K8S_MSG_CLIENT certificates cannot be deleted after NAPP undeployment, causing expired certificate alarm


Article ID: 393976


Updated On:

Products

VMware vDefend Firewall with Advanced Threat Prevention

Issue/Introduction

After NAPP undeployment, the K8S_MSG_CLIENT certificate is left behind and cannot be deleted. Even after GSS is involved to delete the certificate, it is added back to the Certificates UI after a while. The certificate eventually expires, causing certificate expiry alarms that cannot be resolved.

Environment

Any NSX with NAPP 4.2 undeployed.

Cause

The certificate was written to disk when it was left behind. Removing the certificate from the trust-management system does not clean up the on-disk copy. As a result, the system tries to repair itself after a reboot and reintroduces the certificate into the database.

Resolution

Please contact GSS to resolve the issue.

Additional Information

Note: To renew the k8s-msg-client self-signed certificate in the NSX Manager UI while NAPP is deployed, follow this article: https://knowledge.broadcom.com/external/article/387518/renewing-k8smsgclient-selfsigned-certifi.html