• The environment runs NSX 4.1.0.2 or above, and was upgraded from NSX-T 3.2.x.
• NSX Alarms indicate certificates are expired or about to expire.
• The expiring certificates contain "Corfu Client" in their name.

• NSX Managers have many certificates for internal services.
  In NSX-T 3.2.x, Cluster Boot Manager (CBM) service certificates were incorrectly given a validity period of 825 days instead of 100 years.
  This was corrected to 100 years in NSX-T 3.2.3 and NSX 4.1.0.
  However, any environment previously running NSX-T 3.2.x (below 3.2.3) will have the internal CBM Corfu certificates expire after 825 regardless of upgrade to the fixed version or not.
• On NSX-T 3.2.x internal server certificates could expire, and no alarm would trigger. There was no functional impact.
  Starting from NSX 4.1.0.2, NSX alarms now monitor validity of internal certificates and will trigger for expired or soon to expire certificates.

Note: In NSX 4.1.x, there is no functional impact when an internal certificate expires, however alarms will continue to trigger.

The CARR script can be used to resolve this issue. See Using Certificate Analyzer Resolver (CARR) Script to fix certificate related issues in NSX.

The CARR script is now the preferred method to resolve this issue and replaces an older script called replace_certs_v1.7.py.

Related Articles:

K8S_MSG_CLIENT certificates can not be deleted after NAPP undeployment, causing expired certificate alarm