Brief description:
As shown in the above figure, there are three types of certificates in this environment that are about to expire and need to be replaced:
1. NSX Manager cluster/VIP (mp cluster) certificate: used together with the cluster virtual IP, one certificate per cluster.
Used for UI/API communication with the VIP of a global or local manager cluster.
2. NSX Manager node Tomcat certificate: used for the IP of a single manager node, on the global manager and on each local manager.
Used for UI/API communication with a single global manager node and with the local manager nodes added to each location of the global manager.
There are three manager nodes in this environment: Manager01/Manager02/Manager03.
3. NSX Federation PI (LocalManager) certificate: used between the NSX Global Manager and a Local Manager.
For a local manager, this is the PI certificate of that specific local manager.
This article describes how to replace the expiring certificates using NSX self-signed certificates.
Part 1. Generate a self-signed certificate
From a browser, log in to the NSX Manager at https:// with administrator privileges.
Select System>Certificates.
Click on the CSR tab.
Click Generate CSR.
Fill in the CSR file details.
Click Generate.
The custom CSR will appear as a link.
Choose a CSR.
Select Actions > Self-Signed Certificate for CSR.
Enter the number of days the self-signed certificate is valid.
The default value is 825 days. Even if you change this value for a previously generated self-signed certificate, the default value appears again each time you generate a new certificate.
Click Add.
Result
The self-signed certificate will appear in the Certificates tab.
Part 2. Replace the certificate
Log in to NSX Manager with administrator privileges, select "System > Certificates", find the cell containing the ID of the certificate to be replaced, and double-click it to view the complete ID.
You can verify that the certificate is valid before replacing it by making the following API call:
GET https://<nsx-mgr>/api/v1/trust-management/certificates/<certificate-id>?action=validate
Open the "ApiPost7" tool (download link).
Change the method to "POST" and enter the address:
https://<nsx-mgr>/api/v1/trust-management/certificates?action=set_pi_certificate_for_federation
In the Header tab, set the parameter name (Key) to "Content-Type" and the parameter value (Value) to "application/json".
In the Body tab, select "Raw" and set the data type to "json".
Fill in the text below:
{ "cert_id": "<certificate-id>", "service_type": "LOCAL_MANAGER" }
In the Authentication tab, select Basic auth and fill in the NSX Manager administrator account and password.
After checking that the configuration is correct, click the "Send" button.
Verification phase:
If the replacement succeeds, the newly generated certificate is shown in the "Where Used" column in newer versions of the NSX Manager UI.
In earlier versions without the "Where Used" column, the certificate usage can be obtained through the API.
For example:
Get all certificates:
https://<nsx-mgr>/api/v1/trust-management/certificates
Get a single certificate:
https://<nsx-mgr>/api/v1/trust-management/certificates/<certificate-id>
In the returned result, check the "used_by" -> "node_id" entries: the node UUIDs that previously appeared under the old certificate now appear under the newly generated one.
After the certificate replacement is complete, the old certificate can be deleted in the NSX Manager UI once it is confirmed to be no longer in use. If the certificate is still in use, deletion fails with an error that it is used by the MP node:
Repeat the above steps to generate and replace the other certificates.
You can also log in to any manager node as the root user and run the replacement commands below, or use the "ApiPost" tool.
Replace the management node certificate:
curl -k -u admin:password -X POST "https://<nsx-mgr>/api/v1/node/services/http?action=apply_certificate&certificate_id=<certificate-id>"
Replace the management cluster IP certificate:
curl -k -u admin:password -X POST "https://<nsx-mgr>/api/v1/cluster/api-certificate?action=set_cluster_certificate&certificate_id=<certificate-id>"
To replace the principal identity certificate for NSX Federation (the LOCAL_MANAGER certificate), use the following API call:
POST https://<nsx-mgr>/api/v1/trust-management/certificates?action=set_pi_certificate_for_federation
For example:
POST https://<nsx-mgr>/api/v1/trust-management/certificates?action=set_pi_certificate_for_federation
{ "cert_id": "<id>",
"service_type": "LOCAL_MANAGER" }
At this point, the certificate replacement is completed.
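As an added example (not part of the original article and not NSX's own tooling), the following Python script covers the verification phase of the procedure above: it builds the set_pi_certificate_for_federation request body with a check against unreplaced "<certificate-id>" placeholders, parses a GET /api/v1/trust-management/certificates response into a certificate-to-node usage map, and reports whether the new certificate is referenced and whether the old one can be deleted without the "in use by MP node" error. The response field names and the service type strings are my assumption about the NSX-T certificate object, and the sample response is constructed for the example.

```python
import json
import sys
from typing import Dict, List, Tuple

# Constructed sample of a GET /api/v1/trust-management/certificates response,
# cut down to the fields this example reads. The field names ("results", "id",
# "used_by", "node_id", "service_types") and the service type strings are an
# assumption about the NSX-T certificate object; compare them with the real
# output of your NSX Manager version before relying on them.
SAMPLE_RESPONSE = json.dumps({
    "results": [
        # old Federation PI certificate: nothing references it any more
        {"id": "old-pi-cert-0000", "used_by": []},
        # new Federation PI certificate, now bound to the local manager node
        {"id": "new-pi-cert-1111",
         "used_by": [{"node_id": "lm-node-uuid-1",
                      "service_types": ["LOCAL_MANAGER"]}]},
        # Tomcat certificate still serving Manager01's API
        {"id": "mgr01-tomcat-2222",
         "used_by": [{"node_id": "manager01-uuid", "service_types": ["API"]}]},
    ]
})

PI_ENDPOINT = "/api/v1/trust-management/certificates?action=set_pi_certificate_for_federation"


def is_valid_cert_id(cert_id: str) -> bool:
    """Reject empty IDs and unreplaced "<certificate-id>" placeholders, the
    usual copy-and-paste mistake when filling in the request body."""
    return bool(cert_id) and not (cert_id.startswith("<") and cert_id.endswith(">"))


def pi_certificate_body(cert_id: str, service_type: str = "LOCAL_MANAGER") -> str:
    """Build the JSON body the article sends to PI_ENDPOINT from ApiPost."""
    if not is_valid_cert_id(cert_id):
        raise ValueError("cert_id must be the full certificate ID copied from the UI")
    return json.dumps({"cert_id": cert_id, "service_type": service_type})


def certificate_usage(response_json: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map each certificate ID to the (node_id, service_type) pairs using it."""
    data = json.loads(response_json)
    usage: Dict[str, List[Tuple[str, str]]] = {}
    for cert in data.get("results", []):
        entries = []
        for user in cert.get("used_by", []):
            for service in user.get("service_types", []):
                entries.append((user["node_id"], service))
        usage[cert["id"]] = entries
    return usage


def replacement_status(response_json: str, old_id: str, new_id: str) -> dict:
    """Answer the two questions of the verification phase: is the new
    certificate referenced by a node, and can the old one be deleted without
    the "in use by MP node" error?"""
    usage = certificate_usage(response_json)
    return {
        "new_in_use": usage.get(new_id, []),
        "old_still_used": usage.get(old_id, []),
        # only safe when the old certificate is listed and nothing references it
        "old_safe_to_delete": old_id in usage and not usage[old_id],
    }


if __name__ == "__main__":
    # Pipe the output of
    #   curl -k -u admin "https://<nsx-mgr>/api/v1/trust-management/certificates"
    # into this script; without stdin data it falls back to the constructed sample.
    raw = sys.stdin.read() if not sys.stdin.isatty() else ""
    if not raw.strip():
        raw = SAMPLE_RESPONSE
    for cert_id, users in certificate_usage(raw).items():
        print(cert_id, "->", users or "unused")
    print(replacement_status(raw, "old-pi-cert-0000", "new-pi-cert-1111"))
```

Run it against the real response with: curl -k -u admin "https://<nsx-mgr>/api/v1/trust-management/certificates" | python3 check_certs.py (the file name is arbitrary). Leaving the password out after "-u admin" makes curl prompt for it instead of recording it in shell history and the process list, which the admin:password form in the commands above does; "-k" skips TLS verification and is needed only because the manager presents a self-signed certificate.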
To replace the NSX-T certificate with a CA-signed certificate, please refer to the link: