Since replacing the Workload Platform Management (or Supervisor) certificate through vCenter -> Workload Management -> Supervisor -> Configure -> Certificate, "kubectl vsphere login" fails with the following error:
$ kubectl vsphere login --server=https://aa.bb.cc.dd
Error occurred during HTTP request: Get "https://aa.bb.cc.dd/wcp/loginbanner" : tls: failed to verify certificate: x509: certificate specifies an incompatible key usage
There was an error when trying to connect to the server.
Please check the server URL and try again.
vSphere with Tanzu 8.0.x
The error message indicates that the Extended Key Usage (EKU) of the newly installed server certificate is incompatible with its use as a TLS server certificate. The "kubectl vsphere" client is a Go program, and Go's certificate verifier rejects a server certificate whose EKU does not include "TLS Web Server Authentication" (serverAuth) with exactly this "incompatible key usage" error.
Inspecting the new certificate shows that it was issued for "TLS Web Client Authentication" instead of the correct "TLS Web Server Authentication":
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:supervisor.mylab.local, IP Address:aa.bb.cc.dd
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Client Authentication <<<===!!! This is wrong; it should be TLS Web Server Authentication
In this particular case, the server certificate was signed by a custom Certificate Authority using an unknown signing tool. The customer's signing organization assigned the wrong Extended Key Usage: "TLS Web Client Authentication" (clientAuth) instead of "TLS Web Server Authentication" (serverAuth), which is the usage a certificate must carry to authenticate a server to TLS clients. Note that the Key Usage extension itself (Digital Signature, Key Encipherment) is correct; only the Extended Key Usage is wrong.
To resolve the issue, generate a new CSR and have the CA sign a new server certificate with the correct Extended Key Usage, "TLS Web Server Authentication" (serverAuth), keeping the same Subject Alternative Names (Supervisor FQDN and IP). Check the EKU of the signed certificate before uploading it again through vCenter -> Workload Management -> Supervisor -> Configure -> Certificate.
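The following script is an added example and is not part of the KB article or of any VMware tooling. It builds a throwaway CA standing in for the customer's custom CA, signs one Supervisor certificate with the mistaken clientAuth EKU and one with the correct serverAuth EKU, and then runs the two openssl checks a practitioner should apply to a replacement certificate before uploading it. The FQDN supervisor.mylab.local is taken from the article's SAN; the IP address, working directory, and function names are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the KB article): reproduce the EKU mistake with a
# throwaway CA and show the openssl checks that catch it before upload.
set -eu

WORK="${WORK:-$(mktemp -d)}"                # assumed scratch directory
SUPERVISOR_FQDN="supervisor.mylab.local"    # SAN from the article
SUPERVISOR_IP="10.0.0.1"                    # assumed stand-in for aa.bb.cc.dd

# Throwaway CA that plays the role of the customer's custom CA.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/CN=Lab Custom CA" >/dev/null 2>&1
}

# Sign a Supervisor server certificate with the given extendedKeyUsage.
# $1 = EKU ("clientAuth" reproduces the mistake, "serverAuth" is the fix)
# $2 = output basename under $WORK
sign_with_eku() {
  eku="$1"; name="$2"
  cat > "$WORK/$name.ext" <<EOF
subjectAltName = DNS:$SUPERVISOR_FQDN, IP:$SUPERVISOR_IP
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = $eku
EOF
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" \
    -subj "/CN=$SUPERVISOR_FQDN" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$name.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial -days 30 \
    -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" >/dev/null 2>&1
}

# Pre-upload check 1: does the certificate list TLS Web Server Authentication?
# Exit 0 if serverAuth is present in the EKU, 1 otherwise.
has_server_auth() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -q "TLS Web Server Authentication"
}

# Pre-upload check 2: would a TLS client accept this chain for a server
# named $SUPERVISOR_FQDN? "-purpose sslserver" fails on a clientAuth-only
# certificate, which is the same condition the Go client reports as
# "certificate specifies an incompatible key usage".
verify_as_server() {
  openssl verify -purpose sslserver -verify_hostname "$SUPERVISOR_FQDN" \
    -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

# Demonstration: sign both variants and report what each check says.
make_ca
sign_with_eku clientAuth wrong
sign_with_eku serverAuth fixed
for name in wrong fixed; do
  crt="$WORK/$name.crt"
  if has_server_auth "$crt"; then eku_ok=yes; else eku_ok=no; fi
  if verify_as_server "$crt"; then chain_ok=yes; else chain_ok=no; fi
  echo "$name.crt: serverAuth present=$eku_ok, verifies as server=$chain_ok"
done
```

Run the two check functions against the certificate the CA returns before installing it: a certificate that fails either check will reproduce the login error after upload, regardless of whether the CA chain itself is trusted by the client.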