@cbankadmin,

For your first issue, could you please run: 

for store in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list | grep -v TRUSTED_ROOT_CRLS); do echo "[*] Store :" $store; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $store --text | grep -ie "Alias" -ie "Not After";done;

For your second issue , could you please run:

/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store vpxd-extension --text | less

If the output is long, put it in a .txt file and attach it here.

Helllo @cbankadmin,

You're following the right article to fix the Thumbprint mismatch failures on eam (ESX Agent Manager) and rbd (VMware vSphere Auto Deploy) from VDT, however I have come across the same errors as you've mentioned. All that we had to do is start from the beginning by creating a temporary directory under root as certificate and creating a copy certificate and key from the vpxd-extension store.

https://kb.vmware.com/s/article/57379

In certain situations, you might receive the error "certificate verify failed: Hostname mismatch, certificate is not valid for 'sdkTunnel'". This error can be safely ignored if you are getting the error after the message "Successfully updated certificate for "com.vmware.vim.eam" extension" as this message confirms that Extension certificate updated successfully with vCenter Server.

https://kb.vmware.com/s/article/2112577