How to generate NSX Manager Super User Principal Identity Scripts for PKS


Article ID: 345583


Products

VMware

Issue/Introduction

This article explains how to create the NSX Manager and NSX Manager Superuser Principal Identity certificates.

Environment

VMware PKS 1.x

Resolution

You provide the NSX Manager and Superuser Principal Identity certificates in Ops Manager when deploying the BOSH/PKS tiles.

To generate and register these certificates, see the below pages in VMware PKS documentation:

Workaround:
Alternatively, use the following two scripts to generate the Super User Principal Identity certificate and private key and register the identity with NSX Manager:
  • create_certificate.sh – Creates the certificate and private key and uploads the certificate to NSX Manager
  • create_pi.sh – Creates the principal identity from the certificate and registers the identity with NSX Manager
NOTE: These scripts must be run on a Linux host with OpenSSL installed. In addition, the Linux host must be able to call the NSX Manager API. A good place to run these scripts is the PKS Client VM where the PKS CLI is installed.
  1. Download the scripts:
    http://storage.googleapis.com/pks-releases/scripts/create_certificate.sh
    http://storage.googleapis.com/pks-releases/scripts/create_pi.sh
     
  2. Log into a Linux VM in your PKS environment, such as the PKS Client VM.
     
  3. Run the following command to create an empty file for the first script: nano create_certificate.sh
     
  4. Copy the contents of the create_certificate.sh script you downloaded to the new file you created.
     
  5. Update the values for the first two lines to match your environment:
    • NSX_MANAGER_IP – IP address of the NSX Manager host
    • NSX_MANAGER_USERNAME – Username for NSX Manager
       
  6. Save the script and run it using the following command: bash create_certificate.sh
     
  7. When prompted, enter the NSX_MANAGER_PASSWORD for the NSX user you provided in the script.
     
  8. Verify results: the certificate and private key are generated; the certificate is uploaded to the NSX Manager and the CERTIFICATE_ID value is returned to the console. You need this ID for the second script.
     
  9. Run the following command to create an empty file for the second script: nano create_pi.sh
     
  10. Copy the contents of the create_pi.sh script you downloaded to the new file you created.
     
  11. Update the values for the first three lines to match your environment.
    • NSX_MANAGER_IP – IP address of the NSX Manager host
    • NSX_MANAGER_USERNAME – Username for NSX Manager
    • CERTIFICATE_ID – Returned from the create_certificate.sh script
       
  12. Save the script and run it using the following command: bash create_pi.sh
     
  13. When prompted, enter the NSX_MANAGER_PASSWORD for the NSX user you provided in the script.
     
  14. During configuration of PKS, copy/paste the contents of the certificate and private key to the NSX Manager Super User Principal Identity Certificate fields in the Networking tab of the PKS tile.
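
A local check to run between step 8 and step 14, before the certificate and private key are pasted into the PKS tile. This is an added example, not part of the VMware scripts: the function name check_pi_cert, the 30-day expiry threshold and the owner-only permission requirement are assumptions, and the file paths are whatever names the generated certificate and key have on your host.

```shell
#!/bin/sh
# Added example (not from the VMware scripts): sanity-check the generated
# Principal Identity certificate and private key with OpenSSL.
# Usage: sh check_pi_cert.sh <certificate.pem> <private_key.pem>
# Return codes: 0 ok, 1 pair mismatch, 2 unreadable file,
#               3 certificate expires soon, 4 key file too permissive.

MIN_VALID_SECONDS=$((30 * 24 * 3600))   # assumption: require 30 days of validity

check_pi_cert() {
  cert=$1
  key=$2

  # Extract the public key from each file; a parse failure means a bad file.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
    { echo "cannot read certificate: $cert"; return 2; }
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
    { echo "cannot read private key: $key"; return 2; }

  # The certificate is only usable with the key whose public half it carries.
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "certificate and private key do not belong together"
    return 1
  fi

  # -checkend exits non-zero if the certificate expires within N seconds.
  if ! openssl x509 -in "$cert" -noout -checkend "$MIN_VALID_SECONDS" >/dev/null; then
    echo "certificate expires within 30 days"
    return 3
  fi

  # Characters 5-10 of the ls mode string are the group and other bits.
  group_other=$(ls -lL "$key" | cut -c5-10)
  if [ "$group_other" != "------" ]; then
    echo "private key is accessible to group/others; run: chmod 600 $key"
    return 4
  fi

  echo "OK: $(openssl x509 -in "$cert" -noout -subject -enddate | tr '\n' ' ')"
}

# Run the check when the script is called with both file names.
if [ "$#" -eq 2 ]; then
  check_pi_cert "$1" "$2"
fi
```

The private key grants super user access to NSX Manager through the registered principal identity, so keep it readable only by its owner on the PKS Client VM and remove stray copies once the tile is configured.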