it and apply it to the API service.

When you run an API call to apply the CA-signed CSR, the API call fails with the following error:

curl -k -u 'admin:<password>' -X POST 'https://<nsxmanagerfqdn>/api/v1/trust-management/certificates/<certID>?action=apply_certificate&service_type=API&node_id=<NSXManagerID>'

"error_message" : "Certificate data is missing the private key."

Environment

VMware NSX 

Cause

That specific API call requires the private key to be present in the certificate.

Resolution

You can use the NSX UI to import the certificate. You must remember to click Import CA certificate and then toggle the Service certificate button, because you are importing it for the NSX API service. This UI will not ask you for a private key.

Additional Information

The following documentation page shows you the complete process to import a certificate:

Import a Self-signed or CA-signed Certificate