1. Install and configure the certificate authority
Prerequisite: Active Directory Certificate Services must be installed on Windows Server 2016 or 2019 (other versions have not been tested) and the server must be joined to the domain. If you do not have such an environment, refer instead to the NSX self-signed certificate method to add a certificate.
1. Install Certificate Services
Open Server Manager, click Manage in the upper right corner and then Add Roles and Features, and install both the Certification Authority and Certification Authority Web Enrollment roles as shown in the following example.
2. Configure the certificate authority
Notice: do not select the SHA1 hash algorithm, as it is not supported in NSX-T 3.x!
Set the validity period of the CA certificate according to security requirements. It is recommended to set it to 5 years.
3. Configure NSX certificate template
Open Server Manager, then open the Tools menu in the upper right corner > Certification Authority.
Select Certificate Templates, right-click and choose Manage.
Find the Web Server certificate template, right-click it and select Duplicate Template.
Configure the Compatibility settings.
On the General tab, change the Template display name and the Validity period.
On the Extensions tab, select Basic Constraints, click Edit, check Enable this extension, and confirm to exit once the configuration is complete.
Close the window and return to Certification Authority.
Select Certificate Templates, right-click and choose New > Certificate Template to Issue.
In the window that opens, select the template you just created and click OK.
At this point, the installation and configuration of the certificate service and the addition of the NSX certificate template are completed.
2. Apply for a certificate
1. Generate certificate signing request file
Create .cnf file
First, create a .cnf file for each management node and management cluster VIP and use OpenSSL to generate the corresponding CSR file based on the .cnf file. Later, use the CSR file to apply for the corresponding certificate from the certificate authority and import it into NSX Manager to complete the replacement.
Example: NSX management node one (nsxmgr01.cnf)
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[ req_distinguished_name ]
countryName = 填写国家
stateOrProvinceName = 填写 州或省名称
localityName = 填写地区
organizationName = 填写组织机构
commonName = NSX-Manager01
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = NSX-Manager01
Example: NSX management node two (nsxmgr02.cnf)
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[ req_distinguished_name ]
countryName = 填写国家
stateOrProvinceName = 填写 州或省名称
localityName = 填写地区
organizationName = 填写组织机构
commonName = NSX-Manager02
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = NSX-Manager02
Example: NSX management node three (nsxmgr03.cnf)
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[ req_distinguished_name ]
countryName = 填写国家
stateOrProvinceName = 填写 州或省名称
localityName = 填写地区
organizationName = 填写组织机构
commonName = NSX-Manager03
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = NSX-Manager03
Example: NSX management cluster VIP (nsxmgr.cnf)
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[ req_distinguished_name ]
countryName = 填写国家
stateOrProvinceName = 填写 州或省名称
localityName = 填写地区
organizationName = 填写组织机构
commonName = NSX-Manager
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = NSX-Manager
Generate .csr certificate request file and key
Upload the .cnf file to any management node, and use OpenSSL to generate .csr and .key files corresponding to the .cnf file.
Example:
openssl req -nodes -newkey rsa:2048 -keyout nsxmgr01.key -config nsxmgr01.cnf -out nsxmgr01.csr
openssl req -nodes -newkey rsa:2048 -keyout nsxmgr02.key -config nsxmgr02.cnf -out nsxmgr02.csr
openssl req -nodes -newkey rsa:2048 -keyout nsxmgr03.key -config nsxmgr03.cnf -out nsxmgr03.csr
openssl req -nodes -newkey rsa:2048 -keyout nsxmgr.key -config nsxmgr.cnf -out nsxmgr.csr
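As an added example (not from the article), the following script writes the four request configs above from one function instead of four hand-edited copies, generates each key and CSR with the same openssl command shown above, and checks that the subjectAltName actually made it into the request before it is submitted to the CA. The DN values are constructed samples, and the optional FQDN argument (emitted as DNS.2) goes beyond the article's single short-name SAN so the certificate also matches clients that connect by fully qualified name.

```shell
#!/bin/sh
# Added helper, not part of the original article. Assumes openssl on PATH.
# The DN values below are constructed sample values; replace them with your own.

# write_nsx_cnf NAME OUT [FQDN] : write the OpenSSL request config for one node or the cluster VIP.
# NAME becomes the CN and DNS.1 as in the article; an optional FQDN is added as DNS.2.
write_nsx_cnf() {
  name=$1; out=$2; fqdn=${3:-}
  cat > "$out" <<EOF
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[ req_distinguished_name ]
countryName = CN
stateOrProvinceName = Example Province
localityName = Example City
organizationName = Example Org
commonName = $name
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = $name
EOF
  if [ -n "$fqdn" ]; then echo "DNS.2 = $fqdn" >> "$out"; fi
}

# make_csr BASE : BASE.cnf -> BASE.key + BASE.csr, the same invocation as in the article.
# -nodes leaves the private key unencrypted, so restrict the key file to the owner right away.
make_csr() {
  openssl req -nodes -newkey rsa:2048 -keyout "$1.key" -config "$1.cnf" -out "$1.csr" >/dev/null 2>&1 &&
  chmod 600 "$1.key"
}

# csr_has_san CSR NAME : 0 if NAME is present as a DNS SAN in the request. Check this before
# submitting: a CSR that lost its SAN yields a certificate that browsers will not match to the host.
csr_has_san() {
  openssl req -in "$1" -noout -text | grep -qw "DNS:$2"
}

# generate_all DIR : produce the four config/key/CSR sets from the article (three nodes plus the VIP)
generate_all() {
  dir=${1:-.}
  for pair in nsxmgr01:NSX-Manager01 nsxmgr02:NSX-Manager02 nsxmgr03:NSX-Manager03 nsxmgr:NSX-Manager; do
    base=${pair%%:*}; name=${pair#*:}
    write_nsx_cnf "$name" "$dir/$base.cnf" &&
    make_csr "$dir/$base" &&
    csr_has_san "$dir/$base.csr" "$name" || { echo "failed: $base" >&2; return 1; }
  done
}

if [ "$#" -ge 1 ]; then generate_all "$1"; fi   # usage: sh gen_nsx_csr.sh /path/to/outdir
```

Run it with an output directory as the only argument, then upload the resulting .csr files to the CA web enrollment page in step 2 and keep the .key files for the import in step 3.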
2. Apply for the certificate files
Use your browser to log in to the CA web enrollment page http://ip/certsrv/
Click Download a CA certificate, certificate chain, or CRL.
Save the downloaded CA certificate for later use
Return to the home page and click Request a certificate > advanced certificate request.
Paste the contents of the .csr file into the Saved Request text box, select the previously created NSX certificate template under Certificate Template, and click Submit.
Choose Base 64 encoded and click Download certificate.
At this point you have a .cer certificate file. Repeat the same steps to request and download each of the other certificate files. Notice: rename each downloaded certificate file with its corresponding file name so they can be told apart.
3. Replace NSX certificate
1. Import the certificates
From a browser, log in to NSX Manager with administrator privileges at https://nsx-manager-ip-address and open the System > Settings > Certificates page.
First import the CA root certificate
Click Import > Import CA Certificate.
Enter a name for the CA root certificate and paste the content of the downloaded CA certificate into the Certificate Contents text box, or click Browse to open and upload the CA certificate file.
Turn off Service Certificate and click the Import button.
Import the three NSX-T management node and management cluster VIP certificates in sequence.
Click Import > Import Certificate.
Notice! Certificate Contents: paste the complete certificate chain in the following order:
-----BEGIN CERTIFICATE-----
NSX-T Manager/Node cert
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Root CA Cert
-----END CERTIFICATE-----
Service Certificate: No
Repeat the above steps to import the three NSX-T management node and management cluster VIP certificates respectively. Please check and confirm in the certificate list when the certificate import is completed.
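An added shell helper, not from the article, for assembling the chain in the order just described and checking it before it is pasted into the import dialog: node certificate first and root CA second, the first issued by the second, the node certificate verifying against the CA, no SHA1 signature (the notice from step 1), and the private key from the CSR step belonging to the certificate. The file names in the usage line are assumptions; the .cer files are taken as Base 64 (PEM) downloads from certsrv, with DER accepted as a fallback.

```shell
#!/bin/sh
# Added helper, not part of the original article. Assumes openssl on PATH.

# pem_of FILE : print the certificate as one PEM block (accepts PEM or DER input)
pem_of() {
  openssl x509 -in "$1" 2>/dev/null || openssl x509 -inform DER -in "$1"
}

# build_chain NODE_CERT CA_CERT OUT : write OUT in the order NSX expects, node cert first, root CA second
build_chain() {
  { pem_of "$1" && pem_of "$2"; } > "$3"
}

# nth_cert FILE N : print only the N-th PEM block of a bundle
nth_cert() {
  awk -v want="$2" '/-----BEGIN CERTIFICATE-----/{n++} n==want' "$1"
}

# uses_sha1 CERT : 0 if the certificate carries a SHA1 signature (not accepted by NSX-T 3.x)
uses_sha1() {
  openssl x509 -in "$1" -noout -text | grep -q 'Signature Algorithm: sha1'
}

# check_chain CHAIN : 0 only if CHAIN has exactly two blocks, block 1 is issued by block 2,
# block 2 is self-signed (a root, not an intermediate), block 1 verifies against it,
# and neither block is SHA1-signed
check_chain() {
  chain=$1
  n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$chain")
  if [ "$n" -ne 2 ]; then echo "expected 2 certificates, found $n" >&2; return 1; fi
  tmp=$(mktemp -d) || return 1
  nth_cert "$chain" 1 > "$tmp/leaf.pem"
  nth_cert "$chain" 2 > "$tmp/root.pem"
  rc=0
  leaf_issuer=$(openssl x509 -in "$tmp/leaf.pem" -noout -issuer | sed 's/^issuer=//')
  root_subject=$(openssl x509 -in "$tmp/root.pem" -noout -subject | sed 's/^subject=//')
  root_issuer=$(openssl x509 -in "$tmp/root.pem" -noout -issuer | sed 's/^issuer=//')
  if [ "$leaf_issuer" != "$root_subject" ]; then
    echo "block 1 is not issued by block 2: wrong order or wrong CA" >&2; rc=1
  elif [ "$root_subject" != "$root_issuer" ]; then
    echo "block 2 is not self-signed: it is an intermediate, not the root CA" >&2; rc=1
  elif ! openssl verify -CAfile "$tmp/root.pem" "$tmp/leaf.pem" >/dev/null 2>&1; then
    echo "node certificate does not verify against the supplied CA" >&2; rc=1
  elif uses_sha1 "$tmp/leaf.pem" || uses_sha1 "$tmp/root.pem"; then
    echo "SHA1 signature present; NSX-T 3.x will not accept it" >&2; rc=1
  fi
  rm -rf "$tmp"
  return $rc
}

# key_matches_cert KEY CERT : 0 if the private key generated with the CSR belongs to CERT,
# comparing the DER-encoded public keys of both
key_matches_cert() {
  tmp=$(mktemp -d) || return 1
  if openssl pkey -in "$1" -pubout -outform DER > "$tmp/key.der" 2>/dev/null &&
     openssl x509 -in "$2" -noout -pubkey 2>/dev/null | openssl pkey -pubin -outform DER > "$tmp/cert.der" 2>/dev/null &&
     cmp -s "$tmp/key.der" "$tmp/cert.der"; then rc=0; else rc=1; fi
  rm -rf "$tmp"
  return $rc
}

if [ "$#" -eq 3 ]; then   # usage: sh check_chain.sh nsxmgr01.cer ca.cer nsxmgr01-chain.pem
  build_chain "$1" "$2" "$3" && check_chain "$3" && echo "$3: chain OK"
fi
```

Run `key_matches_cert nsxmgr01.key nsxmgr01.cer` as well before importing; a mismatched key is the usual cause of an import that succeeds but a node that then fails to serve the new certificate.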
2. Replace (activate) certificate
Reference: the Replace Certificates chapter of the VMware NSX-T Data Center product documentation.
After the new certificate is uploaded to NSX-T Manager, you need to use the REST API to complete the replacement and activate the new certificate.
Get certificate ID:
From a browser, log in to NSX Manager with administrator privileges, open the Certificates page, find the certificate to be activated in the certificate list, and click its ID cell to view the complete certificate ID.
Certificate replacement can be done with curl (or another API debugging tool), or by logging in to a management node as the root user and running the command that sends the POST request.
You can verify that the certificate is valid before replacing it by making the following API call:
GET https://<nsx-mgr>/api/v1/trust-management/certificates/<certificate-id>?action=validate
Replace the management node certificate:
curl -k -u <user>:<password> -X POST "https://<nsxt-fqdn>/api/v1/node/services/http?action=apply_certificate&certificate_id=<certificate-id>"
Replace the management cluster VIP certificate:
curl -k -u <user>:<password> -X POST "https://<NSX_Manager>/api/v1/cluster/api-certificate?action=set_cluster_certificate&certificate_id=<certificate-id>"
To replace the principal identity certificate for NSX Federation (and the LOCAL_MANAGER certificate), use the following API call: POST https://<nsx-mgr>/api/v1/trust-management/certificates?action=set_pi_certificate_for_federation.
For example:
POST https://<nsx-mgr>/api/v1/trust-management/certificates?action=set_pi_certificate_for_federation
{ "cert_id": "<id>",
"service_type": "LOCAL_MANAGER" }
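The validate-then-apply sequence described above, as an added shell example that is not part of the article or of VMware's tooling. It assumes the NSX_MGR, NSX_USER and NSX_PASS environment variables, curl and openssl on PATH, and that the validate call answers with a JSON body whose `status` field is `OK` for a usable certificate (an assumption about the response shape); `-k` is kept as in the curl commands above because the manager still presents its self-signed certificate until the replacement is done.

```shell
#!/bin/sh
# Added example, not part of the original article. Assumes NSX_MGR (FQDN or IP), NSX_USER and
# NSX_PASS in the environment, and curl and openssl on PATH. The {"status": "OK"} response
# shape of the validate call is an assumption.

# nsx_http METHOD PATH : call the NSX Manager API; prints the body, then the HTTP status on the last line.
# -k is used because the manager still presents its self-signed certificate before the replacement;
# once the CA-issued certificate is active, replace it with --cacert ca.cer.
nsx_http() {
  curl -sS -k -u "$NSX_USER:$NSX_PASS" -X "$1" -H 'Accept: application/json' \
       -w '\n%{http_code}' "https://$NSX_MGR$2"
}

# validate_cert CERT_ID : 0 only if the manager reports the uploaded certificate (and its chain) as valid
validate_cert() {
  resp=$(nsx_http GET "/api/v1/trust-management/certificates/$1?action=validate") || return 1
  code=$(printf '%s\n' "$resp" | tail -n 1)
  body=$(printf '%s\n' "$resp" | sed '$d')
  [ "$code" = "200" ] && printf '%s' "$body" | grep -q '"status" *: *"OK"'
}

# apply_node_cert CERT_ID : activate CERT_ID for the HTTP service of the node NSX_MGR points at
apply_node_cert() {
  code=$(nsx_http POST "/api/v1/node/services/http?action=apply_certificate&certificate_id=$1" | tail -n 1)
  [ "$code" = "200" ]
}

# apply_cluster_cert CERT_ID : activate CERT_ID for the management cluster VIP
apply_cluster_cert() {
  code=$(nsx_http POST "/api/v1/cluster/api-certificate?action=set_cluster_certificate&certificate_id=$1" | tail -n 1)
  [ "$code" = "200" ]
}

# replace_cert node|cluster CERT_ID : never activate a certificate that fails validation; an invalid
# certificate on the API/UI endpoint means a manager you can no longer reach over HTTPS
replace_cert() {
  scope=$1; id=$2
  case $scope in node|cluster) ;; *) echo "usage: replace_cert node|cluster CERT_ID" >&2; return 2 ;; esac
  if ! validate_cert "$id"; then echo "certificate $id failed validation, not applying" >&2; return 1; fi
  if [ "$scope" = node ]; then apply_node_cert "$id"; else apply_cluster_cert "$id"; fi
}

# served_cert_subject HOST : after the replacement, show what the endpoint actually presents
served_cert_subject() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null | openssl x509 -noout -subject -issuer
}

if [ "$#" -eq 2 ]; then replace_cert "$1" "$2"; fi   # usage: sh replace_cert.sh node <certificate-id>
```

Run `replace_cert node <certificate-id>` once per management node with NSX_MGR pointing at that node, then `replace_cert cluster <certificate-id>` once against the VIP, and finish with `served_cert_subject <fqdn>` to confirm the issuer is now your CA rather than the NSX self-signed one.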
To replace the NSX-T certificate in self-signed mode, please refer to the link: