NSX-T Federation certificate generation from Standby GM without failover.
Article ID: 369274
Updated On:
Products
VMware NSX
Issue/Introduction
From NSX-T Federation 3.2.3 onwards, the certificate import and generate options are greyed out on the standby GM.
This requires failing over the standby GM to make it active and then generating the new certificates.
However, if a customer does not permit a failover, the following workaround steps can be used to generate and replace the certificates on the standby GM without a failover.
Environment
VMware NSX
Resolution
1. Generate the new certificate as required from the Active GM UI and note down the certificate UUID.
   Example: Created a new "TEST" certificate from the Active GM, "uuid": "24###--###--###--##11"
2. Active GM: Use the GET curl API call from the Active GM CLI to get the details of the certificate.
   The API call returns the content of the certificate and private key.
3. Copy the content of the PEM certificate and key. (If needed, you can change the certificate display name to distinguish it on the Standby GM, for example "display_name": "STANDBY_GM_CERT".)
4. Import the certificate and key content on the standby GM using the IMPORT API call, putting the content from step 3 in the body of the below POST API call for the standby GM.
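The copy-and-rename step above, as an added example that is not part of the original article or VMware tooling: a Python helper that builds the import body from a saved GET response, rejects a response whose private key is missing or damaged, and writes the file readable only by its owner. The field names pem_encoded and private_key are assumed from the NSX certificate schema; the function names and the sample response are constructed for illustration.

```python
import base64
import json
import os
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s+(.*?)\s+-----END \1-----", re.S)

def pem_labels(text):
    """Return the label of each well-formed PEM block in text."""
    labels = []
    for label, body in PEM_BLOCK.findall(text or ""):
        # Raises ValueError (binascii.Error) if the copied block was damaged.
        base64.b64decode("".join(body.split()), validate=True)
        labels.append(label)
    return labels

def build_import_body(get_response, display_name):
    """Keep only the fields the import needs; fail if the key did not come back."""
    cert = get_response.get("pem_encoded", "")   # assumed field name
    key = get_response.get("private_key", "")    # assumed field name
    cert_labels = pem_labels(cert)
    if not cert_labels or set(cert_labels) != {"CERTIFICATE"}:
        raise ValueError("pem_encoded must hold only CERTIFICATE blocks")
    key_labels = pem_labels(key)
    if len(key_labels) != 1 or not key_labels[0].endswith("PRIVATE KEY"):
        raise ValueError("response carries no usable private key")
    return {"display_name": display_name, "pem_encoded": cert, "private_key": key}

def write_body(body, path):
    """Create the body file with mode 0600; refuse to overwrite an existing file."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(body, fh, indent=2)

def sample_pem(label):
    """Constructed placeholder PEM block, not real certificate or key material."""
    data = base64.encodebytes(b"constructed sample bytes, not real key material").decode()
    return f"-----BEGIN {label}-----\n{data}-----END {label}-----\n"

# Constructed stand-in for the Active GM's GET response (read-only fields included).
SAMPLE_GET = {
    "id": "24###--###--###--##11",
    "display_name": "TEST",
    "pem_encoded": sample_pem("CERTIFICATE"),
    "private_key": sample_pem("PRIVATE KEY"),
}

if __name__ == "__main__":
    print(sorted(build_import_body(SAMPLE_GET, "STANDBY_GM_CERT")))
```

Delete the body file once the import on the standby GM has succeeded, since it holds the private key in clear text.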