This article provides instructions for renewing the certificate used by the NSX-T principal identity (PI) user that Tanzu Kubernetes Grid Integrated Edition (TKGI) creates. This principal identity holds the enterprise_admin role in NSX-T, so the new certificate and its private key must be handled as highly privileged credentials.
Symptoms:
The Ops Manager API reports the NSX-T superuser certificate as expiring soon. For example, querying the certificates that expire within three months:
https://<Opsman FQDN/IP>/api/v0/deployed/certificates?expires_within=3m
returns output similar to the following:
{
"configurable": true,
"is_ca": false,
"property_reference": ".properties.network_selector.nsx.nsx-t-superuser-certificate",
"property_type": "rsa_cert_credentials",
"product_guid": "pivotal-container-service-942e24a1e535XXXXXXXX",
"location": "ops_manager",
"variable_path": null,
"issuer": "/CN=tkgi-nsx-t-superuser",
"valid_from": "2020-07-02T13:41:10Z",
"valid_until": "2021-07-02T13:41:10Z"
}
Using the ID of the current superuser certificate in NSX-T (in this example, cbfd03e6-44fc-42df-bc71-b771XXXXXXXX), find the principal identity it is bound to:
curl -X GET -u 'admin:<Password>' -k https://<NSX Manager FQDN>/api/v1/trust-management/principal-identities | jq -r '.results[]| select(.certificate_id == "<Certificate-ID>")'
Note: The -k flag disables TLS verification of the NSX Manager. On a production network, pass the NSX Manager CA certificate with --cacert instead, here and in the later curl commands.
You will see output similar to the following:
{
"name": "tkgi-nsx-t-superuser",
"node_id": "tkgi",
"permission_group": "undefined",
"role": "enterprise_admin",
"certificate_id": "cbfd03e6-44fc-42df-bc71-b771XXXXXXXX",
"is_protected": true,
"resource_type": "PrincipalIdentity",
"id": "89819c8b-de0e-4c52-8fa4-dc3bXXXXXXXX",
"display_name": "tkgi-nsx-t-superuser@tkgi",
"tags": [],
"_create_user": "admin",
"_create_time": 1593697486134,
"_last_modified_user": "admin",
"_last_modified_time": 1593697486134,
"_system_owned": false,
"_protection": "NOT_PROTECTED",
"_revision": 0
}
Note: Make a note of the id value; this is the principal identity ID (not the certificate ID). In this example, it is 89819c8b-de0e-4c52-8fa4-dc3bXXXXXXXX.
Create a working directory, for example nsxt-pi-cert, and change into it:
mkdir ~/nsxt-pi-cert
cd ~/nsxt-pi-cert
Download the create_certificate.sh.zip file attached to this article and extract its contents (create_certificate.sh). Copy this script to the system from which you will run the commands, then edit the variables at the top of the script:
Set NSX_MANAGER to the NSX-T Manager IP address.
Set NSX_USER to the "admin" account.
Set PI_NAME to a new, unique display name for the certificate (for example pks-nsx-t-superuser1); the later lookup by display name relies on it matching exactly one certificate. Set the certificate and key file names and the -subj CN to the same value:
NSX_MANAGER="<NSX Manager IP>"
NSX_USER="admin"
PI_NAME="pks-nsx-t-superuser1"
NSX_SUPERUSER_CERT_FILE="pks-nsx-t-superuser1.crt"
NSX_SUPERUSER_KEY_FILE="pks-nsx-t-superuser1.key"
-subj /CN=pks-nsx-t-superuser1
Make the script executable:
chmod +x create_certificate.sh
Run the script. Enter the NSX-T admin password when prompted:
./create_certificate.sh
You will see output similar to the following:
Password: Generating a 2048-bit RSA private key
....+++
.........................................................................................................+++
writing the new private key to 'pks-nsx-t-superuser1.key'
-----
{
"results" : [ {
"pem_encoded" : "-----BEGIN CERTIFICATE-----\nMII.........laV\n-----END CERTIFICATE-----\n",
"used_by" : [ ],
"resource_type" : "certificate_self_signed",
"id" : "670c81d9-d1e2-4d7f-941a-d08dXXXXXXXX",
"display_name" : "pks-nsx-t-superuser1",
"tags" : [ ],
"_create_user" : "admin",
"_create_time" : 1601567107129,
"_last_modified_user" : "admin",
"_last_modified_time" : 1601567107129,
"_system_owned" : false,
"_protection" : "NOT_PROTECTED",
"_revision" : 0
} ]
}
Note: The script uploads the new certificate to NSX-T with the display name set to PI_NAME. Because the certificate is self-signed, its issuer and subject are both /CN=<PI_NAME>; in this example, pks-nsx-t-superuser1.
Note: The script also creates two local files, pks-nsx-t-superuser1.crt and pks-nsx-t-superuser1.key. Keep a copy of both; they are used later to update the TKGi/PKS tile with the new NSX-T superuser certificate. The .key file is the private key of an enterprise_admin principal identity: restrict its permissions (for example chmod 600), store it only where it is needed, and remove it from the working system once the tile has been updated.
Get the "id" value of the new nsx-t-superuser certificate by running a command similar to the following:
curl -X GET -u 'admin:<Password>' -k https://<NSX Manager FQDN>/api/v1/trust-management/certificates | jq -r '.results[] | select(.display_name == "<New-Cert-Displayname>")'
Note: Replace <New-Cert-Displayname> with the PI_NAME value used previously.
You will see output similar to the following:
{
"pem_encoded": "-----BEGIN CERTIFICATE-----\nMII........laV\n-----END CERTIFICATE-----\n",
"used_by": [],
"resource_type": "certificate_self_signed",
"id": "670c81d9-d1e2-4d7f-941a-d08dXXXXXXXX",
"display_name": "pks-nsx-t-superuser1",
"tags": [],
"_create_user": "admin",
"_create_time": 1601567107129,
"_last_modified_user": "admin",
"_last_modified_time": 1601567107129,
"_system_owned": false,
"_protection": "NOT_PROTECTED",
"_revision": 0
}
Note: Make a note of the new nsx-t-superuser certificate ID. In this example, the value is "670c81d9-d1e2-4d7f-941a-d08dXXXXXXXX".
Bind the new nsx-t-superuser-certificate to the Principal ID
Create a bind.json file containing the principal identity ID obtained earlier and the ID of the new nsx-t-superuser certificate. The two values must not be swapped: principal_identity_id is the PI's own id, certificate_id is the new certificate's id.
{
"principal_identity_id": "<Principal-ID>",
"certificate_id": "<New-Certificate-ID>"
}
Using the values in this example, the file would look like the following:
{
"principal_identity_id": "89819c8b-de0e-4c52-8fa4-dc3bXXXXXXXX",
"certificate_id": "670c81d9-d1e2-4d7f-941a-d08dXXXXXXXX"
}
Run a command similar to the following to bind the certificate to the principal identity:
curl -X POST -u 'admin:<Password>' -k https://<NSX Manager FQDN>/api/v1/trust-management/principal-identities?action=update_certificate -H "Content-Type: application/json" -H "X-Allow-Overwrite: true" -d @bind.json
You will see output similar to the following:
{
"name" : "tkgi-nsx-t-superuser",
"node_id" : "tkgi",
"permission_group" : "undefined",
"role" : "enterprise_admin",
"certificate_id" : "670c81d9-d1e2-4d7f-941a-d08dXXXXXXXX",
"is_protected" : true,
"resource_type" : "PrincipalIdentity",
"id" : "89819c8b-de0e-4c52-8fa4-dc3bXXXXXXXX",
"display_name" : "tkgi-nsx-t-superuser@tkgi",
"tags" : [ ],
"_create_user" : "admin",
"_create_time" : 1593697486134,
"_last_modified_user" : "admin",
"_last_modified_time" : 1601591521902,
"_system_owned" : false,
"_protection" : "NOT_PROTECTED",
"_revision" : 1
}
Verify that the principal identity now references the new certificate:
curl -X GET -u 'admin:<Password>' -k https://<NSX Manager FQDN>/api/v1/trust-management/principal-identities | jq -r '.results[]| select(.id == "<Principal-ID>")'
You will see output similar to the following:
{
"name": "tkgi-nsx-t-superuser",
"node_id": "tkgi",
"permission_group": "undefined",
"role": "enterprise_admin",
"certificate_id": "670c81d9-d1e2-4d7f-941a-d08dXXXXXXXX", <<<<< The new nsx-t-superuser certificate ID obtained above
"is_protected": true,
"resource_type": "PrincipalIdentity",
"id": "89819c8b-de0e-4c52-8fa4-dc3bXXXXXXXX",
"display_name": "tkgi-nsx-t-superuser@tkgi",
"tags": [],
"_create_user": "admin",
"_create_time": 1593697486134,
"_last_modified_user": "admin",
"_last_modified_time": 1601591521902,
"_system_owned": false,
"_protection": "NOT_PROTECTED",
"_revision": 1
}
Once the TKGi/PKS tile has been updated with the new certificate and key and the change has been applied, you can validate that the master node received the new certificate by running commands similar to the following:
# bosh deployments --column=name | grep service-instance
# bosh -d <service-instance_UUID> scp master/0:/var/vcap/jobs/pks-nsx-t-prepare-master-vm/config/nsx_t_superuser.crt .
Example:
bosh -d service-instance_814f9e24-140d-471e-b4a7-933XXXXXXXX scp master/0:/var/vcap/jobs/pks-nsx-t-prepare-master-vm/config/nsx_t_superuser.crt .
# openssl x509 -in nsx_t_superuser.crt -issuer -subject -startdate -enddate -noout
You will see output similar to the following:
issuer= /CN=pks-nsx-t-superuser1
subject= /CN=pks-nsx-t-superuser1
notBefore=Oct 2 14:54:21 2020 GMT
notAfter=Oct 2 14:54:21 2022 GMT
The issuer and subject must match the PI_NAME set in the script and notAfter must show the new expiry. If the file still shows the old /CN=tkgi-nsx-t-superuser certificate, the tile change has not reached that cluster yet.
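The procedure above reduced to code, as an added example that is not the article's attached create_certificate.sh and not TKGI or NSX-T project code. It drives the same NSX-T trust-management calls from Python's urllib instead of curl and jq, keeps the lookups as functions that fail when a certificate ID or display name matches anything other than exactly one object, and checks after the bind that the principal identity's certificate_id and _revision actually changed. The host name, credentials and the sample API responses are constructed from the article's masked output; the certificate import call (POST /api/v1/trust-management/certificates?action=import with a display_name) and the exact openssl invocation are assumptions about the NSX-T API and the attached script, not taken from them.

```python
"""Added example, not the article's attached create_certificate.sh nor TKGI/NSX-T
code: the NSX-T principal-identity certificate rotation driven from Python.
Sample data is constructed from the article's masked output; the certificate
import endpoint/body and the openssl argv are assumptions, not taken from the script."""
import base64
import json
import ssl
import urllib.request
from datetime import datetime, timedelta, timezone

# Constructed sample data, IDs masked exactly as in the article.
OLD_CERT_ID = "cbfd03e6-44fc-42df-bc71-b771XXXXXXXX"
NEW_CERT_ID = "670c81d9-d1e2-4d7f-941a-d08dXXXXXXXX"
PI_ID = "89819c8b-de0e-4c52-8fa4-dc3bXXXXXXXX"
SAMPLE_OPSMAN = [{"property_reference": ".properties.network_selector.nsx.nsx-t-superuser-certificate",
                  "valid_from": "2020-07-02T13:41:10Z", "valid_until": "2021-07-02T13:41:10Z"}]
SAMPLE_PIS = {"results": [{"name": "tkgi-nsx-t-superuser", "role": "enterprise_admin",
                           "certificate_id": OLD_CERT_ID, "id": PI_ID, "_revision": 0}]}
SAMPLE_CERTS = {"results": [{"id": NEW_CERT_ID, "display_name": "pks-nsx-t-superuser1"}]}

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def expiring_certs(opsman_certs, within_days=90, now=None):
    """Ops Manager deployed/certificates entries whose valid_until falls within
    within_days of now (the ?expires_within=3m symptom check); now is an ISO 'Z' string."""
    cutoff = (_ts(now) if now else datetime.now(timezone.utc)) + timedelta(days=within_days)
    return [c for c in opsman_certs if _ts(c["valid_until"]) <= cutoff]

def _single(results, key, value):
    hits = [r for r in results["results"] if r.get(key) == value]
    if len(hits) != 1:  # 0 = wrong ID/name, >1 = ambiguous; never guess what to bind
        raise LookupError(f"expected one result with {key}={value!r}, found {len(hits)}")
    return hits[0]

def find_pi_for_cert(principal_identities, certificate_id):
    """jq select(.certificate_id == ...): the PI the expiring certificate is bound to."""
    return _single(principal_identities, "certificate_id", certificate_id)

def find_cert_by_name(certificates, display_name):
    """jq select(.display_name == ...): the id of the freshly imported certificate."""
    return _single(certificates, "display_name", display_name)

def openssl_selfsigned_cmd(cn, key_file, cert_file, days=730):
    """argv reproducing the article's output: 2048-bit RSA, self-signed, /CN=<PI_NAME>,
    two-year validity (Oct 2020 -> Oct 2022 in the example). Assumed, not the script's."""
    return ["openssl", "req", "-x509", "-nodes", "-sha256", "-newkey", "rsa:2048", "-days",
            str(days), "-subj", f"/CN={cn}", "-keyout", key_file, "-out", cert_file]

def bind_payload(pi_id, cert_id):
    """Body of bind.json for ?action=update_certificate: PI id first, certificate id second."""
    return {"principal_identity_id": pi_id, "certificate_id": cert_id}

def rebind_ok(pi_before, pi_after, new_cert_id):
    """Post-bind check: same PI object, certificate_id replaced, _revision bumped."""
    return (pi_after["id"] == pi_before["id"] and pi_after["certificate_id"] == new_cert_id
            and pi_after["_revision"] > pi_before["_revision"])

class NsxTrust:
    """Minimal NSX-T trust-management client: basic auth (curl -u) and optional CA pinning."""
    def __init__(self, host, user, password, ca_file=None):
        self.base = f"https://{host}/api/v1/trust-management"
        tok = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.headers = {"Authorization": f"Basic {tok}", "Content-Type": "application/json",
                        "X-Allow-Overwrite": "true"}
        self.ctx = ssl.create_default_context(cafile=ca_file)
        if ca_file is None:  # curl -k equivalent; pin the NSX Manager CA instead where possible
            self.ctx.check_hostname, self.ctx.verify_mode = False, ssl.CERT_NONE

    def _call(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base + path, data=data, method=method, headers=self.headers)
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            return json.load(resp)

    def principal_identities(self):
        return self._call("GET", "/principal-identities")

    def certificates(self):
        return self._call("GET", "/certificates")

    def import_certificate(self, pem, display_name):  # assumed endpoint and body
        return self._call("POST", "/certificates?action=import",
                          {"pem_encoded": pem, "display_name": display_name})

    def rebind(self, pi_id, cert_id):  # returns the updated PI, as in the article's output
        return self._call("POST", "/principal-identities?action=update_certificate",
                          bind_payload(pi_id, cert_id))

def rotate(nsx, old_cert_id, new_name, cert_file):
    """The article's steps in order: find PI by old cert, import new cert, bind, verify."""
    before = find_pi_for_cert(nsx.principal_identities(), old_cert_id)
    with open(cert_file) as f:
        nsx.import_certificate(f.read(), new_name)
    new_id = find_cert_by_name(nsx.certificates(), new_name)["id"]
    after = nsx.rebind(before["id"], new_id)
    if not rebind_ok(before, after, new_id):
        raise RuntimeError("rebind did not take effect; PI still references the old certificate")
    return after  # keep new_name.key safe: it now authenticates an enterprise_admin PI
```

A run would be subprocess.run(openssl_selfsigned_cmd("pks-nsx-t-superuser1", "pks-nsx-t-superuser1.key", "pks-nsx-t-superuser1.crt"), check=True) followed by rotate(NsxTrust("<NSX Manager FQDN>", "admin", password, ca_file="nsx-ca.pem"), "<Certificate-ID>", "pks-nsx-t-superuser1", "pks-nsx-t-superuser1.crt"). The TKGi/PKS tile update and the bosh check on the master node stay manual steps; rotate() only covers the NSX-T side, and it raises rather than continuing if any lookup is ambiguous or the bind does not change the PI's certificate_id.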