This KB explains the required changes to the self-signed principal identity(PI) certificate used by TKGi when the NSX-T Manager’s self-signed certificate is replaced with an internal CA-signed certificate.

VMware NSX
VMware Tanzu Kubernetes Grid Integrated Edition

• Changing the NSX certificate to a CA-signed certificate will not impact the existing Principal Identity (PI) used by the NCP component in Tanzu. It can continue using the same PI.
• You will need to reconfigure the NSX settings in both the BOSH tile and the TKGI tile.

Generating and Registering the VMware NSX Manager Superuser Principal Identity Certificate and Key
Configuring BOSH Director with VMware NSX for Tanzu Kubernetes Grid Integrated Edition