Intermittent vCenter KMS connectivity alarms

I’ve seen a number of cases where vCenter issues intermittent KMS connectivity alarms. This often happens in environments where the network or KMS latency is relatively high. One tip provided by VMware / Broadcom support is to remove expired KMS certificates from the vCenter trust store. This is only my impression, but as best as I can tell, these expired certificates do not prevent successful connectivity, but they can contribute to an increased processing delay which is more likely to trigger health alarms.

If you are experiencing one of the following alarms intermittently, you should consider a cleanup of expired CA certificates:

  • Certificate Status
  • Key Management Server Health Status Alarm
  • KMS Server Certificate Status

Broadcom support referred us to the following Knowledge Base articles to view and remove certificates from the vCenter trust store:

In particular, for KMS-related alarms, you want to evaluate the certificates in the KMS_ENCRYPTION trust store.
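
One way to spot the expired entries in that store, as an added example that is not from Broadcom or the Knowledge Base articles: the script below reads the text listing of the KMS_ENCRYPTION store and reports every alias whose certificate has passed its "Not After" date. It assumes the listing comes from `/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store KMS_ENCRYPTION --text` and contains "Alias" and "Not After" lines in openssl text style; the sample listing and its alias names are constructed.

```python
# Input: output of `vecs-cli entry list --store KMS_ENCRYPTION --text` (assumed format).
import re
import sys
from datetime import datetime, timezone

ALIAS_RE = re.compile(r"^\s*Alias\s*:\s*(\S.*?)\s*$")
NOT_AFTER_RE = re.compile(r"^\s*Not After\s*:\s*(.+?)\s*$")

# Constructed sample listing, not captured from a real vCenter.
SAMPLE = """\
Number of entries in store :\t2
Alias :\tkms-old-ca
Entry type :\tTrusted Cert
Certificate:
            Not Before: Mar 14 12:00:00 2016 GMT
            Not After : Mar 14 12:00:00 2021 GMT
Alias :\tkms-current-ca
Entry type :\tTrusted Cert
Certificate:
            Not Before: Jan  5 08:30:00 2023 GMT
            Not After : Jan  2 08:30:00 2033 GMT
"""

def parse_entries(listing):
    """Return [(alias, not_after_utc)], pairing each alias with its first Not After."""
    entries, alias = [], None
    for line in listing.splitlines():
        m = ALIAS_RE.match(line)
        if m:
            alias = m.group(1)
            continue
        m = NOT_AFTER_RE.match(line)
        if m and alias is not None:
            # openssl pads single-digit days with a space; collapse the whitespace
            stamp = " ".join(m.group(1).split())
            when = datetime.strptime(stamp, "%b %d %H:%M:%S %Y GMT")
            entries.append((alias, when.replace(tzinfo=timezone.utc)))
            alias = None  # ignore further dates until the next alias
    return entries

def expired_aliases(listing, now=None):
    """Return the aliases whose certificate expired before `now` (default: current UTC)."""
    now = now or datetime.now(timezone.utc)
    return [alias for alias, end in parse_entries(listing) if end < now]

if __name__ == "__main__":
    # Pipe the vecs-cli listing in on stdin; with no pipe, the constructed sample is used.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for alias in expired_aliases(text):
        print("expired:", alias)
```

The script only reports; it does not modify the trust store.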
