Alarms Indicating CBM Certificates Have Expired or Are Expiring Prevent NSX Manager Upgrades

Article ID: 324175

Products

VMware NSX

Issue/Introduction

  • The environment runs NSX 4.1.0.2 or above, and was upgraded from NSX-T 3.2.x.
  • NSX Alarms indicate certificates are expired or about to expire.
  • The expiring certificates contain "Corfu Client" in their name.
  • An error such as the one below may also appear during an upgrade, where the ID matches a CBM certificate:
The certificate with id ########-####-####-####-############ failed to parse with error: null. Please delete (if unused) or replace this certificate prior to upgrading. Refer to KB article https://knowledge.broadcom.com/external/article/324175/

Environment

VMware NSX-T Data Center

VMware NSX

Cause

There are two main factors that can contribute to this behavior:
  • NSX Managers hold many certificates for internal services. In NSX-T 3.2.x, Cluster Boot Manager (CBM) service certificates were incorrectly issued with a validity period of 825 days instead of 100 years.
    • This was corrected to 100 years in NSX-T 3.2.3 and NSX 4.1.0.
    • However, any environment that previously ran NSX-T 3.2.x (below 3.2.3) will see its internal CBM Corfu certificates expire after 825 days, regardless of whether it has since been upgraded to a fixed version.
  • On NSX-T 3.2.x, internal server certificates could expire without any alarm being raised. There was no functional impact.
    • Starting with NSX 4.1.0.2, NSX alarms monitor the validity of internal certificates and trigger for certificates that are expired or about to expire.

Note: In NSX 4.1.x, there is no functional impact when an internal certificate expires; however, the alarms will continue to trigger.
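The check below is an added example, not part of this KB or of the CARR script: it reports, for a PEM certificate, the length of its validity period, whether it is expired or expiring, and whether it carries the 825-day validity that pre-3.2.3 code gave CBM Corfu certificates (fixed builds issue 100 years). It assumes openssl is available and that date(1) is GNU date (BSD date is tried as a fallback); the PEM files passed to it are the reader's own.

```shell
#!/bin/sh
# Added example: triage a PEM certificate the way the NSX 4.1.0.2+ alarm
# logic described above does. Assumes openssl and GNU date (BSD fallback).

# Convert an openssl date string ("Jan  1 00:00:00 2025 GMT") to epoch seconds.
to_epoch() {
  date -u -d "$1" +%s 2>/dev/null || date -u -j -f "%b %e %T %Y %Z" "$1" +%s
}

# Length of the validity period in whole days (notAfter - notBefore).
validity_days() {
  nb=$(openssl x509 -in "$1" -noout -startdate | sed 's/^notBefore=//')
  na=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
  echo $(( ( $(to_epoch "$na") - $(to_epoch "$nb") ) / 86400 ))
}

# Print EXPIRED, EXPIRING (within $2 days, default 30) or OK. Uses openssl's
# own -checkend test so the clock comparison is not reimplemented here.
expiry_status() {
  warn_days=${2:-30}
  if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
    echo EXPIRED
  elif ! openssl x509 -in "$1" -noout -checkend $(( warn_days * 86400 )) >/dev/null 2>&1; then
    echo EXPIRING
  else
    echo OK
  fi
}

# Succeeds when the validity period is 825 days or shorter, i.e. the period
# NSX-T 3.2.x (below 3.2.3) gave CBM Corfu certificates rather than 100 years.
short_validity() {
  [ "$(validity_days "$1")" -le 825 ]
}

# One summary line per PEM file given on the command line.
report() {
  for cert in "$@"; do
    subject=$(openssl x509 -in "$cert" -noout -subject | sed 's/^subject= *//')
    flag=""
    short_validity "$cert" && flag=" (825-day validity: issued by pre-3.2.3 code)"
    echo "$cert: $subject: $(validity_days "$cert") days, $(expiry_status "$cert")$flag"
  done
}

if [ $# -gt 0 ]; then report "$@"; fi
```

A certificate reported as EXPIRED or EXPIRING with the 825-day flag and "Corfu Client" in its subject is the case this article describes, and the CARR script in the Resolution section is the supported way to replace it.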

Resolution

The CARR script can be used to resolve this issue. See Using Certificate Analyzer Resolver (CARR) Script to fix certificate related issues in NSX.

NOTE: When using the CARR script on CBM certificates in NSX 4.1.2 and below, folder/file permission issues may prevent the script from replacing the certificates on the first run; subsequent runs will replace them. If the expired certificates are still in use after the first run, run the script a second time.

Additional Information