Lookup service fails with a certificate error for external VMware solutions like NSX Manager, VMware vCenter Site Recovery Manager, VMware vSphere Replication or vShield Manager.

Some solutions, such as VMware vCenter Site Recovery Manager, VMware vSphere Replication, or vShield Manager, are always installed on a different machine than the associated vCenter Server system or Platform Services Controller that manages the certificates for the solution.

If you replace the Machine SSL certificate of a vCenter Server system or a Platform Services Controller in an environment with an External Platform Services Controller, a connection error results when the solution attempts to connect to the vCenter Server. The reason is that the vCenter Server and the Platform Services Controller use the new certificate, but the corresponding service registrations with the VMware Lookup Service are not updated. When solutions connect to vCenter Server or Platform Services Controller, they look at the service registration, which includes the service URL and the sslTrust string. By default, the sslTrust string is the Base 64 encoded old certificate even if you have replaced the certificate successfully.
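A check for the stale-registration condition described above, as an added example rather than code from the original post or from VMware: it compares each registration's sslTrust value with the certificate currently in use and lists the registrations that still carry the old one. The field names `serviceId` and `url`, the host names and the placeholder certificate bytes are constructed for illustration.

```python
import base64
import hashlib
import ssl


def thumbprint(der: bytes) -> str:
    """Colon-separated SHA-1 thumbprint of a DER-encoded certificate."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def stale_registrations(registrations, current_pem):
    """Return (serviceId, url, thumbprint) for every registration whose
    sslTrust does not match the certificate currently in use."""
    current = thumbprint(ssl.PEM_cert_to_DER_cert(current_pem))
    stale = []
    for reg in registrations:
        # sslTrust is Base64 DER without PEM armour; tolerate wrapped lines.
        der = base64.b64decode("".join(reg["sslTrust"].split()))
        trusted = thumbprint(der)
        if trusted != current:
            stale.append((reg["serviceId"], reg["url"], trusted))
    return stale


# Constructed sample data: placeholder bytes stand in for real DER certificates.
OLD_DER = b"constructed-old-machine-ssl-cert"
NEW_DER = b"constructed-new-machine-ssl-cert"
CURRENT_PEM = ssl.DER_cert_to_PEM_cert(NEW_DER)
REGISTRATIONS = [
    {"serviceId": "example-vpxd", "url": "https://vc.example.local/sdk",
     "sslTrust": base64.b64encode(OLD_DER).decode()},
    {"serviceId": "example-sso", "url": "https://psc.example.local/sts",
     "sslTrust": base64.b64encode(NEW_DER).decode()},
]

if __name__ == "__main__":
    for service_id, url, trusted in stale_registrations(REGISTRATIONS, CURRENT_PEM):
        print(f"STALE {service_id} {url} still trusts {trusted}")
```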

VMware has fixed the issue in the latest update, VCSA U1b or U2, so if we have already updated the machine certificate with the older version, we may face an issue while connecting NSX Manager / vSphere Replication (VR) to the lookup service, with the below error.

To fix the issue we need to follow KB 2121701. If we already changed the machine certificate with the older version (VCSA 6.0 / U1a) and then updated the appliance with the latest U1b / U2 code, we still need to follow the manual steps in the KB to fix the issue.
So if we want to change the machine certificate, first make sure to upgrade the VCSA (PSC / VC) to the latest VMware update (U1b or U2) to avoid the extra work. You can check my other blog post on the steps involved in replacing the certificate, where I also highlighted the changes.

We can notice the below extra output while importing the certificate with the U1b / U2 update.
