Embedded vRO integration gets disconnected with error, unable to find valid certification path to requested target

Article ID: 402550


Products

VCF Operations/Automation (formerly VMware Aria Suite)

Issue/Introduction

After performing a High Availability (HA) activity on an Aria Automation cluster by following the Documentation guide, the embedded-vRO/embedded-ABX integration gets disconnected.

This symptom was also observed after upgrading Aria Automation to 8.18.1.

Environment

VMware Aria Automation 8.18.0 and above

Cause

This is a known issue in Aria Automation 8.18.0 and later versions. After a vRA/vRO restart, the certificate used for the embedded vRO/ABX integration is overridden by the default self-signed certificate.

Resolution

This issue will be fixed in VCF 9.0. As a workaround, follow the action plan below:

Workaround:

To prevent the provisioning service from overwriting the custom certificate, disable the default integration registration logic by modifying a deployment property:

Note: Performing the steps below will disable the re-creation of the default integrations during future startups.

Possible side effect: If the embedded-vRO and embedded-ABX integrations are changed or deleted for any reason, either re-create them manually or repeat steps 1-7 below with -Ddefault.endpoint.registration.enabled=true and restart the provisioning service, which will automatically re-create the integrations on the next startup.

Prerequisite: Take a non-memory snapshot of all the Aria Automation nodes.

  1. Ensure all provisioning service nodes are up and the correct certificate is applied as per this guide:
    Broadcom KB: Correct certificate configuration for embedded vRO

  2. SSH into the vRA appliance.

  3. Run the following command to edit the deployment:

    kubectl -n prelude edit deployment provisioning-service-app

  4. Locate the system property -Ddefault.endpoint.registration.enabled.

  5. Set its value to:

    -Ddefault.endpoint.registration.enabled=false

  6. Save and exit the editor.

  7. Restart the deployment for the change to take effect:

    kubectl rollout restart deployment provisioning-service-app -n prelude
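
A post-change check for the steps above, added here as an example and not part of the original KB or any Broadcom tooling: it waits for the rollout and confirms which value of the property the pod template actually carries. The function names, the 300s timeout and the sample container layout are assumptions; only the namespace, deployment name and property come from the steps above.

```shell
#!/bin/sh
# Added example: verify the workaround setting after the rollout restart.
PROP='-Ddefault[.]endpoint[.]registration[.]enabled'

# Read a deployment spec on stdin; print each distinct value given to the property.
registration_values() {
  grep -oE -- "${PROP}=[A-Za-z]+" | sed 's/.*=//' | sort -u
}

# Classify the spec on stdin: disabled | enabled | missing | conflict.
# "conflict" means both true and false appear, so the edit was only partly applied.
registration_state() {
  case "$(registration_values)" in
    false) echo disabled ;;
    true)  echo enabled ;;
    "")    echo missing ;;
    *)     echo conflict ;;
  esac
}

# Constructed sample of a container spec (layout is an assumption, for offline runs).
sample_spec() {
  cat <<'EOF'
[{"name":"provisioning-service-app","env":[{"name":"JAVA_OPTS",
  "value":"-Xmx2g -Ddefault.endpoint.registration.enabled=false"}]}]
EOF
}

# Live check on the appliance: wait for the restart, then inspect only the
# pod template containers so stale annotations cannot mask the real value.
check_live() {
  kubectl -n prelude rollout status deployment provisioning-service-app \
    --timeout=300s || return 1
  kubectl -n prelude get deployment provisioning-service-app \
    -o jsonpath='{.spec.template.spec.containers}' | registration_state
}

if [ "${1:-}" = "--live" ]; then
  check_live
else
  sample_spec | registration_state
fi
```

Run it with `--live` on the vRA appliance after step 7; any result other than `disabled` means the edit did not persist and the custom certificate can still be overwritten on the next restart.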