Provisioning a foundation via Hub and VCF Automation fails in the initial apply changes

Article ID: 441066

Products

VMware Tanzu Platform Core

Issue/Introduction

During the initial Apply Changes phase, when BOSH is being deployed to the infrastructure (vSphere, in this case), the process fails with certificate verification errors similar to:

IaaS default: 'Error connecting to VCF Automation API: The server's certificate is not signed with the provided CA cert', type: IaasConfigurationVerifier

IaaS default: 'Error connecting to VCF Automation API: The server's certificate is not signed with the provided CA cert', type: AvailabilityZonesVerifier

'Error connecting to VCF Automation API: The server's certificate is not signed with the provided CA cert', type: NetworksExistenceVerifier

Environment

Tanzu Hub 10.4

Cause

The full certificate chain for VCF Automation is not provided in Tanzu Hub.
While Tanzu Hub allows you to add only the VCF Automation appliance certificate when configuring the connection, this is insufficient for downstream operations.
During the foundation vending process, specifically when deploying the BOSH Director's certificate, validation is enforced more strictly. As a result, the deployment fails during “Applying Foundation Core changes” if the full trust chain is not present.

Resolution

Provide the complete certificate chain (including intermediate and root CA certificates) when configuring the VCF Automation connection in Tanzu Hub.