This section explains about automatic certificate renewal.

You can choose to customize when certificate expiry notifications are sent; see the topic Certificate Management Integration for CSR Automation section. If the certificate management profile is configured for a certificate, a renewal is attempted in the last-but-one interval. By default, NSX Advanced Load Balancer Controller generates events 30 days, seven days, and one day before expiry. In this setting, certificate renewal will be attempted seven days before expiry.

If the certificate management profile is configured for automatic certificate renewal, a renewal is attempted just prior to the penultimate notification (in the above example, that will be just prior to the seven-day notification). If the renewal succeeds, the last two notifications are not sent. If the renewal fails, the penultimate notification is sent. Thereafter, if a manual renewal succeeds prior to the last notification, it is skipped. Otherwise, the final notification will be sent (with no accompanying final attempt to renew).

When a certificate renewal occurs, a new expiration date is set and yet another notification schedule is established per the values within the ssl_certificate_expiry_warning_days array in force at the time.