Scripted process to Replace Expired or Self-signed VMware NSX-T Manager Certificates with VMCA-Signed Certificates

Article ID: 317900

Products

VMware Cloud Foundation
VMware NSX

Issue/Introduction

Generating a Certificate Signing Request (CSR), having the VMware Certificate Authority (VMCA) sign it, and then importing and deploying the resulting certificate involves a lot of manual work and a series of REST API calls.
This KB provides a script that automates the entire process.

Symptoms:
The NSX-T Managers and the NSX-T VIP have expired or self-signed certificates.
  • Expired certificates cannot be replaced through a management interface such as the SDDC Manager; they have to be replaced directly on the NSX-T Managers.
  • SDDC Manager does not trust self-signed certificates, so they need to be replaced with VMCA-signed certificates.

Environment

VMware NSX-T 3.x
VMware NSX 4.x

Cause

Expired or self-signed certificates on the NSX-T Manager nodes raise alarms and may impact workflows that depend on a trusted certificate, such as those driven by the VCF SDDC Manager.

Resolution

NOTE: The script needs to be run on the vCenter (Compute Manager) registered to the VMware NSX Managers; confirm which vCenter this is in the NSX Manager UI under System, Fabric, Compute Managers.

The script only replaces the Manager Node certificate and the Cluster (VIP) certificate; it is not intended to be used for any other certificates.

The script is available to download from this KB.

Script Usage:

To see the syntax and the available options, run python nsxtVmcaCert.py with no arguments.

  1. Download the script nsxtVmcaCert.py (rename the downloaded file so that its name matches the one listed in this KB) and copy it to the vCenter connected to the VMware NSX environment. If you encounter trouble copying the script to vCenter, KB 326317 explains how to enable SCP for root on vCenter so that the script can be copied.
  2. Run the script with the FQDN of the manager node or the VIP and the appropriate flag, and supply the password for the admin user:
    1. Command for NSX-T Manager node certificate replacement; repeat for each manager node in the cluster:
      # python nsxtVmcaCert.py -f <nsxt_manager_fqdn> -m
    2. You will be prompted for the VMware NSX Manager admin user's password; enter it to proceed.
    3. Command for the Cluster VIP; this only needs to be run against one manager:
      # python nsxtVmcaCert.py -f <nsxt_vip_fqdn> -v


The script needs to be re-run for each VMware NSX Manager, and for the VIP, whose certificate needs replacing.

For example:
If there are 3 VMware NSX Manager nodes and a VIP is configured, the script must be run 4 times:

python nsxtVmcaCert.py -f <nsx-manager-node1-fqdn> -m

python nsxtVmcaCert.py -f <nsx-manager-node2-fqdn> -m

python nsxtVmcaCert.py -f <nsx-manager-node3-fqdn> -m

python nsxtVmcaCert.py -f <cluster-vip-fqdn-address> -v

NOTE: The FQDN of each NSX Manager node can be verified with the API call below; the same FQDN value must be passed to the Python script when replacing the certificates:
GET https://<NSX-Manager-IP>/api/v1/cluster

Additional Information

Note: Update any second-party products (such as vROps, vRLI, etc.) and third-party products that integrate with the NSX Managers so that they accept the new certificates.


HASH Info:

The hashes listed are only valid for the current version of the file.
Date hash added: 12/11/2024
If the file is updated, a new hash will need to be added.

The current version is nsxtVmcaCert.py
MD5SUM: efb626dc0bc58c66fc6d331a9e071b2c
SHA256SUM: 02cf092d4cd370ea5a2d0b5af0cec922299c6e78a742da1ea0386c7344470195
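As an added example that is not part of this KB or of the nsxtVmcaCert.py script itself, the POSIX shell wrapper below ties the Script Usage steps to the hash information above: it checks the copied script against the published SHA256 before executing it, then runs it with -m for each manager node and once with -v for the VIP. The DRY_RUN and EXPECTED_SHA256 variables and the example FQDNs are assumptions of this wrapper, not part of the KB.

```shell
#!/bin/sh
# Added example, not the KB's own script: a wrapper that checks the downloaded
# nsxtVmcaCert.py against the SHA256 published in this KB before running it,
# then runs it once per manager node (-m) and once for the cluster VIP (-v).
# Assumes sha256sum is present on the vCenter appliance and that the script
# prompts for the admin password itself, so it must be run interactively.

# SHA256 published in the KB (hash added 12/11/2024). Set EXPECTED_SHA256 to
# override it if the KB publishes a newer file and hash.
KB_SHA256="02cf092d4cd370ea5a2d0b5af0cec922299c6e78a742da1ea0386c7344470195"

# verify_script_hash FILE EXPECTED_SHA256 -> 0 if the file matches, 1 if not.
verify_script_hash() {
    file="$1"; expected="$2"
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 1; }
    actual=$(sha256sum "$file" | awk '{print $1}')
    if [ "$actual" != "$expected" ]; then
        echo "hash mismatch for $file: got $actual, expected $expected" >&2
        return 1
    fi
    return 0
}

# run_cmd CMD ARGS... -> runs the command, or only prints it when DRY_RUN=1.
# stdin is left untouched so the script's own password prompt still works.
run_cmd() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "[dry-run] $*"; return 0; fi
    echo "running: $*"
    "$@" || { echo "failed: $*" >&2; return 1; }
}

# rotate_certs SCRIPT VIP_FQDN NODE_FQDN... -> verifies the hash, then runs the
# script with -m for every manager node and finally with -v for the VIP
# (3 nodes + VIP = 4 runs, as in the KB example). Stops at the first failure.
rotate_certs() {
    script="$1"; vip="$2"; shift 2
    verify_script_hash "$script" "${EXPECTED_SHA256:-$KB_SHA256}" || return 1
    for node in "$@"; do
        run_cmd python "$script" -f "$node" -m || return 1
    done
    run_cmd python "$script" -f "$vip" -v
}

# Example invocation with constructed placeholder FQDNs (replace with your own):
# DRY_RUN=1 rotate_certs nsxtVmcaCert.py nsx-vip.example.test nsx-1.example.test nsx-2.example.test nsx-3.example.test
```

Run it once with DRY_RUN=1 to confirm the hash check passes and the four planned commands are correct before running it for real.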

Attachments

nsxtVmcaCert.py