Your mp-cluster and tomcat are your front end ssl certificates on a standalone setup of nsx-t manager, they are located in the nsx-t manager certificate store in the UI. If your nsx-t is a standalone install then you can replace the certificates following this article.

If your nsx-t manager are deployed with vcf the tomcat and mp-cluster are replaced with CA certificates signed by VMCA from vCenter. The mp-cluster and tomcat certificate might still be there but aren’t being used.
Then you need to replace it using the VCF guide

So then your nsx-t manager stores in the UI will have tomcat/mp-cluster certificate, VMCA CA certificates and signed one by the organization. But it will be only be using the signed one by your organization.

If you want to see if the certificate is being used or not use the following API
I used the Postman application it will have “used by” area. If it is blank then it is not being used

Below are some pictures as examples to help with your understanding

By Kader