NSX generates alarms when a certificate is nearing its expiry or if a certificate has already expired. Service certificates generate an alarm only if expiring or expired and in use by a component. Non-service certificates always generate an alarm, whether in use or not.
NSX generates alarms under following events. The defaults are listed below, but are configurable.
- Medium severity alarm starting 30 day before certificate expiry.
- High severity alarm starting 7 days prior to expiry.
- Critical severity alarm after certificate expires.
Certificate Expiry alarms contains details on certificate ID, severity, node, first/last report time, and recommended action.
As a remedial, you must replace the expiring External Platform certificate with a new valid certificate and delete expiring certificate.