Attempting to delete a certificate in NSX-T Manager fails with the error:
Certificate cannot be deleted because it is used by 1 MP node(s).
This happens because the certificate was not released after an NSX-T controller node previously used it.
To fix this, first get the details for the certificate in question.
GET https://nsx.vmwire.com/api/v1/trust-management/certificates/<cert-id>
At the bottom of the Body in the response you’ll see something like the following:
{
"service_type": "API",
"node_id": "c1862a42-f52e-af01-f090-ed6482cad394"
}
Now you can release the node from that certificate. This only works directly from the node and not from the API, so first log in to one of your NSX-T controller nodes.
Log in to a Controller node as admin, then type st e, enter the admin password, and you should be at the shell.
Post this command to release the certificate from that node.
curl -k -X POST -H "Content-Type: application/json" -H 'X-NSX-Username:admin' -H 'X-NSX-Groups:superuser' -d '{"service_type":"API","node_id":"c1862a42-f52e-af01-f090-ed6482cad394"}' "http://localhost:7440/nsxapi/api/v1/trust-management/certificates/21fd7e8a-3a2e-4938-9dc7-5f3eccd791e7?action=release"
Once done, you can now delete that certificate from NSX-T.
This is the workaround that is referred to in this KB article but not discussed.
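The two steps above (read the node_id and service_type from the GET response, then post the release) can be scripted so the request body is never retyped by hand. The following is an added example, not code from the original post or from VMware: it takes a saved GET response and prints the matching release command for each node still holding the certificate. The helper names and the "used_by" layout of the sample response are assumptions; only the fragment with service_type and node_id is shown on this page.

```python
import json
import shlex

# Local endpoint and headers exactly as used in the curl command on this page.
LOCAL_BASE = "http://localhost:7440/nsxapi/api/v1/trust-management/certificates"
HEADERS = ["Content-Type: application/json", "X-NSX-Username:admin", "X-NSX-Groups:superuser"]


def find_usages(obj):
    """Recursively collect every object that carries both node_id and service_type."""
    found = []
    if isinstance(obj, dict):
        if "node_id" in obj and "service_type" in obj:
            found.append({"service_type": obj["service_type"], "node_id": obj["node_id"]})
        for value in obj.values():
            found.extend(find_usages(value))
    elif isinstance(obj, list):
        for item in obj:
            found.extend(find_usages(item))
    return found


def release_commands(cert_id, response_text):
    """Return one shell-quoted curl release command per usage found in the GET response."""
    commands = []
    for usage in find_usages(json.loads(response_text)):
        body = json.dumps(usage, separators=(",", ":"))
        args = ["curl", "-k", "-X", "POST"]
        for header in HEADERS:
            args += ["-H", header]
        args += ["-d", body, f"{LOCAL_BASE}/{cert_id}?action=release"]
        commands.append(" ".join(shlex.quote(a) for a in args))
    return commands


# Constructed sample: the layout around the fragment (the "used_by" key) is an assumption.
SAMPLE_RESPONSE = """
{"id": "21fd7e8a-3a2e-4938-9dc7-5f3eccd791e7",
 "used_by": [{"service_type": "API",
              "node_id": "c1862a42-f52e-af01-f090-ed6482cad394"}]}
"""

if __name__ == "__main__":
    for cmd in release_commands("21fd7e8a-3a2e-4938-9dc7-5f3eccd791e7", SAMPLE_RESPONSE):
        print(cmd)
```

An empty result means no node is listed as using the certificate, so there is nothing to release before deleting it.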