NSX Configuration in Host Transport Node shows failed after certificate replacement
Article ID: 420470

Products

VMware NSX

Issue/Introduction

  • You recently replaced the NSX certificate.
  • The configuration status of the host transport node shows as Failed in the NSX UI.
  • You have verified that the certificate on the ESXi host transport node has not expired.
  • The following entries may appear in the ESXi host log /var/run/log/nsx-syslog.log:

2025-09-24T02:46:40.770Z Wa(180) nsx-proxy[2101991]: NSX 21####1 - [nsx@6876 comp="nsx-esx" subcomp="nsx-proxy" s2comp="nsx-net" tid="2102015" level="WARNING"] Certificate validation: couldn't find SHA256 digest 'ddec1##########6e6fb43d############5d4' in local trust store
2025-09-24T02:46:40.770Z Er(179) nsx-proxy[2101991]: NSX 21####1 - [nsx@6876 comp="nsx-esx" subcomp="nsx-proxy" s2comp="nsx-net" tid="2102015" level="ERROR" errorCode="NET1111"] Certificate validation failed: 18-self signed certificate

  • Use the following commands to check whether the uniquely identifying ID (the host UUID) is missing from the host-cert.pem file on the affected node.

cd /etc/vmware/nsx/

openssl x509 -in host-cert.pem -text

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            ##:##:98:7f:##:##:##:##
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=California, L=Palo Alto, O=VMware, Inc., [email protected], CN=VMware-NSX-Host, UID=########-7639-####-9616-############ << on an affected node this UID (host UUID) part next to the Common Name is missing

Environment

VMware NSX

Cause

Host certificate validation fails because the uniquely identifying ID (the host UUID) is missing from the Common Name in the host certificate.

Resolution

Workaround:

Regenerate the host certificate with the host UUID in the Common Name and replace the existing one. Then the "push host-certificate" CLI command must be run to sync the new certificate with the Manager.

Host certificate generation and replacement:

1. Get the host UID from the following file:

/etc/vmware/nsx/host-cfg.xml

2. Copy /etc/vmware/nsx/openssl-proxy.cnf to a temporary file:

cp /etc/vmware/nsx/openssl-proxy.cnf /tmp/tmp-openssl-proxy.cnf

3. Append the UID line and the following [ req_ext ] block to the end of /tmp/tmp-openssl-proxy.cnf (the UID line lands in the [ req_distinguished_name ] section, which is the last section of the original file):

UID = ########-28e6-####-ba9f-0a00########
[ req_ext ]
basicConstraints     = CA:FALSE
extendedKeyUsage     = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer

/tmp/tmp-openssl-proxy.cnf will then look like this:

root@ananyab-svc-nsxedge-ob-22224312-1-Edge:~# cat /tmp/tmp-openssl-proxy.cnf
[req]
default_bits            = 2048
distinguished_name      = req_distinguished_name
#Don't encrypt the key
encrypt_key             = no
prompt                  = no
string_mask             = nombstr
[ req_distinguished_name ]
countryName             = US
stateOrProvinceName     = California
localityName            = Palo Alto
0.organizationName      = VMware, Inc.
emailAddress            = [email protected]
commonName              = VMware-NSX-Host
UID = ########-28e6-####-ba9f-0a00########
[ req_ext ]
basicConstraints     = CA:FALSE
extendedKeyUsage     = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer

4. Delete the existing host private key and certificate files:

rm -f /etc/vmware/nsx/host-privkey.pem

rm -f /etc/vmware/nsx/host-cert.pem

5. Generate the new key and certificate in place with the following command:

/opt/vmware/nsx-common/python/nsx_utils/make_cert.py openssl req -days 3650 -nodes -x509 -keyout /etc/vmware/nsx/host-privkey.pem -out /etc/vmware/nsx/host-cert.pem -config /tmp/tmp-openssl-proxy.cnf -extensions req_ext

6. Finally, push the host certificate to the Manager (MP) with the following command from the NSX CLI:

nsxcli -c push host-certificate <Manager node IP> username admin thumbprint <Manager node thumbprint>

Connectivity with the Manager should be restored once the certificate has been pushed.
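As an added verification step (example code written for this article, not part of the KB itself), the following POSIX shell script checks that a host certificate's subject actually carries the UID RDN and that it equals the host UUID read from /etc/vmware/nsx/host-cfg.xml in step 1. It serves both the diagnosis above (a missing UID confirms the cause) and the regenerated certificate from step 5 before it is pushed in step 6. The subject strings and the UUID in the sample are constructed placeholders, and the function names are my own; only check_host_cert calls the real openssl binary, on the live certificate path from the procedure.

```shell
#!/bin/sh
# Added example, not part of the KB article. Verifies that an NSX host
# certificate subject carries a UID RDN equal to the host UUID the operator
# read from /etc/vmware/nsx/host-cfg.xml. Needs only sh, tr and sed;
# openssl is called only by check_host_cert on a real host.

# Print the UID value found in a certificate subject line, or nothing if the
# RDN is absent. Accepts both "C = US, ..., UID = x" and "/C=US/.../UID=x"
# subject formats, and the indented "Subject:" line of "openssl x509 -text".
subject_uid() {
    printf '%s\n' "$1" | tr ',/' '\n\n' \
        | sed -n 's/^ *UID *= *\([^ ]*\) *$/\1/p' | head -n 1
}

# Return 0 when the subject holds a UID equal to the expected host UUID,
# 1 when the UID RDN is missing (the condition this article describes),
# 2 when a UID is present but does not match host-cfg.xml.
check_uid_matches() {
    subject="$1"
    expected="$2"
    found=$(subject_uid "$subject")
    if [ -z "$found" ]; then
        echo "UID RDN missing from certificate subject" >&2
        return 1
    fi
    # UUIDs may be printed in either case; compare case-insensitively.
    if [ "$(printf '%s' "$found" | tr 'A-Z' 'a-z')" != \
         "$(printf '%s' "$expected" | tr 'A-Z' 'a-z')" ]; then
        echo "certificate UID $found does not match host UUID $expected" >&2
        return 2
    fi
    return 0
}

# On the host: read the subject of the live certificate and check it.
# Usage: check_host_cert <uuid-from-host-cfg.xml> [path-to-host-cert.pem]
# Returns 3 if openssl cannot read the certificate.
check_host_cert() {
    cert="${2:-/etc/vmware/nsx/host-cert.pem}"
    subj=$(openssl x509 -in "$cert" -noout -subject) || return 3
    check_uid_matches "$subj" "$1"
}

# Constructed sample subjects with a placeholder UUID (not real host data).
GOOD_SUBJECT='subject=C = US, ST = California, L = Palo Alto, O = VMware, Inc., CN = VMware-NSX-Host, UID = 12345678-28e6-4abc-ba9f-0a00aabbccdd'
LEGACY_SUBJECT='subject= /C=US/ST=California/L=Palo Alto/O=VMware, Inc./CN=VMware-NSX-Host/UID=12345678-28e6-4abc-ba9f-0a00aabbccdd'
BAD_SUBJECT='subject=C = US, ST = California, L = Palo Alto, O = VMware, Inc., CN = VMware-NSX-Host'
EXPECTED_UUID='12345678-28e6-4abc-ba9f-0a00aabbccdd'

# Demo run against the constructed samples; the third one reproduces the
# missing-UID condition from the article and is reported as a failure.
for s in "$GOOD_SUBJECT" "$LEGACY_SUBJECT" "$BAD_SUBJECT"; do
    check_uid_matches "$s" "$EXPECTED_UUID" && rc=0 || rc=$?
    if [ "$rc" -eq 0 ]; then
        echo "OK:   $s"
    else
        echo "FAIL (rc=$rc): $s"
    fi
done
```

On an ESXi host, `check_host_cert "$(uuid from host-cfg.xml)"` after step 5 should return 0 before you run the push in step 6; a return of 1 means the UID line did not make it into the temporary config, and a return of 2 means the UUID pasted into the config does not match host-cfg.xml.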