NSX Advanced Load Balancer enables you to customize when SSL certificate expiry notifications are triggered. The system expects a minimum of three notification days. By default, the alerts are triggered 30 days, seven days, and one day before expiry.

For instance, in the sequence below:

  1. The Controller's properties are first displayed.

  2. Two notification periods (45 days and 14 days) are specified and saved into the configuration.

  3. The revised Controller properties are displayed as confirmation.

Note:

The two new notification periods are automatically inserted and displayed in sequence.

[admin:10-10-26-52]: > configure controller properties
Updating an existing object. Currently, the object is:
+-----------------------------------------+---------+
| Field                                   | Value   |
+-----------------------------------------+---------+
| uuid                                    | global  |
| unresponsive_se_reboot                  | 300     |
| crashed_se_reboot                       | 900     |
| se_offline_del                          | 172000  |
| vs_se_create_fail                       | 1500    |
| vs_se_vnic_fail                         | 300     |
| vs_se_bootup_fail                       | 300     |
| se_vnic_cooldown                        | 120     |
| vs_se_vnic_ip_fail                      | 120     |
| fatal_error_lease_time                  | 120     |
| upgrade_lease_time                      | 360     |
| query_host_fail                         | 180     |
| vnic_op_fail_time                       | 180     |
| dns_refresh_period                      | 60      |
| se_create_timeout                       | 900     |
| max_dead_se_in_grp                      | 1       |
| dead_se_detection_timer                 | 360     |
| api_idle_timeout                        | 15      |
| allow_unauthenticated_nodes             | False   |
| cluster_ip_gratuitous_arp_period        | 60      |
| vs_key_rotate_period                    | 60      |
| secure_channel_controller_token_timeout | 60      |
| secure_channel_se_token_timeout         | 60      |
| max_seq_vnic_failures                   | 3       |
| vs_awaiting_se_timeout                  | 60      |
| vs_apic_scaleout_timeout                | 360     |
| secure_channel_cleanup_timeout          | 60      |
| attach_ip_retry_interval                | 360     |
| attach_ip_retry_limit                   | 4       |
| persistence_key_rotate_period           | 60      |
| allow_unauthenticated_apis              | False   |
| warmstart_se_reconnect_wait_time        | 300     |
| vs_se_ping_fail                         | 60      |
| se_failover_attempt_interval            | 300     |
| max_pcap_per_tenant                     | 4       |
| ssl_certificate_expiry_warning_days[1]  | 30 days |
| ssl_certificate_expiry_warning_days[2]  | 7 days  |
| ssl_certificate_expiry_warning_days[3]  | 1 days  |
| seupgrade_fabric_pool_size              | 20      |
| seupgrade_segroup_min_dead_timeout      | 360     |
+-----------------------------------------+---------+
[admin:10-10-26-52]: controllerproperties> ssl_certificate_expiry_warning_days 45
[admin:10-10-26-52]: controllerproperties> ssl_certificate_expiry_warning_days 14
[admin:10-10-26-52]: controllerproperties> save

+-----------------------------------------+---------+
| Field                                   | Value   |
+-----------------------------------------+---------+
| uuid                                    | global  |
| unresponsive_se_reboot                  | 300     |
| crashed_se_reboot                       | 900     |
| se_offline_del                          | 172000  |
| vs_se_create_fail                       | 1500    |
| vs_se_vnic_fail                         | 300     |
| vs_se_bootup_fail                       | 300     |
| se_vnic_cooldown                        | 120     |
| vs_se_vnic_ip_fail                      | 120     |
| fatal_error_lease_time                  | 120     |
| upgrade_lease_time                      | 360     |
| query_host_fail                         | 180     |
| vnic_op_fail_time                       | 180     |
| dns_refresh_period                      | 60      |
| se_create_timeout                       | 900     |
| max_dead_se_in_grp                      | 1       |
| dead_se_detection_timer                 | 360     |
| api_idle_timeout                        | 15      |
| allow_unauthenticated_nodes             | False   |
| cluster_ip_gratuitous_arp_period        | 60      |
| vs_key_rotate_period                    | 60      |
| secure_channel_controller_token_timeout | 60      |
| secure_channel_se_token_timeout         | 60      |
| max_seq_vnic_failures                   | 3       |
| vs_awaiting_se_timeout                  | 60      |
| vs_apic_scaleout_timeout                | 360     |
| secure_channel_cleanup_timeout          | 60      |
| attach_ip_retry_interval                | 360     |
| attach_ip_retry_limit                   | 4       |
| persistence_key_rotate_period           | 60      |
| allow_unauthenticated_apis              | False   |
| warmstart_se_reconnect_wait_time        | 300     |
| vs_se_ping_fail                         | 60      |
| se_failover_attempt_interval            | 300     |
| max_pcap_per_tenant                     | 4       |
| ssl_certificate_expiry_warning_days[1]  | 45 days |
| ssl_certificate_expiry_warning_days[2]  | 30 days |
| ssl_certificate_expiry_warning_days[3]  | 14 days |
| ssl_certificate_expiry_warning_days[4]  | 7 days  |
| ssl_certificate_expiry_warning_days[5]  | 1 days  |
| seupgrade_fabric_pool_size              | 20      |
| seupgrade_segroup_min_dead_timeout      | 360     |
+-----------------------------------------+---------+

To remove any of the warning_days entries, use the no form of the command within the configure session. For instance:

[admin:10-10-26-52]: controllerproperties> no ssl_certificate_expiry_warning_days 14
[admin:10-10-26-52]: controllerproperties> no ssl_certificate_expiry_warning_days 1
[admin:10-10-26-52]: controllerproperties> save

Note:

Add as many warning_days entries as required. However, when removing them, NSX Advanced Load Balancer will reject any attempt to reduce the number of entries below three.
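
The following is an added example, not part of the product or its documentation: a Python check that reads the ssl_certificate_expiry_warning_days rows from a property table like the ones above, confirms the three-entry minimum, and lists the dates on which notifications would fire for one certificate. The sample rows, the certificate expiry date, and the required_lead policy value are constructed assumptions.

```python
import re
from datetime import date, timedelta

# Constructed sample: the relevant rows of the property table shown above.
SAMPLE_TABLE = """\
| max_pcap_per_tenant                     | 4       |
| ssl_certificate_expiry_warning_days[1]  | 45 days |
| ssl_certificate_expiry_warning_days[2]  | 30 days |
| ssl_certificate_expiry_warning_days[3]  | 14 days |
| ssl_certificate_expiry_warning_days[4]  | 7 days  |
| ssl_certificate_expiry_warning_days[5]  | 1 days  |
| seupgrade_fabric_pool_size              | 20      |
"""

ROW = re.compile(
    r"^\|\s*ssl_certificate_expiry_warning_days\[(\d+)\]\s*\|\s*(\d+)\s+days?\s*\|$")
MIN_ENTRIES = 3  # the page states the system expects at least three entries

def parse_warning_days(table_text):
    """Return the warning-day values, in index order, from CLI table text."""
    found = {}
    for line in table_text.splitlines():
        m = ROW.match(line.strip())
        if m:
            found[int(m.group(1))] = int(m.group(2))
    return [found[i] for i in sorted(found)]

def check_policy(days, required_lead=30):
    """Return findings; required_lead is a hypothetical local renewal policy."""
    findings = []
    if len(days) < MIN_ENTRIES:
        findings.append(f"only {len(days)} entries, expected >= {MIN_ENTRIES}")
    if days and max(days) < required_lead:
        findings.append(f"earliest warning {max(days)}d < policy {required_lead}d")
    return findings

def notification_dates(days, not_after):
    """Map each warning-day value to the calendar date it would fire on."""
    return {d: not_after - timedelta(days=d) for d in sorted(days, reverse=True)}

if __name__ == "__main__":
    days = parse_warning_days(SAMPLE_TABLE)
    print(check_policy(days) or "policy OK")
    # Constructed certificate expiry date, for illustration only.
    for d, when in notification_dates(days, date(2025, 3, 31)).items():
        print(f"{d:>3} days before expiry -> {when.isoformat()}")
```
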