Your mp-cluster and tomcat are your front end ssl certificates on a standalone setup of nsx-t manager, they are located in the nsx-t manager certificate store in the UI. If your nsx-t is a standalone install then you can replace the certificates following this article. https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.2/administration/GUID-50C36862-A29D-48FA-8CE7-697E64E10E37.html
If your nsx-t manager are deployed with vcf the tomcat and mp-cluster are replaced with CA certificates signed by VMCA from vCenter. The mp-cluster and tomcat certificate might still be there but aren’t being used.
Then you need to replace it using the VCF guide https://docs.vmware.com/en/VMware-Cloud-Foundation/4.4/vcf-admin/GUID-2A1E7307-84EA-4345-9518-198718E6A8A6.html.
So then your nsx-t manager stores in the UI will have tomcat/mp-cluster certificate, VMCA CA certificates and signed one by the organization. But it will be only be using the signed one by your organization.
If you want to see if the certificate is being used or not use the following API
GET/api/v1/trust-management/certificates/{cert-id}
example https://10.0.0.20/api/v1/trust-management/certificates/27cf1279-b11b-4632-839c-038afce66a84
I used the Postman application it will have “used by” area. If it is blank then it is not being used
Below are some pictures as examples to help with your understanding
Ray