Connecting to a service hosted on a "Tanzu Platform for Cloud Foundry" (TPCF) foundation with openssl while "VERIFY_X509_STRICT" is enabled fails with the following error:
[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: CA cert does not include key usage extension
Example:
Connecting to a RabbitMQ service instance hosted on a TPCF foundation with openssl and the "-x509_strict" flag:
openssl s_client -connect q-s0.rabbitmq-server.services.service-instance-XXXXXXXXXX.bosh:5671 -x509_strict
CONNECTED(00000003)
depth=1 CN = opsmgr-services-tls-ca, O = Pivotal
verify error:num=92:CA cert does not include key usage extension
verify return:1
depth=1 CN = opsmgr-services-tls-ca, O = Pivotal
verify return:1
depth=0 CN = service-instance_XXXXXXXX
verify return:1
---
Certificate chain
0 s:CN = service-instance_XXXXXXXXX
i:CN = opsmgr-services-tls-ca, O = Pivotal
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Oct 23 13:58:12 2024 GMT; NotAfter: Oct 23 13:58:12 2025 GMT
1 s:CN = opsmgr-services-tls-ca, O = Pivotal
i:CN = opsmgr-services-tls-ca, O = Pivotal
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Oct 8 14:31:17 2020 GMT; NotAfter: Oct 7 14:31:17 2025 GMT
---
Verify return code: 92 (CA cert does not include key usage extension)

Operations Manager 3.x
To resolve this issue, replace the internal services TLS CA with a custom CA.
Follow the link below to configure a custom CA.
Note: after the internal TLS CA is replaced, the custom CA signs all internal certificates as well.