• You are trying to delete an expired service certificate ("lbdomain" certificate).
• The expired cert is showing '0' under the 'Used by" column.
• Running the below API to delete the certificate results in an error similar to the below:

  # curl -k -v -u delete  -X DELETE " http://localhost/api/v1/trust-management/certificates/<certificate_id>
  {
     "httpStatus" : "BAD_REQUEST",
     "error_code" : 289,
     "module_name" : "common-services",
  "error_message" : "Principal '<principal>' with role '<role>' attempts to delete or modify an object of type nsx$Certificate it doesn't own. (createUser=nsx_policy. allowOverwrite=null)"
     
  }

• In the /var/log/syslog, we see errors similar to:
  

  <TIMESTAMP> 
  <HOSTNAME> NSX 10511 SYSTEM [nsx@6876 comp="nsx-manager" errorCode="MP289" level="ERROR" reqId="<reqId>" subcomp="manager" username="<username>"] Principal '<principal>' with role '<role>' attempts to delete or modify an object of type nsx$Certificate it doesn't own. (createUser=nsx_policy, 
  allowOverwrite=null)
  

• The certificate is created by nsx_policy user.
  GET api/v1/trust-management/certificates/<certificate_id> or desired_state_manager.json in log bundle shows

  "_create_user": "nsx_policy"

• The NSX is using WCS/vSphere with Tanzu load balancer.

• VMware NSX
• vSphere Supervisor 7
• vSphere Supervisor 8
• vSphere Supervisor 9

The service certificate needs to be renewed/released from the WCS/Tanzu with vSphere side in order to be removed from the NSX side. 

This is a condition that may occur in a VMware NSX environment.

In order to resolve the issue, please follow the steps in KB #326382 to rotate the expired certificates.

If you believe you have encountered this issue and are unable to resolve it, open a support case with Broadcom Support and refer to this KB article.
For more information, see Creating and managing Broadcom support cases.