The appliance management interface can be used to add or remove certificates from the system certificate store.

HCX uses self-signed certificates for the Appliance Management Interface (port 9443) and HCX Service UI (port 443) appliances. When upgrading to HCX 4.4.0 or later, HCX detects and rotates self-signed certificates nearing expiry.

If the HCX Manager certificate is set to expire in less than one year, a new certificate is generated that is shared between the Appliance Management Interface and HCX Service UI appliances. Additionally, the common name (CN) for the self-signed certificate is changed from the current FQDN name to hcx.local.

HCX deployments never rotate customer imported certificates.

If your environment uses a certificate monitoring system, that system must accept the new self-signed certificate.