These certificates *appear* to be Root CA certificates that are expiring and as far as I can tell are not being renewed, but I have been working with my account team on this exact same issue and am awaiting a response from NetApp as to what the official word will be on these expiring certificates. When I hear back, I'll update this thread with their guidance. 

I had been told to follow the steps in https://kb.netapp.com/app/answers/answer_view/a_id/1032196/loc/en_US#__highlight  (delete the current certificates, then create new ones with the same name/attributes) which just seems weird.  

these certs used for web services (https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-cmpr-930%2Fvserver__services__web__show.html)  that enabled on the data vserver. if the data vserver dosen't have management LIFs (abd the services will not show in the command above) or you don't have a client that need to access these services directly on the vserver. you can just disable ssl for this vserver and delete the certs.

if you want to renew it from external Microsoft CA - see my answer here:

https://community.netapp.com/t5/Data-ONTAP-Discussions/ONTAP-and-Windows-CA-signed-certificate-HOW-TO/td-p/144026

alternatively, use the article provided by @Stormont and generate a self singed cert

Guidance from our NetApp SE is that they are not needed (at least for our environment, you'll want to verify in yours) and to let them expire, then delete them a few weeks later once there is no confirmed impact. 

Hello,
according to the KB, do you agree that certificates not shown with "security ssl show" are not in use and can be safely removed?

I'm somewhat blown away that NetApp hasn't addressed this clearly in a KB article. I just opened a case this morning and the techs I've spoken with so far seem to only be familiar with the SSL renewal process, which we've done. I'm on vacation all week so hopefully I'll get an answer today! Please post if someone has insight on this topic.

Interestingly enough it actually prevents you from setting up a new cluster. You get the following error on a brand new system:

Vserver Management .Error: Failed to add the Cserver record in RDB . The certificate has expired.

I had to put the system date back to 6/1/2019 to create the cluster.

They're tracking the setup/upgrade issue in 1250500. Fix versions (9.3P14, 9.5P6, 9.6 GA) should be available next week.

Question: how will people (such as myself) upgrade to 9.4 before upgrading to 9.5 without a patch for this issue in 9.4 code?