This article provides instructions for renewing the certificate used by NSX-T principal identity user created for Tanzu Kubernetes Grid Integrated Edition. 

Symptoms:

• You see information similar to the following when navigating to https://<Opsman FQDN/IP>/api/v0/deployed/certificates?expires_within=3m :

• VMware Tanzu Kubenetes Grid Integrated Edition
• VMware NSX-T Data Center

Notes:

• The certificate is located on the TKGI TILE > Networking > NSX > NSX Manager Super User Principal Identity Certificate.
• You need two things to renew the certificate:
  • The certificate_id of the expired superuser certificate
  • The ID of the user (Principal ID) whose certificate needs to be replaced 

Instructions:

1. Get the certificate ID:
   
   Note: Make a note of the "Issuer",  "valid_from", and "valid_until" values,
   
   Expired data
   
   {
    "configurable": true,
    "is_ca": false,
    "property_reference": ".properties.network_selector.nsx.########-certificate",
    "property_type": "rsa_cert_credentials",
    "product_guid": "pivotal-container-service-942e24a1e535########",
    "location": "ops_manager",
    "variable_path": null,
    "issuer": "/CN=########",
    "valid_from": "2020-07-02T13:41:10Z",
    "valid_until": "2021-07-02T13:41:10Z"
}


2. Login to the NSX-T Manager UI and navigate to System > Certificate  then find the certificate ID by the issuer [In this case it is "tkgi-nsx-t-superuser"] and confirm the start and expiration date
   
   
   
   Note: Make a note of the Certificate_ID you obtained from the previous step as it will be used in the next step. [Ex: cbfd03e6-44fc-42df-bc71-b771########]
   
   
3. Get The ID of the user (Principal ID) whose certificate needs to be replaced by issuing a command similar to the following:
   
   curl -X GET -u 'admin:<Password>' -k https://<nsx manager fqdn>/api/v1/trust-management/principal-identities | jq -r '.results[]| select(.certificate_id == "<Certificate-ID>")'

You will see output similar to the following:
   
   {
  "name": "########",
  "node_id": "####",
  "permission_group": "undefined",
  "role": "enterprise_admin",
  "certificate_id": "cbfd03e6-44fc-42df-bc71-b771########",
  "is_protected": true,
  "resource_type": "PrincipalIdentity",
  "id": "89819c8b-de0e-4c52-8fa4-dc3b########",
  "display_name": "########",
  "tags": [],
  "_create_user": "admin",
  "_create_time": 1593697486134,
  "_last_modified_user": "admin",
  "_last_modified_time": 1593697486134,
  "_system_owned": false,
  "_protection": "NOT_PROTECTED",
  "_revision": 0
}

Note: Make a note of the id value - In this example, it is : 89819c8b-de0e-4c52-8fa4-dc3b########
   
   
4. Create the new nsx-t-superuser-certificate for the same (old) User Principal ID
   
   Note: Run the create_certificate.sh script  that will create the certificate and private key and upload the certificate to NSX Manager
   Note: After running this script, you will have the certificate file and private key in the local path and the certificate will be posted to the NSX Manager.
   
   
   1. Create a directory called nsxt-pi-cert

mkdir ~/nsxt-pi-cert


   2. Navigate to the directory
      
cd ~/nsxt-pi-cert


   3. Download the create_certificate.sh.zip file attached to this article and extract the contents (create_certificate.sh). Copy this script to the system where you will run the commands from.
   4. Open the script in a text editor and make the following changes:
      1. Set NSX_MANAGER to the NSX-T manager IP address.
      2. Set NSX_USER to the "admin" account.
      3. Set PI_NAME to "########_#" where _# is the next number higher than what is in the certificate Issuer.
      4. Set NSX_SUPERUSER_CERT_FILE to the name of the new certificate file.
      5. Set NSX_SUPERUSER_KEY_FILE to the name of the new private key file.
      6. Update the "CN=" reference, updating the value to match thew update PI_NAME value.
         
