Unused Expired NSX Certificates
Article ID: 406369
Updated On:
Products
VMware NSX
Issue/Introduction
- Is there any impact to NSX Manager functionality if self signed cert are showing not in use?
- Are those self signed certificate required?
- If required how to renew the self signed cert which are not in use?
Environment
NSX 4.2.x
Cause
After replacing/renewing NSX certificates, either self-signed or CA-signed, there may be lingering expired certificates still present in the NSX UI.
CARR script does not delete unused certificates, this has to be performed manually.
Expired certificates that are unused can cause:
- Unnecessary alarms, indicating that a certificate may need to be replaced
- False report of which certificates are actually valid or have expired
Resolution
On the NSX UI, System > Certificates, if the "Used By" column shows zero, the certificate is not in use and can be safely deleted.
The following example outlines the procedure for removing unused certificates (both CA and self-signed):
- Log into the NSX UI with the admin credentials and ensure there is a recent backup of the NSX Managers by selecting System > Backup & Restore (please perform one prior to moving forward if a recent backup has not occurred).
- To view the certificates while still on the System tab, select Certificates.
- Verify that the certificate is expired and has zero in the Used By column.
It is recommended to validate that the unused and expired certificates have equivalent new certificates showing as in use from a previous successful replacement. - Select the certificate and click on the Actions drop down menu to select Delete Certificates:
- Refresh the NSX UI and confirm if the unused/expired certificate is still present.
- If the expired certificate is still present within the NSX UI, please open a support case with Broadcom Support and include the data below:
- Open a case: Creating and managing Broadcom support cases.
- Gather NSX Manager logs: Collect Support Bundles.
- Upload the NSX Manager logs and any screenshots that may have been taken during the attempted deletion process: Uploading files to cases on the Broadcom Support Portal.
- If the expired certificate is still present within the NSX UI, please open a support case with Broadcom Support and include the data below:
- Note: If the number of "Used By" for the expired certificate is greater than zero this indicates that the certificate is still in use with associated items in the NSX environment
To replace self-signed expired certificates in NSX (version dependent) please review Using Certificate Analyzer, Results and Recovery (CARR) Script to fix certificate related issues in NSX. Please note that the CARR script does not replace CA-Signed certificates. For CA-signed certificates please review Replace Certificates Through NSX Manager
Feedback
Yes
No
Powered by
