A known issue affecting certain NSX environments may begin surfacing as early as May 2025, with potential disruptions from June 2025 onward. This issue relates to Transport Node (TN) certificates created with a shorter-than-expected validity period.
If your environment is running NSX versions 4.1.x through 4.2.0, it’s worth reviewing the details and taking proactive steps now—before this becomes a critical situation.
⚠️ Issue Summary
In NSX 3.x, Transport Nodes (including Edges and Hosts) are deployed with NSX certificates valid for 10 years.
However, in NSX 4.1.x through 4.2.0, there is a known issue where these certificates are instead created with a validity of only 825 days. This affects:
All greenfield deployments on these versions.
Upgraded environments where additional capacity was added or Transport Nodes were redeployed.
Importantly:
Upgrading NSX does not replace these certificates.
There is no UI-based method for certificate replacement.
The certificates are not visible in the NSX UI.
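Because the Transport Node certificates are not shown in the UI, the practical way to inventory them is to collect each node's certificate dates (for example with `openssl x509 -noout -dates`) and sort nodes by validity period. The script below is an added example, not code from the original post and not the CARR script: it parses such date output, flags certificates whose validity matches the 825-day pattern described above, and orders the flagged nodes by days remaining. Node names, the inventory contents and the reference date are constructed for illustration.

```python
"""Classify NSX Transport Node certificates by validity period.

Added example (not from the original post, not the CARR script): given the
`openssl x509 -noout -dates` output for each node's certificate, report
whether the validity period matches the 825-day pattern and how many days
remain before expiry. All sample values below are constructed.
"""
from datetime import datetime, timezone

# Validity period the post describes for affected 4.1.x-4.2.0 nodes (days)
SHORT_VALIDITY_DAYS = 825
# Tolerance when matching the 825-day period (issuance-time jitter)
TOLERANCE_DAYS = 2
# Constructed reference time used by the worked example and its checks
REFERENCE_NOW = datetime(2025, 4, 20, tzinfo=timezone.utc)


def parse_openssl_date(value: str) -> datetime:
    """Parse 'Mar  1 10:00:00 2023 GMT' (openssl -dates style) into an aware UTC datetime."""
    fields = value.split()  # split() also collapses the double space before days 1-9
    if fields[-1] != "GMT":
        raise ValueError(f"unexpected time zone in {value!r}")
    naive = datetime.strptime(" ".join(fields[:-1]), "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone.utc)


def parse_dates_output(text: str) -> tuple:
    """Extract (notBefore, notAfter) from `openssl x509 -noout -dates` output."""
    not_before = not_after = None
    for line in text.splitlines():
        if line.startswith("notBefore="):
            not_before = parse_openssl_date(line[len("notBefore="):])
        elif line.startswith("notAfter="):
            not_after = parse_openssl_date(line[len("notAfter="):])
    if not_before is None or not_after is None:
        raise ValueError("missing notBefore/notAfter line")
    return not_before, not_after


def classify(node: str, dates_output: str, now: datetime) -> dict:
    """Summarise one node's certificate: validity length, days left, and whether
    it matches the short-lived pattern that needs remediation."""
    not_before, not_after = parse_dates_output(dates_output)
    validity_days = (not_after - not_before).days
    return {
        "node": node,
        "validity_days": validity_days,
        "days_left": (not_after - now).days,
        "short_lived": abs(validity_days - SHORT_VALIDITY_DAYS) <= TOLERANCE_DAYS,
        "expired": now >= not_after,
    }


def nodes_needing_remediation(inventory: dict, now: datetime) -> list:
    """Return names of nodes with an 825-day certificate, soonest expiry first."""
    rows = [classify(name, output, now) for name, output in inventory.items()]
    flagged = [r for r in rows if r["short_lived"]]
    flagged.sort(key=lambda r: r["days_left"])
    return [r["node"] for r in flagged]


# Constructed sample inventory: node name -> `openssl x509 -noout -dates`
# output for that node's NSX certificate (hypothetical node names and dates).
SAMPLE_INVENTORY = {
    "edge-01": "notBefore=Mar  1 10:00:00 2023 GMT\nnotAfter=Jun  3 10:00:00 2025 GMT\n",
    "esx-07": "notBefore=Jan 15 08:30:00 2021 GMT\nnotAfter=Jan 13 08:30:00 2031 GMT\n",
    "esx-12": "notBefore=Sep 10 12:00:00 2024 GMT\nnotAfter=Dec 14 12:00:00 2026 GMT\n",
}

if __name__ == "__main__":
    for name, output in SAMPLE_INVENTORY.items():
        row = classify(name, output, REFERENCE_NOW)
        status = "REMEDIATE" if row["short_lived"] else "ok"
        print(f"{name:8} validity={row['validity_days']:5}d "
              f"left={row['days_left']:5}d expired={row['expired']} {status}")
    print("remediation order:", nodes_needing_remediation(SAMPLE_INVENTORY, REFERENCE_NOW))
```

In a real environment the inventory would be built from the date output gathered on each node; the classification logic stays the same. Sorting by days left gives a natural order for scheduling replacements well ahead of the built-in alarms, and the `expired` flag separates nodes that can still be handled while connected from those that will need individual treatment.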
🔔 NSX Will Alert You (But Only Close to Expiry)
NSX provides built-in alarms that will trigger close to the certificate expiration date:
The CARR script can only remediate TNs that are still connected to NSX.
If a certificate expires and the TN disconnects, replacement must be performed individually on each node.
Engineering is reportedly working on improved scripting options for disconnected TNs.
💡 Recommendation
If you’re managing an environment on NSX 4.1.x to 4.2.0:
Run the CARR script in dry run mode to check for impacted TNs.
Replace any at-risk certificates before expiry—no need to wait for alarms.
Schedule certificate remediation proactively, especially if your Transport Nodes were deployed or redeployed after February 2023.
This is one of those issues where early action can prevent a major headache down the line. Being proactive now can save you from unexpected node disconnections and reactive troubleshooting later.