The appliance management interface can be used to add or remove certificates from the system certificate store.
HCX uses self-signed certificates for the HCX Manager Appliance Management interface (port 9443) and HCX Manager UI (port 443) appliances.
When upgrading to HCX 4.4.0 or later, HCX detects and rotates self-signed certificates nearing expiry.
If the HCX Manager certificate is set to expire in less than one year, a new certificate is generated that is shared between the Appliance Management interface and HCX Service UI appliances. Additionally, the common name (CN) for the self-signed certificate is changed from the current FQDN name to hcx.local.
HCX deployments never rotate the customer imported certificates.
If your environment uses a certificate monitoring system, that system must accept the new self-signed certificate.