         The following is an example of the changed sections of the file:
         

         NSX_MANAGER="<NSX Manager IP>"
NSX_USER="admin"
PI_NAME="########"
NSX_SUPERUSER_CERT_FILE="########.crt"
NSX_SUPERUSER_KEY_FILE="########.key
-subj /CN=########

   5. Make the sh script excludable
      
      chmod +x create_certificate.sh

   6. Run the sh script
      
./create_certificate.sh

Note: Enter the NSX-T admin password when promoted.
      
      You will see output similar to the following:
      
      Password: Generating a 2048-bit RSA private key
....+++
.........................................................................................................+++
writing the new private key to 'pks-nsx-t-superuser1.key'
-----
{
  "results" : [ {
    "pem_encoded" : "-----BEGIN CERTIFICATE-----\nMII.........laV\n-----END CERTIFICATE-----\n",
    "used_by" : [ ],
    "resource_type" : "certificate_self_signed",
    "id" : "670c81d9-d1e2-4d7f-941a-d08d########",
    "display_name" : "########",
    "tags" : [ ],
    "_create_user" : "admin",
    "_create_time" : 1601567107129,
    "_last_modified_user" : "admin",
    "_last_modified_time" : 1601567107129,
    "_system_owned" : false,
    "_protection" : "NOT_PROTECTED",
    "_revision" : 0
  } ]

Note: The new certificate will get uploaded to the NSX-T with the Issuer Name "pks-nsx-t-superuser#".  In this example, the issuer is "pks-nsx-t-superuser1".
      Note: The script will create two files  "pks-nsx-t-superuser1.crt"  and "pks-nsx-t-superuser1.key". Make a copy of these files as they will be used to update the TKGi/PKS Tile with the new  NSX-T Superuser certificate in step 5.

   7. Get the new  nsx-t-superuser-certificate "id" value by running a command similar to the following
      
      curl -X GET -u 'admin:<Password>' -k https://<NSX Manager FQDN>/api/v1/trust-management/certificates | jq -r '.results[] | select(.display_name == "<New-Cert-Displayname>")'
      
      Note: Replace <New-Cert-Displayname> with the PI_NAME value used previously.
      
      You will see output similar to the following:
      
      {
  "pem_encoded": "-----BEGIN CERTIFICATE-----\nMII........laV\n-----END CERTIFICATE-----\n",
  "used_by": [],
  "resource_type": "certificate_self_signed",
  "id": "670c81d9-d1e2-4d7f-941a-d08d########",
  "display_name": "########",
  "tags": [],
  "_create_user": "admin",
  "_create_time": 1601567107129,
  "_last_modified_user": "admin",
  "_last_modified_time": 1601567107129,
  "_system_owned": false,
  "_protection": "NOT_PROTECTED",
  "_revision": 0
}
      
      Note: Make a note of the nsx-t-superuser-certificate ID. In this example, the value is "670c81d9-d1e2-4d7f-941a-d08d########".

   8. Bind the new nsx-t-superuser-certificate to the Principal ID

      1. Create a bind.json file containing the Principal ID  obtained in Step 3 and new nsx-t-superuser-certificate ID  obtained in Step 7.
         
         {
"principal_identity_id": "########-certificate ID",
"certificate_id": "########New_Certificate"
}

Using the values in this example, the file would look like the following:
         
         {
"principal_identity_id": "89819c8b-de0e-4c52-8fa4-dc3b########",
"certificate_id": "670c81d9-d1e2-4d7f-941a-d08d########"
}

      2. Run a command similar to the following to bind the certificate to the principal id:
         
         curl -X POST -u 'admin:<Password>' -k https://<NSX Manager FQDN>/api/v1/trust-management/principal-identities?action=update_certificate -H "Content-Type: application/json" -H "X-Allow-Overwrite: true" -d @bind.json

You will see output similar to the following:
         
