In VMware Cloud Foundation (VCF), hosts may show a "Disconnected" status within the Password Management section of the SDDC Manager UI.
Attempts to rotate host passwords fail with the following error:
`SslException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed`
This issue typically occurs when there are permission conflicts or certificate validity issues associated with the MachineSSL certificates.
SDDC Manager 5.x
vCenter Server 8.x
The issue is caused by incorrect permissions on the MachineSSL certificate, which prevents the PKIX path validation from completing successfully during SSL communication between SDDC Manager and the hosts.
To resolve this issue, fix the certificate permissions, renew the host certificates, and then rotate the passwords in SDDC Manager:
1. Fix Certificate Permissions:
Upload the vCert utility to the vCenter Server and run it.
Select Option #5 followed by Option #3 to repair permission issues on the MachineSSL certificates.
2. Renew Host Certificates:
Log in to the vCenter Server Appliance (vCSA) GUI
Navigate to the host view, select the affected host, and choose the option to Refresh the host certificate, then select the option to Renew the host certificate.
3. Rotate Passwords:
Navigate to SDDC Manager > Password Management.
Retry the Rotate Password operation for the host.
Verify the host status now shows as "Connected."
4. Repeat these steps for each disconnected host in the inventory.
If you continue to experience SSL exceptions after repairing permissions, ensure that the system time is synchronized across all VCF components, as time skew can also cause `CertPathValidatorException` failures.
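The PKIX validity check compares the validating component's own clock against the certificate's `notBefore` and `notAfter` fields, so a freshly renewed certificate can still be rejected by a component whose clock runs behind. The following is an added example, not part of the original article or any VMware tooling; it evaluates constructed `openssl x509 -noout -dates` output against constructed clock readings, and the component names and times are assumptions.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample in the format printed by `openssl x509 -noout -dates`.
SAMPLE_DATES = """\
notBefore=Mar 10 12:00:00 2024 GMT
notAfter=Mar 10 12:00:00 2026 GMT
"""

def epoch(year, month, day, hour=0, minute=0):
    """UTC wall-clock time as epoch seconds."""
    return int(datetime(year, month, day, hour, minute, tzinfo=timezone.utc).timestamp())

# Constructed clock readings; the component names are hypothetical.
SAMPLE_CLOCKS = {
    "sddc-manager": epoch(2024, 3, 10, 11, 55),  # 5 minutes behind the issuance time
    "vcenter": epoch(2024, 3, 10, 12, 5),        # in sync with the issuing side
    "esxi-host": epoch(2026, 4, 1),              # clock past the certificate's notAfter
}

def parse_dates(text):
    """Return (not_before, not_after) in epoch seconds from openssl -dates output."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() in ("notBefore", "notAfter"):
            # cert_time_to_seconds parses the GMT format independent of locale
            fields[key.strip()] = ssl.cert_time_to_seconds(value.strip())
    if len(fields) != 2:
        raise ValueError("expected one notBefore and one notAfter line")
    return fields["notBefore"], fields["notAfter"]

def classify(not_before, not_after, clock):
    """Outcome of the validity-period check as seen from one component's clock."""
    if clock < not_before:
        return "not-yet-valid"   # typical after a renewal when this clock is behind
    if clock > not_after:
        return "expired"         # certificate is old, or this clock is far ahead
    return "valid"

def check_clocks(dates_text, clocks):
    """Map each component name to the result its clock would produce."""
    not_before, not_after = parse_dates(dates_text)
    return {name: classify(not_before, not_after, ts) for name, ts in clocks.items()}

if __name__ == "__main__":
    for name, result in check_clocks(SAMPLE_DATES, SAMPLE_CLOCKS).items():
        print(f"{name}: {result}")
```

Any result other than `valid` for a component points at that component's clock or at the certificate's validity period rather than at file permissions.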