Upgrade pre-check on NSX manager failed due to local manager certificate expiry on NSX manager


Article ID: 412540


Products

VMware NSX

Issue/Introduction

The upgrade pre-check on NSX Manager fails with a certificate expiry error for the Local Manager certificate on NSX Manager.

Environment

4.2.0.1

Cause

The Local Manager certificate has expired.

Resolution

  1. Procedure to replace the local-manager self-signed certificate:
    Back up the NSX Manager configuration before proceeding with the certificate replacement tasks.
    System > Lifecycle Management > Backup and Restore > Start Backup
  2. Log in to any NSX Manager and generate a new CSR.
    Click System > Settings > Certificates > CSRs > Generate CSR
    1. Enter the Common Name as local-manager.
    2. Enter the Name as LocalManager.
    3. The rest of the details can be copied from the old certificate.
    4. Click Save.
  3. Create a self-signed certificate using the generated CSR.
    1. Click the New CSR check box > Generate CSR > Self-Sign Certificate for CSR.
    2. Ensure that Service Certificate is set to No and click Save.
  4. Return to the Certificates tab, locate the new certificate and copy the Certificate ID.
  5. Replace the Principal Identity certificate for the Local Manager by using Postman.
    1. In the Authorization tab, select Type > Basic Auth and enter the NSX-T Manager login details.
    2. In the Headers tab, change to "application/json".
    3. In the Body tab, select the POST API command.
    4. Select Raw and then select JSON.
    5. Enter the URL https://<NSX Manager VIP IP>/api/v1/trust-management/certificates?action=set_pi_certificate_for_federation
    6. In the body section, enter the following in two lines, click Send, and ensure that the result is 200 OK.

{ "cert_id": "<certificate ID of newly generated Signed certificate from step 3>",
"service_type": "LOCAL_MANAGER" }

In the NSX GUI, check that the new certificate is applied to the Local Manager and that the "Where Used" column for the old (expired) certificate becomes 0.

Once you have confirmed that the expired certificate is no longer used, delete the unused/expired certificate.

Go to System > Settings > Certificates, select the required certificate, and click Delete > Delete.
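
The API call in step 5 can also be sent from a script instead of Postman. The following Python script is an added example, not part of the original article or of VMware tooling; the function name `build_request` is hypothetical, and it assumes the certificate ID is a UUID and that the host running it already trusts the NSX Manager's TLS certificate.

```python
import base64
import getpass
import json
import sys
import urllib.request
import uuid

# Endpoint and action taken from step 5 of the article.
API_PATH = "/api/v1/trust-management/certificates?action=set_pi_certificate_for_federation"


def build_request(manager, cert_id, user, password):
    """Build (but do not send) the POST request described in step 5."""
    # IDs copied from the UI often carry stray whitespace; strip it, then
    # require a well-formed UUID (assumption: NSX certificate IDs are UUIDs).
    cert_id = str(uuid.UUID(cert_id.strip()))
    body = json.dumps({"cert_id": cert_id, "service_type": "LOCAL_MANAGER"})
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(
        f"https://{manager}{API_PATH}",
        data=body.encode(),
        method="POST",
        headers={
            "Content-Type": "application/json",
            "Authorization": f"Basic {token}",
        },
    )


def main(argv):
    if len(argv) != 4:
        sys.exit(f"usage: {argv[0]} <manager-vip> <new-cert-id> <user>")
    # Prompt for the password so it never lands in shell history or `ps` output.
    req = build_request(argv[1], argv[2], argv[3], getpass.getpass("NSX password: "))
    # urlopen verifies the server certificate by default. Keep verification on
    # so the Basic Auth credentials only ever reach the real manager; if the
    # manager uses a private CA, supply that CA instead of disabling checks.
    # Any non-2xx response raises urllib.error.HTTPError.
    with urllib.request.urlopen(req, timeout=30) as resp:
        print(resp.status, resp.reason)  # the article expects 200 OK


if __name__ == "__main__":
    main(sys.argv)
```

A malformed or truncated certificate ID raises `ValueError` before any credentials are sent.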