         {
  "name" : "########",
  "node_id" : "####",
  "permission_group" : "undefined",
  "role" : "enterprise_admin",
  "certificate_id" : "670c81d9-d1e2-4d7f-941a-d08d########",
  "is_protected" : true,
  "resource_type" : "PrincipalIdentity",
  "id" : "89819c8b-de0e-4c52-8fa4-dc3b########",
  "display_name" : "########",
  "tags" : [ ],
  "_create_user" : "admin",
  "_create_time" : 1593697486134,
  "_last_modified_user" : "admin",
  "_last_modified_time" : 1601591521902,
  "_system_owned" : false,
  "_protection" : "NOT_PROTECTED",
  "_revision" : 1

      3. Run a command similar to the following to validate that the tkgi-nsx-t-superuser principal-id  is bound to the new nsx-t-superuser-certificate
         
         curl -k -X GET -u 'admin:<Password>' -k https://<NSX Manager FQDN>/api/v1/trust-management/principal-identities | jq -r '.results[]| select(.id == "nsx-t-superuser-principal-id")'

You will see output similar to the following:
         
         {
  "name": "########",
  "node_id": "####",
  "permission_group": "undefined",
  "role": "enterprise_admin",
  "certificate_id": "670c81d9-d1e2-4d7f-941a-d08d########",   <<<<<  The new nsx-t-superuser-certificate From step 7
           "is_protected": true,
  "resource_type": "PrincipalIdentity",
  "id": "89819c8b-de0e-4c52-8fa4-dc3b########",
  "display_name": "########",
  "tags": [],
  "_create_user": "admin",
  "_create_time": 1593697486134,
  "_last_modified_user": "admin",
  "_last_modified_time": 1601591521902,
  "_system_owned": false,
  "_protection": "NOT_PROTECTED",
  "_revision": 1
}
   9. Update the TKGi/PKS Tile with the new NSX-T Superuser certificate.
      1. Login to the Ops Manager UI click on the TKGI/PKS tile > Networking.
      2. Find the "NSX Manager Super User Principal Identity Certificate" section.
      3. Click on Change to update the NSX-T superuser certificate and Private Key.
      4. Update the "Certificate" filed with the content in the "########.crt" file and the "Private Key" filed  with the content in the "########.key" file. (Both files should be located in the location where you ran the " create_certificate.sh" script in step 3f)
      5. Save
   10. If you are using certificate authentication with NSX-T on the BOSH tile, make sure to update it with the new NSX-T Superuser certificate.
       1. Login to the Ops Manager UI click on the BOSH tile > vCenter Config.
       2. Find the "NSX Manager Principal Identity Certificate" section.
       3. Click on Change to update the NSX-T superuser certificate and Private Key.
       4. Update the "Certificate" filed with the content in the "########.crt" file and the "Private Key" filed with the content in the "########.key" file. (Both files should be located in the location where you ran the " create_certificate.sh" script in step 3f)
       5. Save
   11. Click on Installation Dashboard and select Review Pending Changes. On the Review Pending Changes page, expand ERRANDS  under "Tanzu Kubernetes Grid Integrated Edition" (or "Enterprise PKS" In version 1.7 and earlier) and enable the "Upgrade all clusters errand" > Click on Apply Changes.

You can validate that the new certificate got updated on the master node by running commands similar to the following:

1. Run the following command on the OpsMan VM to get the Service Deployment UUID
   
   # bosh deployments --column=name | grep service-instance

2. Run the following command export the nsx-t Superuser cert from the master node.
   
   # bosh -d <service-instance_UUID> scp master/0:/var/vcap/jobs/pks-nsx-t-prepare-master-vm/config/########.crt .

Ex.
   
   bosh -d service-instance_814f9e24-140d-471e-b4a7-933######## scp master/0:/var/vcap/jobs/pks-nsx-t-prepare-master-vm/config/######## .


3. Run the following command to validate the creation and expiration date of the nsx-t superuser certificate
   
   # openssl x509 -in ########.crt | openssl x509 -issuer -subject -startdate -enddate -noout

Note: You will see output similar to the following:
   
   issuer= /CN=########
subject= /CN=########
notBefore=Oct  2 14:54:21 2020 GMT
notAfter=Oct  2 14:54:21 2022 GMT