Unable to delete stale attachments of node associated with expired pks certificates

Article ID: 390651


Products

VMware NSX

Issue/Introduction

  • PKS (Pivotal Kubernetes Service) Principal Identity (PI) certificates have expired but still have nodes attached, which generates an alarm:

Note: A PKS PI certificate is a certificate used by PKS to securely authenticate to and manage NSX-T resources through its API, acting as a superuser.

  • In the NSX Manager, under System --> Certificates, there are expired PKS certificates which still have nodes attached:

  • When clicking 'where used' on that certificate, we can see it is attached to an NSX Manager node ID with the 'Client Auth' service (the same NSX Manager node ID already has a valid certificate with the 'Client Auth' service):

Environment

VMware NSX

Cause

  • These expired PKS PI certificates have the 'Client Auth' service attached to an NSX Manager node, and the same NSX Manager node has a valid (not expired) PKS certificate with the 'Client Auth' service.
  • This issue can occur when the certificate was replaced: the 'Client Auth' service could not be detached from the expired certificate at the time of replacement, so the expired certificate is still attached to a manager node and cannot be deleted.

Resolution

If you encounter this issue, run the CARR script attached to this KB: "Using Certificate Analyzer, Results and Recovery (CARR) Script to fix certificate-related issues in NSX".

If the issue persists after running the CARR script, please open a support request with Broadcom NSX support and reference this KB.

Additional Information

If you are opening a support request, please provide the carr.log produced by the script, along with:

  • A screenshot of the issue.
  • NSX manager logs.
  • Results of the following API call: GET https://<nsx-manager-ip>/api/v1/trust-management/certificates
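The situation described under Cause can be confirmed from the output of the API call above before the CARR script is run. The following script is an added example, not part of this KB or of the CARR script; it only reports and deletes nothing. It assumes (not stated in the KB) that each certificate object in the response carries a `used_by` list of `{"node_id", "service_types"}` entries, that the 'Client Auth' service appears there as `CLIENT_AUTH`, and that the call is made with `?details=true` so each object carries `details[0].not_after` as epoch milliseconds. The sample listing embedded in it is constructed; the IDs are not real NSX objects.

```python
"""Triage the NSX certificate listing for expired certificates still attached as
Client Auth to a manager node (the stale attachment this KB describes).

Input: the JSON body of
  GET https://<nsx-manager-ip>/api/v1/trust-management/certificates?details=true
Assumed (not from the KB) fields per certificate object:
  "used_by":  [{"node_id": "...", "service_types": ["CLIENT_AUTH", ...]}]
  "details":  [{"not_after": <epoch milliseconds>, ...}]
"""
import json
import sys
import time

CLIENT_AUTH = "CLIENT_AUTH"  # assumed service_types value for the 'Client Auth' service


def leaf_not_after(cert):
    """Expiry (epoch ms) of the leaf certificate, or None if details are absent."""
    details = cert.get("details") or []
    return details[0].get("not_after") if details else None


def is_expired(cert, now_ms):
    """True only when an expiry is known and lies in the past."""
    not_after = leaf_not_after(cert)
    return not_after is not None and not_after < now_ms


def nodes_using(cert, service):
    """Node IDs on which this certificate is attached for the given service."""
    return {
        u["node_id"]
        for u in cert.get("used_by", [])
        if service in u.get("service_types", [])
    }


def find_stale_client_auth(listing, now_ms):
    """Expired certificates still attached as CLIENT_AUTH to a manager node.

    'valid_replacement_present' is True when the same node already has a
    non-expired CLIENT_AUTH certificate, i.e. the replacement succeeded but the
    old attachment was never released, which is the case this KB covers.
    """
    certs = listing.get("results", [])

    # Nodes that already hold a valid (non-expired) Client Auth certificate.
    valid_nodes = set()
    for cert in certs:
        if not is_expired(cert, now_ms):
            valid_nodes |= nodes_using(cert, CLIENT_AUTH)

    findings = []
    for cert in certs:
        if not is_expired(cert, now_ms):
            continue
        for node_id in sorted(nodes_using(cert, CLIENT_AUTH)):
            findings.append({
                "certificate_id": cert["id"],
                "display_name": cert.get("display_name"),
                "node_id": node_id,
                "valid_replacement_present": node_id in valid_nodes,
            })
    return findings


# Constructed sample listing (IDs, names and node IDs are made up).
SAMPLE_LISTING = {
    "results": [
        {   # old PKS PI certificate: expired, still attached as Client Auth to node-A
            "id": "cert-pks-old", "display_name": "nsx-t-superuser-certificate",
            "used_by": [{"node_id": "node-A", "service_types": [CLIENT_AUTH]}],
            "details": [{"not_after": 1_600_000_000_000}],
        },
        {   # replacement PKS PI certificate: valid, attached as Client Auth to node-A
            "id": "cert-pks-new", "display_name": "nsx-t-superuser-certificate",
            "used_by": [{"node_id": "node-A", "service_types": [CLIENT_AUTH]}],
            "details": [{"not_after": 4_100_000_000_000}],
        },
        {   # expired certificate with no attachments: deletable in the normal way
            "id": "cert-unused", "display_name": "old-api-cert",
            "used_by": [],
            "details": [{"not_after": 1_500_000_000_000}],
        },
    ]
}


if __name__ == "__main__":
    # Usage: python triage.py saved_response.json   (no argument: use the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            listing = json.load(fh)
    else:
        listing = SAMPLE_LISTING
    now_ms = int(time.time() * 1000)
    print(json.dumps(find_stale_client_auth(listing, now_ms), indent=2))
```

A finding with `valid_replacement_present` set to true matches the Cause section exactly: the node already trusts a current certificate, so the expired entry is a leftover attachment rather than an active credential, and it is the entry to expect the CARR script to clean up. A finding with it set to false means the node has no valid Client Auth certificate at all, which is a different problem from this KB and should be raised with support.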


Related Articles:

How to renew the nsx-t-superuser-certificate used by Principal Identity user

How to delete orphan NSX-T objects protected by superuser

Stale and expired Principal Identity certificate attached to a non-existent service and can not be deleted using CARR script