Generating NSX-T Federation certificate for Standby Global Manager without a failover.


Article ID: 369274


Products

VMware NSX

Issue/Introduction

  • From NSX-T Federation 3.2.x onwards, the certificate import and generate options are greyed out on the standby Global Manager (GM).
  • Generating new certificates therefore normally requires a failover to the standby GM, so that it becomes the active manager.
  • If a failover is not permitted, the following workaround can be used to generate and replace the certificates on the standby GM without a failover.


Environment

VMware NSX-T Datacenter

VMware NSX

Resolution

  1. Generate the new certificate as required from the Active GM UI and note down the certificate UUID.

    Example: a new "TEST" certificate was created on the Active GM with UUID #####--###--###--####

    Active GM:



  2. From the Active GM CLI (as the root user), use the following GET API call via curl to retrieve the details of the certificate.

    The call returns the certificate content and the private key.

    curl -k -X GET -H "Content-Type: application/json" -H 'X-NSX-Username:admin' -H 'X-NSX-Groups:superuser' "http://127.0.0.1:7440/nsxapi/api/v1/trust-management/certificates/<cert-id>?action=get_private"

    root@AGM:~# curl -k -X GET -H "Content-Type: application/json" -H 'X-NSX-Username:admin' -H 'X-NSX-Groups:superuser' "http://127.0.0.1:7440/nsxapi/api/v1/trust-management/certificates/#####--###--###--####?action=get_private"

    {
      "display_name" : "TEST-CERT-FROM-ACTIVE",
      "pem_encoded" : "-----BEGIN CERTIFICATE-----\n********\n-----END CERTIFICATE-----\n",
      "private_key" : "-----BEGIN RSA PRIVATE KEY-----\n*****\n-----END RSA PRIVATE KEY-----\n",
      "key_algo" : "RSA",
      "_protection" : "NOT_PROTECTED"
    }

    Note: after exporting the newly generated certificate, delete it from the Active GM.

  3. Copy the content of the PEM certificate and the private key. If needed, change the certificate display name so that it can be distinguished on the Standby GM, for example "display_name": "STANDBY_GM_CERT".
  4. Import the certificate and key on the standby GM using the IMPORT API call: put the content from step 3 in the body of the POST API call for the standby GM shown below.

Note: do not remove the \n characters from the certificate content. Copy and paste the content exactly as collected with the GET API call, including the \n sequences, so that it imports correctly. The "display_name":"" field can be added if it is not present.

Using the curl command, follow the steps below.

1. Log in to the Standby GM via SSH as the root user and create a new file named 'payload.json' in the /tmp directory with the following content.

{
  "display_name" : "TEST-CERT-FROM-ACTIVE",
  "pem_encoded" : "-----BEGIN CERTIFICATE-----\n********\n-----END CERTIFICATE-----\n",
  "private_key" : "-----BEGIN RSA PRIVATE KEY-----\n*****\n-----END RSA PRIVATE KEY-----\n",
  "key_algo" : "RSA",
  "_protection" : "NOT_PROTECTED"
}

2. Then run the following POST API call to import the certificate.

Using curl:

curl -k -H "Content-Type: application/json" -u admin -X POST "https://standbyGM-manager-ip/api/v1/trust-management/certificates?action=import" --data @/tmp/payload.json

(The @ prefix makes curl read the request body from the file; without it, curl sends the literal string "/tmp/payload.json" as the body and the import fails.)

Using postman client:

POST https://standbyGM-manager-ip/api/v1/trust-management/certificates?action=import

Put the 'payload.json' content in the body field.

Standby GM:


After the certificate has been imported on the standby GM, replace the certificate by following the certificate replacement documentation:
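Steps 2 to 4 above can be scripted so that the exported certificate and private key reach the standby GM byte-for-byte, with only the display name changed. This is an added example, not code from the KB or from VMware; the host names, credentials and function names are assumptions, and the export call assumes it runs on the active GM itself (the local 7440 API), as the KB does.

```python
# Added example: automate the KB's export -> payload.json -> import steps.
import base64
import json
import ssl
import urllib.request

ACTIVE_GM_LOCAL_API = "http://127.0.0.1:7440/nsxapi/api/v1"  # run on the active GM as root (assumption)
STANDBY_GM_API = "https://standbyGM-manager-ip/api/v1"      # placeholder host taken from the KB


def build_import_payload(exported: dict, display_name: str) -> dict:
    """Turn the ?action=get_private response into the ?action=import body."""
    pem, key = exported.get("pem_encoded", ""), exported.get("private_key", "")
    if not (pem.startswith("-----BEGIN CERTIFICATE-----") and "-----END CERTIFICATE-----" in pem):
        raise ValueError("pem_encoded is not a PEM certificate")
    if "PRIVATE KEY-----" not in key:
        raise ValueError("private_key missing: was the GET made with ?action=get_private?")
    return {"display_name": display_name, "pem_encoded": pem, "private_key": key,
            "key_algo": exported.get("key_algo", "RSA"), "_protection": "NOT_PROTECTED"}


def payload_json(payload: dict) -> str:
    """Serialise for payload.json; PEM newlines are emitted as literal \\n, as the KB requires."""
    return json.dumps(payload, indent=2)


def export_from_active(cert_id: str) -> dict:
    """KB step 2: fetch certificate and private key through the active GM's local API."""
    req = urllib.request.Request(
        f"{ACTIVE_GM_LOCAL_API}/trust-management/certificates/{cert_id}?action=get_private",
        headers={"Content-Type": "application/json", "X-NSX-Username": "admin",
                 "X-NSX-Groups": "superuser"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def import_to_standby(payload: dict, user: str, password: str) -> dict:
    """KB step 4: POST the payload to the standby GM (what curl -k -u ... --data @payload.json does)."""
    auth = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{STANDBY_GM_API}/trust-management/certificates?action=import",
        data=payload_json(payload).encode(), method="POST",
        headers={"Content-Type": "application/json", "Authorization": f"Basic {auth}"})
    ctx = ssl.create_default_context()
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # same posture as curl -k; pin the GM CA instead where possible
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)
```

Run `import_to_standby(build_import_payload(export_from_active("<cert-id>"), "STANDBY_GM_CERT"), "admin", password)` and then remove the certificate from the active GM as the note above says.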

Certificate-Replacement-3.2.x

Certificate-Replacement-4.x