Converged VCF Deployment receives error "Failed to install VMCA Certificate on SDDC Manager".

Article ID: 424852

Products

VMware SDDC Manager

Issue/Introduction

When attempting to deploy a converged VCF instance, the deployment fails with the error "Failed to install VMCA Certificate on SDDC Manager".

On the SDDC Manager appliance, the following entries are logged. The common services log shows the certificate chain failing PKIX path validation, and the domain manager log shows the resulting CERT_REPLACEMENT_FAILED response from the certificate install API.

/var/log/vmware/vcf/commonsvcs/vcf-commonsvcs.log

2026-01-08T17:19:14.148+0000 ERROR [common,695fe711e386dfb0cb1531f0aab85ebf,293e] [c.v.e.s.a.u.utils.SslCertValidator,http-nio-127.0.0.1-7100-exec-6] Cert Validation failed
java.security.cert.CertPathValidatorException: Could not validate certificate signature.
        at org.bouncycastle.jcajce.provider.RFC3280CertPathUtilities.processCertA(Unknown Source)
        at org.bouncycastle.jcajce.provider.PKIXCertPathValidatorSpi_8.engineValidate(Unknown Source)
        at java.base/java.security.cert.CertPathValidator.validate(CertPathValidator.java:309)
        at com.vmware.evo.sddc.appliance.utilities.utils.SslCertValidator.validateCertChain(SslCertValidator.java:240)
        at com.vmware.evo.sddc.appliance.utilities.utils.SslCertValidator.validateCertsInChain(SslCertValidator.java:144)
        at com.vmware.evo.sddc.appliance.utilities.utils.SslCertValidator.performERICertValidations(SslCertValidator.java:135)


/var/log/vmware/vcf/domainmanager/domainmanager.log

2026-01-08T17:19:13.924+0000 INFO  [vcf_dm,695fe710b2abbcc5f001a61c8dc604a6,df7d] [c.v.e.s.s.InstallSddcManagerVmcaCertificateLocalAction,dm-exec-13]  Installing SDDC Manager VCSA certificate
2026-01-08T17:19:14.151+0000 ERROR [vcf_dm,695fe710b2abbcc5f001a61c8dc604a6,df7d] [c.v.e.s.s.InstallSddcManagerVmcaCertificateLocalAction,dm-exec-13]  API failure during install certificate Code: 500, error: {"errorCode":"CERT_REPLACEMENT_FAILED","arguments":[],"message":"Cannot replace existing certificate with the input cert. Validations did not pass.\nMake sure the input cert chain is valid. The structure must be:\n\u0027server cert\u0027 followed by \u0027intermediate certs\u0027 followed by \u0027CA cert\u0027\nOR\nA self signed server cert\nAll certs in the chain must conform to X.509 standards.\nAlso make sure that the DNS name in both the CN field and the optional Subject Alternative Name extension, is a resolvable hostname","causes":[{"type":"com.vmware.evo.sddc.appliance.utilities.error.CertValidatorException","message":"Cannot replace existing certificate with the input cert. Validations did not pass.\nMake sure the input cert chain is valid. The structure must be:\n\u0027server cert\u0027 followed by \u0027intermediate certs\u0027 followed by \u0027CA cert\u0027\nOR\nA self signed server cert\nAll certs in the chain must conform to X.509 standards.\nAlso make sure that the DNS name in both the CN field and the optional Subject Alternative Name extension, is a resolvable hostname"}],"referenceToken":"7B4L7Q"}
com.vmware.cloud.foundation.rest.commonsvcs.runtime.ApiException:
        at com.vmware.cloud.foundation.rest.commonsvcs.runtime.ApiClient.handleResponse(ApiClient.java:788)
        at com.vmware.cloud.foundation.rest.commonsvcs.runtime.ApiClient.execute(ApiClient.java:708)
        at com.vmware.cloud.foundation.rest.commonsvcs.runtime.ApiClient.execute(ApiClient.java:691)
        at com.vmware.cloud.foundation.rest.commonsvcs.service.CertificateServiceApi.installCertWithHttpInfo(CertificateServiceApi.java:1063)
        at com.vmware.cloud.foundation.rest.commonsvcs.service.CertificateServiceApi.installCert(CertificateServiceApi.java:1051)
        at com.vmware.evo.sddc.sddcmanager.InstallSddcManagerVmcaCertificateLocalAction.execute(InstallSddcManagerVmcaCertificateLocalAction.java:120)
        at com.vmware.evo.sddc.sddcmanager.InstallSddcManagerVmcaCertificateLocalAction.execute(InstallSddcManagerVmcaCertificateLocalAction.java:55)
        at com.vmware.evo.sddc.orchestrator.platform.action.FsmActionState.invoke(FsmActionState.java:66)

Environment

VCF 9.0.x

Cause

The vCenter Server VMCA has been configured as an intermediate (subordinate) CA, that is, its signing certificate is issued by an external CA rather than being self-signed. The SDDC Manager certificate issued by this VMCA therefore chains to that external CA, and the SDDC Manager certificate validator (SslCertValidator) fails path validation on the chain with "Could not validate certificate signature". The install is rejected with CERT_REPLACEMENT_FAILED, which the converge workflow surfaces as "Failed to install VMCA Certificate on SDDC Manager".
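To confirm the cause before applying the workaround, the following added example (not part of the KB article or of VCF) checks a PEM bundle for the structure the SDDC Manager validator demands: server certificate, then intermediates, then a self-signed CA certificate. It builds a constructed three-tier chain (an external root, a subordinate CA standing in for a VMCA that was re-keyed as an intermediate, and a leaf for a hypothetical host sddc-manager.example.local) and shows how a complete bundle and one missing the root are reported. The subjects, file names and hostname are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not from the KB article. Checks a PEM bundle against the
# structure the SDDC Manager validator describes: "server cert" followed by
# "intermediate certs" followed by a self-signed "CA cert". Subjects, file
# names and the hostname below are constructed for the demo.
set -eu

# chain_report BUNDLE.pem
# Prints subject/issuer for each cert in bundle order. Returns 0 when each
# cert is issued by the next, the last cert is self-signed and openssl
# verify accepts the chain; returns 1 otherwise, e.g. when the issuing CA is
# a subordinate whose external root is not in the bundle.
chain_report() {
    bundle=$1
    work=$(mktemp -d)
    # Split the bundle into cert01.pem, cert02.pem, ... preserving order.
    awk -v dir="$work" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%02d.pem", dir, n) }
        n > 0 { print > f }' "$bundle"
    rc=0; i=0; first=""; last=""; expect=""; lastself=""
    : > "$work/untrusted.pem"
    for c in "$work"/cert*.pem; do
        i=$((i + 1))
        subj=$(openssl x509 -in "$c" -noout -subject | sed 's/^subject= *//')
        iss=$(openssl x509 -in "$c" -noout -issuer | sed 's/^issuer= *//')
        self=no
        [ "$subj" = "$iss" ] && self=yes
        printf '%d: subject="%s" issuer="%s" self-signed=%s\n' "$i" "$subj" "$iss" "$self"
        if [ -z "$first" ]; then
            first=$c
        else
            cat "$c" >> "$work/untrusted.pem"
            # Every cert after the first must be the issuer of its predecessor.
            if [ "$expect" != "$subj" ]; then
                echo "   out of order: expected a cert with subject \"$expect\" here"
                rc=1
            fi
        fi
        expect=$iss; last=$c; lastself=$self
    done
    if [ "$lastself" != yes ]; then
        echo "   chain ends in a CA that is not self-signed (its issuer \"$expect\" is absent):"
        echo "   the issuing CA is acting as an intermediate, not a root"
        rc=1
    fi
    vargs=""
    [ -s "$work/untrusted.pem" ] && vargs="-untrusted $work/untrusted.pem"
    # shellcheck disable=SC2086
    if openssl verify -CAfile "$last" $vargs "$first" >/dev/null 2>&1; then
        echo "   openssl verify: OK"
    else
        echo "   openssl verify: FAILED"; rc=1
    fi
    rm -rf "$work"
    return $rc
}

# make_demo_chains DIR
# Constructs a three-tier chain: external root -> subordinate CA (standing in
# for a VMCA re-keyed as an intermediate) -> leaf for the SDDC Manager host.
# Writes DIR/complete.pem (leaf+sub+root) and DIR/truncated.pem (root omitted).
make_demo_chains() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:sddc-manager.example.local\n' > "$d/leaf.ext"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example External Root CA" \
        -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -set_serial 1 -in "$d/root.csr" -signkey "$d/root.key" \
        -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=VMCA as subordinate CA" \
        -keyout "$d/sub.key" -out "$d/sub.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -set_serial 2 -in "$d/sub.csr" -CA "$d/root.crt" \
        -CAkey "$d/root.key" -extfile "$d/ca.ext" -out "$d/sub.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=sddc-manager.example.local" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -set_serial 3 -in "$d/leaf.csr" -CA "$d/sub.crt" \
        -CAkey "$d/sub.key" -extfile "$d/leaf.ext" -out "$d/leaf.crt" 2>/dev/null
    cat "$d/leaf.crt" "$d/sub.crt" "$d/root.crt" > "$d/complete.pem"
    cat "$d/leaf.crt" "$d/sub.crt" > "$d/truncated.pem"
}

demo=$(mktemp -d)
make_demo_chains "$demo"
echo "== complete chain: leaf, subordinate CA, root =="
chain_report "$demo/complete.pem" || true
echo "== truncated chain: leaf, subordinate CA (root missing) =="
chain_report "$demo/truncated.pem" || true
rm -rf "$demo"
```

To check a real chain, capture it from the vCenter Server or SDDC Manager with `openssl s_client -connect <host>:443 -showcerts </dev/null`, save the certificate blocks to a PEM file and pass that file to chain_report. A bundle whose last certificate is not self-signed is the signature of a VMCA operating as an intermediate CA.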

Resolution

As a workaround, revert the VMCA to its default (self-signed) root before running the converge operation.

On the vCenter Server Appliance, run the certificate-manager CLI (/usr/lib/vmware-vmca/bin/certificate-manager) and use option 2 or 8 to reset the VMCA. This allows the converge operation to proceed.

Resetting the VMCA regenerates the vCenter certificates and restarts the vCenter services, so schedule it accordingly. It also removes the external CA from the vCenter trust chain: certificates issued by the VMCA after the reset are signed by the new self-signed VMCA root, which clients that previously trusted only the external CA will need to trust.

Refer to https://knowledge.broadcom.com/external/article/318946 for the procedure.