Unable to replace SSL custom certificate for SDDC Manager


Article ID: 406723


Products

VMware SDDC Manager

Issue/Introduction

  • Message: "Failed to replace certificate for SDDC Manager". The "Remediation Message", "Reference Token" and "Cause" fields are blank.
  • Error in operationsmanager.log: "Certificate chain validity check against current PKIXParameters failed java.security.cert.CertPathValidatorException: CA key usage check failed: keyCertSign bit is not set"

Environment

VCF 

Cause

The keyCertSign key usage bit can only be asserted if the certificate is a valid CA certificate.

Resolution

The Certificate Authority certificate is misconfigured. It needs to be created again with the keyCertSign bit set correctly.
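
A pre-flight check for the condition named in the log message, as an added example rather than VMware or Broadcom code: it reads each certificate in a CA bundle with the openssl CLI and reports any that lacks CA:TRUE or the keyCertSign bit. The function names and the assumption that the file holds only the CA certificates (root and intermediates) are hypothetical, and the test certificates are constructed.

```shell
#!/bin/sh
# Added example (not VMware code): pre-flight check of a CA bundle with openssl.

# check_ca_bundle FILE - FILE holds the PEM CA certificates (root, intermediates).
# Returns 0 only if every certificate is CA:TRUE and has the keyCertSign bit,
# which openssl prints as "Certificate Sign".
check_ca_bundle() {
  tmp=$(mktemp -d) || return 2
  count=0; bad=0
  # Split the bundle into one file per certificate.
  awk -v dir="$tmp" '
    /-----BEGIN CERTIFICATE-----/ { i++; out = sprintf("%s/cert%03d.pem", dir, i) }
    out != "" { print > out }
    /-----END CERTIFICATE-----/ { close(out); out = "" }' "$1"
  for part in "$tmp"/cert*.pem; do
    [ -e "$part" ] || break
    count=$((count + 1))
    text=$(openssl x509 -in "$part" -noout -text 2>/dev/null) || { bad=1; continue; }
    subject=$(openssl x509 -in "$part" -noout -subject)
    if ! printf '%s\n' "$text" | grep -q 'CA:TRUE'; then
      echo "FAIL $subject: basicConstraints is not CA:TRUE"; bad=1
    elif ! printf '%s\n' "$text" | grep -q 'Certificate Sign'; then
      echo "FAIL $subject: keyCertSign bit is not set"; bad=1
    else
      echo "OK   $subject"
    fi
  done
  rm -rf "$tmp"
  [ "$count" -gt 0 ] && [ "$bad" -eq 0 ]
}

# make_sample_ca OUT KEYUSAGE - writes a constructed, self-signed test CA to OUT.
make_sample_ca() {
  cfg=$(mktemp) || return 2
  printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' \
    'x509_extensions = ext' '[dn]' 'CN = Constructed Test CA' '[ext]' \
    'basicConstraints = critical,CA:TRUE' "keyUsage = critical,$2" >"$cfg"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$cfg" \
    -keyout "$cfg.key" -out "$1" 2>/dev/null
  rc=$?
  rm -f "$cfg" "$cfg.key"
  return "$rc"
}

# Demo on constructed certificates: the first passes, the second fails.
demo_dir=$(mktemp -d)
make_sample_ca "$demo_dir/good.pem" keyCertSign,cRLSign
make_sample_ca "$demo_dir/bad.pem" digitalSignature,keyEncipherment
check_ca_bundle "$demo_dir/good.pem" || true
check_ca_bundle "$demo_dir/bad.pem" || true
```

Run `check_ca_bundle` against the CA file before attempting the certificate replacement; a FAIL line for keyCertSign means the CA certificate has to be reissued.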