You can replace the self-signed or the self-signed CA apppliance certificates that have expired or about to expire through the NSX Manager or through the Certifcate APIs. Note that you can replace only those certifiactes that have a private key and are valid. You can replace a certificate by an auto-generated self-signed certificate or by a new certificate.