NSX-T Federation certificate generation from Standby GM without failover.

Article ID: 369274
Products

VMware NSX

Issue/Introduction

  • From NSX-T Federation 3.2.3 onwards, the certificate Import and Generate options are greyed out on the standby GM.
  • Generating new certificates therefore requires failing over the standby GM so that it becomes the active GM, then generating the certificates there.
  • If a failover is not permitted, the following workaround steps can be used to generate and replace the certificates on the standby GM without a failover.


Environment

VMware NSX

Resolution

  1. Generate the new certificate as required from the Active GM UI and note down the certificate UUID.

    Example: a new certificate named "TEST" created from the Active GM has the UUID 24###--###--###--##11.

    Active GM:


  2. Use the following GET API call from the Active GM CLI to retrieve the details of the certificate.

    The response contains both the certificate and its private key.

    curl -k -X GET -H "Content-Type: application/json" -H 'X-NSX-Username:admin' -H 'X-NSX-Groups:superuser' "http://127.0.0.1:7440/nsxapi/api/v1/trust-management/certificates/<cert-id>?action=get_private"

    root@AGM:~# curl -k -X GET -H "Content-Type: application/json" -H 'X-NSX-Username:admin' -H 'X-NSX-Groups:superuser' "http://127.0.0.1:7440/nsxapi/api/v1/trust-management/certificates/24###--###--###--##11?action=get_private"

    {
      "display_name" : "TEST-CERT-FROM-ACTIVE",
      "pem_encoded" : "-----BEGIN CERTIFICATE-----\n********\n-----END CERTIFICATE-----\n",
      "private_key" : "-----BEGIN RSA PRIVATE KEY-----\n*****\n-----END RSA PRIVATE KEY-----\n",
      "key_algo" : "RSA",
      "_protection" : "NOT_PROTECTED"
    }

  3. Copy the content of the PEM certificate and the private key. If needed, change the certificate display name so it can be distinguished on the standby GM, for example "display_name": "STANDBY_GM_CERT".
  4. Import the certificate and key on the standby GM using the import API: put the content from step 3 in the body of the following POST API call against the standby GM.

    POST https://standbyGM-manager-ip/api/v1/trust-management/certificates?action=import

    Standby GM:


   After the certificate is imported on the standby GM, replace the certificate by following the Replace Certificates documentation.
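The following Python script is an added example that is not part of this article or of the NSX product; it ties steps 2 to 4 together by turning the get_private response from the Active GM into the body of the standby GM import call. The sample response, the placeholder PEM bodies and the host names are constructed for illustration. The import body fields (display_name, pem_encoded, private_key) are those of the NSX trust-management import API that step 4 refers to; the validation and the optional CA file are this example's own additions.

```python
"""Build and send the standby-GM import request from the active GM's get_private output."""
import base64
import json
import ssl
import urllib.request

# Constructed sample of the step-2 response. The PEM bodies are placeholders,
# not real key material.
SAMPLE_GET_PRIVATE = json.dumps({
    "display_name": "TEST-CERT-FROM-ACTIVE",
    "pem_encoded": "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n",
    "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...placeholder...\n-----END RSA PRIVATE KEY-----\n",
    "key_algo": "RSA",
    "_protection": "NOT_PROTECTED",
})


def _check_pem(value, label):
    # The import call rejects anything that is not a complete PEM block, so check
    # the markers before sending rather than debugging an HTTP 400 afterwards.
    if not isinstance(value, str) or "-----BEGIN " not in value or "-----END " not in value:
        raise ValueError(f"{label} is not a complete PEM block")
    return value


def build_import_body(get_private_json, display_name=None):
    """Turn the step-2 JSON into the body for POST .../certificates?action=import.

    Only the three fields the import API needs are copied; key_algo and
    _protection are read-only attributes of the source object and are dropped.
    display_name lets you rename the object for the standby GM (step 3).
    """
    src = json.loads(get_private_json)
    return {
        "display_name": display_name or src["display_name"],
        "pem_encoded": _check_pem(src["pem_encoded"], "pem_encoded"),
        "private_key": _check_pem(src["private_key"], "private_key"),
    }


def import_on_standby(standby_ip, username, password, body, ca_file=None):
    """POST the body to the standby GM and return (http_status, parsed_response).

    Not executed in this example: it needs a reachable standby GM. ca_file is the
    CA that signed the standby GM's API certificate; without it the call is as
    unverified as 'curl -k'.
    """
    url = f"https://{standby_ip}/api/v1/trust-management/certificates?action=import"
    if ca_file:
        ctx = ssl.create_default_context(cafile=ca_file)
    else:
        ctx = ssl._create_unverified_context()  # equivalent of curl -k
    creds = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Content-Type": "application/json", "Authorization": f"Basic {creds}"},
    )
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.getcode(), json.loads(resp.read().decode())


if __name__ == "__main__":
    # Usage on the appliance: pipe the step-2 curl output into this script, then
    # delete the file holding it; it contains the private key in cleartext.
    body = build_import_body(SAMPLE_GET_PRIVATE, display_name="STANDBY_GM_CERT")
    print(json.dumps(body, indent=2))
    # status, result = import_on_standby("standbyGM-manager-ip", "admin", "<password>", body)
```

The step-2 response carries the private key unencrypted, so keep the saved JSON on the appliance, restrict its permissions and remove it once the import on the standby GM has succeeded.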