• You are using NSX Federation.
• You had Federation since 3.1.x with a Global manager certificate and upgraded to 3.2.x.
• You have an alert that LOCAL_MANAGER or GLOBAL_MANAGER certificates have expired.
• You followed the steps in the VMware NSX administration guide step 6. to replace the Federation PI certificates:
• You still see alerts in the UI (System - Certificates) indicating there are expired certificates and they still have 'Where Used' count greater than 0.
• You are unable to remove the expired certificate, as the system is reporting that it is still in use.
• Running the following API call, we see the certificate which is alerting in the UI (take note of the certificate UUID from the UI) is of type: "service_types" : [ "CLIENT_AUTH" ] with no GLOBAL_MANAGER or LOCAL_MANAGER entry co-located on that certificate.

• Checking the Principle Identities (PI) using the following API we see they are now using the new certificate provided in the replacement API call from VMware NSX Administration Guide step 6 and not the stale cert identified in the previous step.
  • Refer to the section at the bottom of the page titled: Principal Identity (PI) Users for NSX Federation.

• Presence of CLIENT_AUTH and LOCAL_MANAGER (or GLOBAL_MANAGER) service_types on a single certificate with "node_id": containing name: 'localmanageridentity' or name: 'globalmanageridentity'.
  •  These entries have been noted to be stale when confirmed with all of the symptoms above this note are present.
• Presence of LOCAL_MANAGER or GLOBAL_MANAGER service_type alone.
  • This is the certificate entry on the cluster/site that holds the private key for this cert and these entries have not been noted to be stale and should not be released. 

• In a Federation environment, each manager will generate its own certificate which is used for communications.
• Each manager will send this certificate to the other sites in the environment, which will then use that certificate for the Principle Identity which is used to configure the other managers.
• When we replace the expired certificate, the other managers should replace the certificate in use by the PI that is used to communicate with the manager, which renewed its certificate.
• This is an automatic process carried out when the certificate is renewed.
• Due to an issue with the automatic release process, there is a stale entry and the manager believes the certificate is still being held by one of the other managers.
• This occurs in Federation environments that where deployed in 3.1 or prior and upgraded to 3.2.x.

This is a known issue impacting VMware NSX.
The workaround this issue, use the carr script attached to KB: Using Certificate Analyzer, Results and Recovery (CARR) Script to fix certificate related issues in NSX