Replacing local manager certificate in a non federated VMware NSX-T environment

Article ID: 324385


Products

VMware NSX

Issue/Introduction

  • Replace an expired LOCAL_MANAGER certificate on a standalone local manager cluster that has never been, and is not currently, part of a Federation.
  • Symptom: the local manager certificate is reported as expired.

Environment

VMware NSX-T Data Center 3.2


Cause

Prior to VMware NSX 4.1.x, every new installation included a Principal Identity certificate for Federation of type LOCAL_MANAGER, even when Federation was not in use. Because nothing renews it, that certificate eventually expires and the manager reports an expired local manager certificate.

Starting in VMware NSX 4.1, the LOCAL_MANAGER Principal Identity certificate is generated only when a Local Manager is onboarded to a Global Manager.

Resolution

Option 1:

  1. Back up the NSX-T Manager.
  2. In the NSX-T WebUI, create a new self-signed certificate with the same name as the expired local manager certificate. In NSX-T 3.2, make sure the Service Certificate toggle is off.
  3. Note the ID of the new certificate and apply it to the LOCAL_MANAGER service through the API.
    • For 3.2 and later, use the following API call:
      POST https://<local-mgr>/api/v1/trust-management/certificates/<new-cert-id>?action=apply_certificate&service_type=LOCAL_MANAGER
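The following script performs step 3 end to end: it lists the manager's certificates, identifies the certificate currently bound to LOCAL_MANAGER and whether it has expired, picks the freshly created replacement by display name, issues the apply_certificate call from this article, and re-reads the listing to confirm the binding changed. It is an added example, not a script from this KB or from VMware. Beyond the URL shown above, it assumes the listing endpoint GET /api/v1/trust-management/certificates returns objects with `used_by[].service_types` and `details[].not_after`, that `NOT_AFTER_FMT` matches the date string your manager returns, and that the host, credentials, certificate names and `SAMPLE_LISTING` are placeholders and constructed data to be replaced for a real run.

```python
"""Replace the LOCAL_MANAGER certificate on an NSX-T 3.2 manager.

Added example, not a script from this KB or from VMware. Assumptions (not from
the KB): the certificate listing's 'used_by[].service_types' and
'details[].not_after' fields, the NOT_AFTER_FMT date format, and every
placeholder value below. SAMPLE_LISTING is constructed data, not real output.
"""
import base64
import json
import ssl
import urllib.parse
import urllib.request
from datetime import datetime, timezone

MANAGER = "local-mgr.example.com"   # placeholder
USERNAME = "admin"                  # placeholder
PASSWORD = "changeme"               # placeholder
CA_BUNDLE = None                    # placeholder: path to the CA that signed the manager's TLS cert
CERT_NAME = "local-manager"         # display name of the expired cert and its replacement
NOT_AFTER_FMT = "%a %b %d %H:%M:%S %Z %Y"  # assumed format of details[].not_after


def build_apply_url(manager, cert_id, service_type="LOCAL_MANAGER"):
    """The apply_certificate call from this KB, with both parameters URL-encoded."""
    query = urllib.parse.urlencode({"action": "apply_certificate",
                                    "service_type": service_type})
    path = urllib.parse.quote(cert_id, safe="")
    return f"https://{manager}/api/v1/trust-management/certificates/{path}?{query}"


def bound_to(listing, service_type="LOCAL_MANAGER"):
    """Certificates whose used_by entries list service_type (the one currently applied)."""
    return [c for c in listing.get("results", [])
            if any(service_type in u.get("service_types", []) for u in c.get("used_by", []))]


def is_expired(cert, now):
    """True if any details[].not_after of the certificate is at or before now."""
    for detail in cert.get("details", []):
        not_after = datetime.strptime(detail["not_after"], NOT_AFTER_FMT)
        if not_after.replace(tzinfo=timezone.utc) <= now:
            return True
    return False


def pick_replacement(listing, display_name, now):
    """ID of the single unexpired certificate named display_name that is not yet
    bound to LOCAL_MANAGER (the self-signed cert created in step 2).
    Refuses to guess when zero or several certificates match."""
    already_bound = {c["id"] for c in bound_to(listing)}
    matches = [c["id"] for c in listing.get("results", [])
               if c.get("display_name") == display_name
               and c["id"] not in already_bound
               and not is_expired(c, now)]
    if len(matches) != 1:
        raise ValueError(f"expected one unbound, unexpired certificate named "
                         f"{display_name!r}, found {len(matches)}")
    return matches[0]


def api(method, url):
    """Basic-auth request to the manager. TLS verification stays on; point
    CA_BUNDLE at your CA rather than disabling it."""
    token = base64.b64encode(f"{USERNAME}:{PASSWORD}".encode()).decode()
    req = urllib.request.Request(url, method=method,
                                 headers={"Authorization": f"Basic {token}",
                                          "Content-Type": "application/json"})
    ctx = ssl.create_default_context(cafile=CA_BUNDLE)
    with urllib.request.urlopen(req, context=ctx) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else {}


# Constructed sample listing: the expired cert bound to LOCAL_MANAGER, its
# freshly created replacement, and an unrelated API certificate.
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed "now" for the sample
SAMPLE_LISTING = {"results": [
    {"id": "11111111-1111-4111-8111-111111111111", "display_name": "local-manager",
     "used_by": [{"node_id": "mgr-1", "service_types": ["LOCAL_MANAGER"]}],
     "details": [{"not_after": "Thu Jun 01 00:00:00 UTC 2023"}]},
    {"id": "22222222-2222-4222-8222-222222222222", "display_name": "local-manager",
     "used_by": [],
     "details": [{"not_after": "Fri Jun 05 00:00:00 UTC 2026"}]},
    {"id": "33333333-3333-4333-8333-333333333333", "display_name": "api-cert",
     "used_by": [{"node_id": "mgr-1", "service_types": ["API"]}],
     "details": [{"not_after": "Fri Jun 05 00:00:00 UTC 2026"}]},
]}


def main():
    now = datetime.now(timezone.utc)
    list_url = f"https://{MANAGER}/api/v1/trust-management/certificates"
    listing = api("GET", list_url)
    for cert in bound_to(listing):
        print("currently bound:", cert["id"], "expired" if is_expired(cert, now) else "valid")
    new_id = pick_replacement(listing, CERT_NAME, now)
    print("applying", build_apply_url(MANAGER, new_id))
    api("POST", build_apply_url(MANAGER, new_id))
    # Verify: the new certificate must now appear as the LOCAL_MANAGER binding.
    if not any(c["id"] == new_id for c in bound_to(api("GET", list_url))):
        raise SystemExit("apply_certificate returned but the new cert is not bound")


if __name__ == "__main__":
    main()
```

Run it after the backup in step 1 and the WebUI creation in step 2. The display-name match is deliberately strict: if the old certificate was already deleted, or two unexpired certificates carry the same name, `pick_replacement` stops rather than binding the wrong one, and the final re-read catches an apply call that was accepted but not applied.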

Option 2: 

Use the CARR script to replace the certificates; refer to Using Certificate Analyzer, Results and Recovery (CARR) Script to fix certificate related issues in NSX.

Additional Information