When performing a NSX upgrade validation pre-checks fail due to expired certificates. The error identifies certificates related to 'principal identity'.

VMware NSX 4.2.1
Aria Operations for Networks (formerly vRNI) version 6.9

Expired self-signed certificates associated with Aria Operations for Networks (vRNI) 6.9 block NSX upgrade validation.
Because  Aria Operations for Networks (vRNI) 6.9  has reached End of Support (EoS), new certificates cannot be generated or renewed within that version.
These certificates are often imported or registered with  Aria Operations for Networks (vRNI) 6.9 .

To resolve the validation failure, you must manually remove the expired certificates from the NSX Manager. Follow the steps exactly to procced with upgrade:

Step 1: Locate Expired Certificates

1.  Log in to the NSX Manager UI
2.  Navigate to System > Certificates.
3.  Identify the two expired certificates, which are often labeled with principal identity or related to Aria Log Insight/Network Monitor.

Step 2: Remove Associated Identities

1.  Before deleting the certificates, locate any Principal Identities or service users tied to these specific certificates.
2.  Remove these associated identities first to avoid database inconsistencies.

Step 3: Delete Certificates and Resume Upgrade

1.  Delete the identified expired certificates from the Certificates section.
2.  Return to the NSX Upgrade interface.
3.  Re-run the Upgrade Pre-checks to confirm the validation error is cleared.
4.  Resume the upgrade process.

Step 4: Post-Upgrade Task

Once the upgrade is successful, you can re-establish the Aria integration if required. Refer to the documentation below for further details on certificate management:

How to replace a Principal Identity Certificate in NSX