Scripted process to replace expired or self-signed VMware NSX Manager Certificates with VMCA-Signed Certificates
Article ID: 317900
Updated On:
Products
Issue/Introduction
There are expired certificates or self-signed certificates on the NSX Managers and NSX VIP:
- Due to expired certificates - these cannot be replaced by a management interface like the SDDC Manager. They have to replaced directly on the NSX Managers.
- Due to self-signed certificates - SDDC Manager does not trust the certificate, and therefore needs to be replaced with a VMCA signed certificate.
Environment
- VMware NSX-T Data Center
- VMware NSX
Cause
Resolution
-
NOTES:
- The script must be run on the vCenter Server (Compute Manager) registered with the VMware NSX Managers. Confirm under: System > Fabric > Compute Managers.
- The script will only replace the Manager Node Certificate and Cluster (VIP) certificate; it is not intended for use with any other certificates.
- The script is available to download from this KB article.
Script Usage:
To see the syntax and commands available, run: python nsxVmcaCert.py
- Download the script: nsxtVmcaCert.py
- Copy the script to the vCenter Server (Compute Manager) connected to your VMware NSX environment using WinSCP
NOTE: If you encounter trouble copying the script to vCenter, the instructions in Connecting to vCenter Server Virtual Appliance using WinSCP fails with the error: will help enable SCP for root on vCenter Server (Compute Manager), allowing you to copy the script to the vCenter Server (Compute Manager). - Run the script with the FQDN of each NSX manager node or the VIP, with the appropriate flags, and supply the password for the admin user.
NOTES:- The FQDN for the NSX manager can be verified with the below API call, and the same FQDN value must be passed to run the Python script for replacing the certificates: GET https://<NSX-Manager-IP>/api/v1/cluster
- The script must be executed for each VMware NSX Manager and the corresponding VIP FQDN that requires the certificate replacement.
For example: If there are three VMware NSX Manager nodes and a VIP configured, the script needs to be run four times:python nsxtVmcaCert.py -f <nsx-manager-node1-fqdn> -mpython nsxtVmcaCert.py -f <nsx-manager-node2-fqdn> -mpython nsxtVmcaCert.py -f <nsx-manager-node3-fqdn> -mpython nsxtVmcaCert.py -f <cluster-vip-fqdn-address> -v-
Command for NSX Manager, node certificate replacement. Repeat for each manager node in the cluster: # python nsxtVmcaCert.py -f <nsx_manager_fqdn> -m
- You will be prompted for the VMware NSX manager admin user's password. Enter it to proceed.
- Command for the Cluster VIP FQDN; only need to run against one manager: # python nsxtVmcaCert.py -f <nsxt_vip_fqdn> -v
- You will be prompted for the VMware NSX manager admin user's password. Enter it to proceed.
-
Additional Information
- Administration Guide to replacing certificates in VMware NSX-T 3.0
- Administration Guide to replacing certificates in VMware NSX-T 3.1
- Administration Guide to replacing certificates in VMware NSX-T 3.2
- Administration Guide to replacing certificates in VMware NSX 4.0
- Administration Guide to replacing certificates in VMware NSX 4.2
The hashes listed are only valid for the current version of nsxtVmcaCert.py.
Date hash updated: July 18,2025
MD5SUM: d3eb72e39b186c2029060bdc40497ef0
SHA256SUM: b3316bc3c3f988dafd8ddb1a746f986d10edc7b3c4ec13e1fdb90c4485a976df
If the NSX Manager is configured with a short hostname, or if the input to the script was not a case sensitive match to the manager's hostname, the script will fail with:
Failed to get the UUID associated with the name ######. Ensure the manager's hostname is set to the fully qualified domain name and the input to this command matches (including case).The affected NSX Manager's hostname can be updated to a FQDN by executing the following from the CLI: set hostname <FQDN>
Attachments
Feedback
