A 3rd party KMS server is either flapping between Connected and Retrieving or never connects.
vCenter Server
This can be caused by network issues, expired certificates, or a duplicate KMS entry using the same FQDN and an expired certificate.
To check network connectivity, use curl to validate DNS, IP, and port access:
root@vc7 [ ~ ]# curl -v telnet://kms.server.com:5696
* Connected to kms.server.com:5696 port 5696 (#0)
If it fails to connect, you have a network issue.
Check the vpxd logs on vCenter for an expired certificate by searching for the URL or IP address of the KMS server:
2025-08-08T12:23:28.740Z error vpxd[06529] [Originator@6876 sub=CryptoManagerKmipWrapper opID=SWI-747fd464] The certificate is expired
2025-08-08T12:23:28.815Z error vpxd[06529] [Originator@6876 sub=CryptoManagerKmipWrapper opID=SWI-747fd464] Failed to connect to key server <FQDN or IP Here>:5696 - Err:QLC_ERR_NEED_AUTH Failed to establish the connection, authorisation needed
-->
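The log check above can be scripted. This is an added example, not VMware's code: it pairs each "Failed to connect to key server" line with a "The certificate is expired" line that has the same opID, and prints one verdict per key server. The function names, the verdict labels, the kms2.example.test host and the vpxd.log path in the comment are assumptions. The sample log is constructed from the lines shown in this article.

```shell
#!/usr/bin/env bash
# Added example (not VMware code). Correlates vpxd KMIP errors by opID so each
# key server is reported as "certificate-expired" or "connect-or-auth-failure".
# Assumes the log line layout shown in this article.

kmip_triage() {   # usage: kmip_triage [LOGFILE...]  (reads stdin if none given)
  awk '
    /sub=CryptoManagerKmipWrapper/ {
      # opID ties "The certificate is expired" to the connect failure after it
      op = "line" NR
      if ((o = index($0, "opID=")) > 0) { split(substr($0, o + 5), f, "]"); op = f[1] }
      if (index($0, "The certificate is expired")) expired[op] = 1
      p = "Failed to connect to key server "
      if ((i = index($0, p)) > 0) {
        split(substr($0, i + length(p)), f, " "); srv = f[1]
        err = "-"
        if ((j = index($0, "Err:")) > 0) { split(substr($0, j + 4), g, " "); err = g[1] }
        n++; fsrv[n] = srv; fop[n] = op; ferr[n] = err
      }
    }
    END {
      for (k = 1; k <= n; k++) {
        s = fsrv[k]
        v = (fop[k] in expired) ? "certificate-expired" : "connect-or-auth-failure"
        if (verdict[s] != "certificate-expired") { verdict[s] = v; code[s] = ferr[k] }
      }
      for (s in verdict) print s, verdict[s], code[s]
    }
  ' "$@" | LC_ALL=C sort
}

# Constructed sample: the first two lines follow the article, the rest are made up.
kmip_sample_log() {
  cat <<'EOF'
2025-08-08T12:23:28.740Z error vpxd[06529] [Originator@6876 sub=CryptoManagerKmipWrapper opID=SWI-747fd464] The certificate is expired
2025-08-08T12:23:28.815Z error vpxd[06529] [Originator@6876 sub=CryptoManagerKmipWrapper opID=SWI-747fd464] Failed to connect to key server kms.server.com:5696 - Err:QLC_ERR_NEED_AUTH Failed to establish the connection, authorisation needed
2025-08-08T12:24:02.101Z error vpxd[06529] [Originator@6876 sub=CryptoManagerKmipWrapper opID=SWI-1a2b3c4d] Failed to connect to key server kms2.example.test:5696 - Err:QLC_ERR_NEED_AUTH Failed to establish the connection, authorisation needed
2025-08-08T12:24:05.000Z info vpxd[06529] [Originator@6876 sub=Default opID=SWI-1a2b3c4d] unrelated constructed line
EOF
}

# Real use (log path is an assumption): kmip_triage /var/log/vmware/vpxd/vpxd.log
kmip_sample_log | kmip_triage
```

A "connect-or-auth-failure" verdict means no expiry message shared the opID, so the curl connectivity check is the next step for that server.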
If the curl command is unable to connect, perform network troubleshooting.
If the issue is an expired certificate, check that there isn't a duplicate KMS entry, and remove it if there is. If there are no duplicates, use the following KB to remove expired certificates:
Expired KMS server certificate will not be automatically removed from vecs store