When running the CARR script, you may encounter the message:
"Host certificate on #<number> hosts will be replaced."
While this output includes the cluster name, it does not specify which ESXi hosts within the cluster have certificates nearing expiration. Additionally, it does not indicate how many days remain until those certificates expire.
Below is an example of the output generated by the CARR script.
+-------------------------+--------------------------------------------------------------+---------------------------------------------------------+
| HOST | ERROR : vcsa.example.com::ESX_Cluster1:: Certificate on | Host certificate on #8 hosts will be replaced. |
| | #8 hosts are expiring or have expired | |
| | | |
+-------------------------+--------------------------------------------------------------+---------------------------------------------------------+
VMware NSX
The CARR script detects any certificates that are set to expire within 825 days and reports them by default. For more detailed information, refer to the carr.log file located in the script directory. This log shows which transport nodes (TNs) in the cluster have expired or expiring certificates.
For example, the message "Host certificate on #8 hosts will be replaced" indicates that eight ESXi hosts in the ESX_Cluster1 cluster have certificates set to expire within 825 days. The details of these certificates are printed in the carr.log file located in the script directory.
To verify the host certificate details, including the expiry date, run the following command from the /etc/vmware/nsx directory on the transport node:
openssl x509 -in host-cert.pem -text -noout
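To get the per-host "days remaining" figure that the CARR summary line omits, the notAfter line printed by openssl x509 -noout -enddate can be parsed and compared with the 825-day window. The following is an added example, not part of the CARR script or of this KB; the host names and dates are constructed, and treating exactly 825 days as inside the window is an assumption.

```python
import subprocess
from datetime import datetime, timezone

WINDOW_DAYS = 825  # default reporting window stated in the article


def parse_not_after(line):
    """Parse 'notAfter=Jun  1 12:00:00 2026 GMT' as printed by openssl -enddate."""
    key, _, value = line.strip().partition("=")
    if key != "notAfter" or not value.endswith(" GMT"):
        raise ValueError(f"unexpected -enddate output: {line!r}")
    stamp = datetime.strptime(value[:-4], "%b %d %H:%M:%S %Y")
    return stamp.replace(tzinfo=timezone.utc)


def days_remaining(line, now):
    """Whole days until expiry (floored); negative once the certificate has expired."""
    return (parse_not_after(line) - now).days


def classify(days, window=WINDOW_DAYS):
    """Assumption: a certificate with exactly `window` days left counts as expiring."""
    if days < 0:
        return "EXPIRED"
    return "EXPIRING" if days <= window else "OK"


def read_enddate(cert_path="/etc/vmware/nsx/host-cert.pem"):
    """Run openssl against the certificate file on a transport node."""
    out = subprocess.run(["openssl", "x509", "-in", cert_path, "-noout", "-enddate"],
                         check=True, capture_output=True, text=True)
    return out.stdout


def report(enddates, now):
    """Return (host, days remaining, status) tuples, soonest expiry first."""
    rows = sorted(((h, days_remaining(l, now)) for h, l in enddates.items()),
                  key=lambda r: r[1])
    return [(h, d, classify(d)) for h, d in rows]


# Constructed sample: -enddate output collected from three hypothetical hosts.
SAMPLE = {
    "esx-01.example.com": "notAfter=Mar  9 08:15:00 2024 GMT",
    "esx-02.example.com": "notAfter=Jun 30 23:59:59 2026 GMT",
    "esx-03.example.com": "notAfter=Jan  1 00:00:00 2035 GMT",
}

if __name__ == "__main__":
    for host, days, status in report(SAMPLE, datetime.now(timezone.utc)):
        print(f"{host:22} {days:6d} days  {status}")
```

On a transport node, read_enddate() returns the same notAfter line for the local host-cert.pem, which can be passed straight to days_remaining().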
Reference KB: 369034