• On NSX 4.1.x, Principial Identity associated with a certificate still authenticates successfully when the certificate expires
• On NSX 4.1.x, alarms may indicate the Principal Identity Certificate has expired
• On NSX 4.2.x, Principial Identity connections that worked on 4.1.x may no longer work

NSX 4.1.x

NSX 4.1 introduced Envoy for reverse-proxy. As part of these changes certificate expiry validation had an implementation issue. The impact of this issue may typically be observed post upgrade to NSX 4.2.x when the certificate expiry is correctly implemented and connections may no longer work.

This issue is resolved in VMware NSX 4.2.0 available at Broadcom Downloads.
If you are having difficulty finding and downloading software, please review the Download Broadcom products and software KB.