SingleNode must be completely restored from the backup.
For HA-Pair you can failover to a secondary box that is not compromised. However, make sure that the CVE responder is installed.
set system user nsroot –password [New Password]
set authentication ldapAction [ActionName] –ldapBindDnPassword [New Password]
set authentication ldapAction [ActionName] -PasswdChange ENABLED
add ssl certKey [CertName] -cert [CertFile] -key [KeyFile] -password [New Passphrase]
bind ssl vserver [VServerName] -certkeyName [CertName]