VMware NSX Replace expiring Principal Identity certificates for the Cloud Service Manager (CSM) and Public Cloud Gateway (PCG)
Article ID: 317172

Products

VMware NSX

Issue/Introduction

  • You have VMware NSX deployed and a Cloud Service Manager (CSM) deployed to manage the cloud infrastructure, along with Public Cloud Gateway (PCG).
  • You have expiring certificate(s) used for Principal Identity (PI).
  • The PI is used for CSM and PCG connectivity.


Purpose:
To provide detailed steps to replace the Principal Identity certificates for both the Cloud Service Manager (CSM) and the Public Cloud Gateway (PCG).


Environment

VMware NSX
VMware NSX-T Data Center

Cause

When the Principal Identity certificates for the Cloud Service Manager (CSM) and Public Cloud Gateway (PCG) expire, connectivity is lost between the NSX Management plane and the PCG, and between the CSM and the PCG.

Resolution

  • Download the attached file containing the updated scripts for all NSX nodes (MP, CSM, PCGs) and copy it to the /tmp directory of each node on which you are going to update certificates.
  • Unzip the file.
  • Run the command cd certs to enter the directory.
  • The directory should contain these six scripts:
    • csm_cert.sh
    • pcg_cert.sh
    • update_csm_cert_on_mp.py
    • update_pcg_cert_on_mp.py
    • update_csm_cert_on_pcg.sh
    • update_pcg_cert_on_csm.py

Steps to replace the CSM certificate.
First, create a new CSM certificate.

  1. Log in as root on CSM and cd to the /tmp directory.
  2. Use the following command to generate the new certificate for the CSM.

    bash csm_cert.sh

  3. Copy the contents of the csm.cert file created by running the script.

    cat csm.cert (and copy the output into a notepad)

    NOTE: The script csm_cert.sh also runs the script update_csm_cert_on_mp.py, which is essential for NSX Manager ↔ CSM connectivity.

  4. Update the new CSM certificate details on the PCG(s) (essential for PCG ↔ CSM connectivity).
    1. Log in as root on the PCG and create a new file named csm.cert. Command: vim csm.cert
    2. Paste the contents copied to the notepad in step 3 into csm.cert and save the file.
    3. Run the script update_csm_cert_on_pcg.sh. Command: bash update_csm_cert_on_pcg.sh
    4. Repeat on all PCGs in the environment.


Steps to replace PCG certificates.

  1. Create a new PCG certificate (repeat on all PCGs in the setup).
    1. Log in as root on the PCG.
    2. Run the pcg_cert.sh script on the PCG to generate the new certificate. Command: bash pcg_cert.sh
    3. Copy the contents of pcm.cert and the thumbprint(s) created by running the script above. Command: cat pcm.cert (and copy the output into a notepad).
  2. Update this new PCG certificate on NSX Manager (repeat for all PCGs in the setup; essential for NSX Manager ↔ PCG connectivity).
    1. Log in as root on the primary MP and create a new file named pcm.cert. Command: vim pcm.cert
    2. Paste the contents copied to the notepad in step 1.3 into pcm.cert and save the file.
    3. Run the script update_pcg_cert_on_mp.py. Command: python3 update_pcg_cert_on_mp.py
  3. Update the new PCG certificate details on the CSM (essential for CSM ↔ PCG connectivity).
    1. Log in as root on the CSM.
    2. Run the script update_pcg_cert_on_csm.py. Command: python3 update_pcg_cert_on_csm.py
    3. Provide the thumbprint(s) generated in step 1.3 as input when the script prompts for them.
  4. Restart the PCM service from the PCG root shell: service nsx-public-cloud-manager restart (repeat on all PCGs).
  5. Restart the CSM service from the CSM root shell: service nsx-cloud-service-manager restart
  6. (Optional) Re-trigger the Add-manager-account workflow in the CSM UI.
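Because both procedures move certificate contents between nodes by copy and paste, a damaged paste or a stale file is the usual reason the update scripts fail. The helper below is an added example, not one of the KB's attached scripts; it assumes openssl is on the appliance's PATH and that the thumbprint the scripts print is the SHA-256 fingerprint of the certificate (an assumption, not stated by the KB). Source it on the node, then run pi_cert_check csm.cert <thumbprint> (or pcm.cert) before running the update script.

```shell
#!/usr/bin/env bash
# Added example, not part of the KB's attached scripts. Sanity-checks a
# Principal Identity certificate file (csm.cert / pcm.cert) on the node
# where it was generated and again after pasting it onto another node.
# Assumes: openssl is on PATH, and the thumbprint the scripts print is
# the SHA-256 fingerprint of the certificate (assumption, not from the KB).

# Print the SHA-256 thumbprint as lower-case hex without colons.
pi_cert_thumbprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null \
        | sed -e 's/^.*=//' -e 's/://g' | tr 'A-F' 'a-f'
}

# Succeed only if the certificate stays valid for at least $2 more days.
pi_cert_valid_for_days() {
    days="${2:-0}"
    openssl x509 -in "$1" -noout -checkend $(( days * 86400 )) >/dev/null 2>&1
}

# Check that $1 parses as a PEM certificate, is not expired, and (when $2
# is given) has the expected thumbprint. Returns 0 on success.
pi_cert_check() {
    file="$1"; expected="${2:-}"
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }
    actual=$(pi_cert_thumbprint "$file")
    if [ -z "$actual" ]; then
        echo "$file: not a parsable PEM certificate (damaged paste?)" >&2
        return 1
    fi
    if ! pi_cert_valid_for_days "$file" 0; then
        echo "$file: certificate has already expired" >&2
        return 1
    fi
    if [ -n "$expected" ]; then
        # Accept the thumbprint with or without colons, in either case.
        expected=$(printf '%s' "$expected" | tr -d ':' | tr 'A-F' 'a-f')
        if [ "$actual" != "$expected" ]; then
            echo "$file: thumbprint $actual does not match expected $expected" >&2
            return 1
        fi
    fi
    echo "$file: OK sha256=$actual"
}
```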

Attachments

update-certificates