NSX Manager upgrade pre-check fails with "The certificate with ID [ID] failed validation: signed overrun"

Article ID: 438873

Updated On:

Products

VMware NSX

Issue/Introduction

  • During VMware NSX upgrade readiness checks, the process fails at the Certificate Validity Checks stage. The pre-check identifies a specific certificate that prevents the upgrade from proceeding.
  • In the NSX Manager UI or upgrade logs, you see the following error message:
    The certificate with ID <UUID> failed validation: signed overrun, bytes = <Value> Please delete or replace this certificate prior to upgrading.
  • The issue is typically visible under the MP (Management Plane) component type with error code 30460.
  • The certificate in question is a CA-signed certificate.
  • Log evidence in desired_state_manager.json confirms the validation failure and identifies the specific certificate by its display_name.

Environment

  • VMware NSX Version: 4.x

Cause

This issue occurs when a certificate imported into the NSX Manager has an incorrect format or structural anomaly (specifically a "signed overrun" error during the validation parse), which prevents the upgrade utility from verifying the certificate chain or validity.

Resolution

For a CA-signed certificate, take the following steps to fix the issue.

  • Generate a New Certificate: Create a new certificate with the correct format, have it signed by the CA, and apply it to the NSX Manager. Then delete the incorrect certificate.
  • Once this is done, re-run the NSX Manager upgrade pre-checks; they should come back clean.
  • Once the upgrade pre-checks pass, you can proceed with the upgrade.

Follow this process:

  1. Generate the CSR
  2. Send the CSR to your CA to get a cert back.
  3. Import the new cert
  4. Apply the new cert to the appropriate service
  5. Re-run the VMware NSX upgrade readiness checks (NSX Manager pre-check) from the NSX GUI.
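
A structural check that can be run on the certificate returned by the CA before step 3, as an added example (not VMware's code and not part of the original article). It assumes that "signed overrun" means bytes remain inside the certificate's outer SEQUENCE after its three top-level fields; the function names and sample bytes are constructed for illustration.

```python
import base64
import re

def read_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short form: length in one byte
        length = first
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of data")
    return tag, pos, pos + length

def pem_to_der(pem):
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE PEM block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def check_cert_structure(der):
    """Return a list of structural problems; an empty list means the shape is sound."""
    try:
        tag, start, end = read_tlv(der, 0)
        if tag != 0x30:
            return ["outer element is not a SEQUENCE"]
        problems = []
        if end != len(der):
            problems.append(f"{len(der) - end} byte(s) after the certificate SEQUENCE")
        pos = start
        for _ in range(3):                # tbsCertificate, signatureAlgorithm, signature
            _, _, pos = read_tlv(der[:end], pos)
        if pos != end:
            problems.append(f"{end - pos} byte(s) left over after the signature field")
        return problems
    except ValueError as exc:
        return [str(exc)]

# Constructed sample: certificate-shaped DER skeleton, not a real certificate.
FIELDS = bytes.fromhex("3003020101" "30020500" "030200ff")
GOOD = bytes([0x30, len(FIELDS)]) + FIELDS
BAD = bytes([0x30, len(FIELDS) + 2]) + FIELDS + b"\x00\x00"   # two stray bytes inside
```

For a real file, pass `pem_to_der(open(path).read())` to `check_cert_structure`; this checks only the outer layout and does not verify the signature, chain or validity dates.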