Generating and applying NSX-T Federation certificates for Standby Global Manager

Article ID: 369274


Updated On: 03-27-2025

Products

VMware NSX

Issue/Introduction

  • From NSX-T federation 3.2.X onwards, the certificate import and generate options are deactivated and greyed out on the Standby Global Manager (GM).
  • This requires a failover to the Standby Global Manager to make it the active manager, and then new certificates can be generated.
  • However, if failover is not permitted, the following workaround steps can be used to generate and replace the certificates on the Standby GM without a failover.


Environment

VMware NSX-T 3.2.x
VMware NSX 4.0.x, 4.1.x

Resolution

This issue is resolved in NSX 4.2.0 and later, where the full certificate lifecycle is available on the Standby Global Manager UI.

For impacted versions, the following workaround can be used to update certificates without performing a failover.

  1. Generate the new certificate as required from the Active GM UI and note down the certificate UUID.

    Example: created a new "TEST" certificate on the Active GM with UUID "#####--###--###--####".

    Active GM: (screenshot not reproduced)

  2. From the Active GM CLI (as the root user), use the GET API call below with curl to retrieve the details of the certificate.

    The API call returns the certificate content and the private key.

    curl -k -X GET -H "Content-Type: application/json" -H 'X-NSX-Username:admin' -H 'X-NSX-Groups:superuser' "http://127.0.0.1:7440/nsxapi/api/v1/trust-management/certificates/<cert-id>?action=get_private"

    root@AGM:~# curl -k -X GET -H "Content-Type: application/json" -H 'X-NSX-Username:admin' -H 'X-NSX-Groups:superuser' "http://127.0.0.1:7440/nsxapi/api/v1/trust-management/certificates/#####--###--###--####?action=get_private"

    {
      "display_name" : "TEST-CERT-FROM-ACTIVE",
      "pem_encoded" : "-----BEGIN CERTIFICATE-----\n********\n-----END CERTIFICATE-----\n",
      "private_key" : "-----BEGIN RSA PRIVATE KEY-----\n*****\n-----END RSA PRIVATE KEY-----\n",
      "key_algo" : "RSA",
      "_protection" : "NOT_PROTECTED"
    }

    Note: After exporting the newly generated certificate, delete the certificate from the Active GM.

  3. Copy the content of the PEM certificate and key. If needed, change the certificate display name so that it can be distinguished on the Standby GM, for example "display_name": "STANDBY_GM_CERT".
  4. Import the certificate and key content on the Standby GM with the IMPORT API call, putting the content from step 3 in the body of the POST API call below for the Standby GM.

Note: Do not remove the \n characters from the certificate content. Copy and paste the content exactly as returned by the GET API call, including the \n, so that it imports correctly. A "display_name":"" field can also be added as needed if it is not present.

To do this with curl, follow the steps below.

  1. Log in to the Standby GM via SSH as the root user and create a new file named 'payload.json' in the /tmp directory with the following content.

    {
      "display_name" : "TEST-CERT-FROM-ACTIVE",
      "pem_encoded" : "-----BEGIN CERTIFICATE-----\n********\n-----END CERTIFICATE-----\n",
      "private_key" : "-----BEGIN RSA PRIVATE KEY-----\n*****\n-----END RSA PRIVATE KEY-----\n",
      "key_algo" : "RSA",
      "_protection" : "NOT_PROTECTED"
    }

  2. Then run the POST API call below to import the certificate.

    Using curl (the @ prefix makes curl read the request body from the file rather than sending the path as a literal string):
    curl -k -H "Content-Type: application/json" -u admin -X POST "https://standbyGM-manager-ip/api/v1/trust-management/certificates?action=import" --data @/tmp/payload.json

    Using postman client:
    POST https://standbyGM-manager-ip/api/v1/trust-management/certificates?action=import

    Put the contents of 'payload.json' in the body field.


Standby GM: (screenshot not reproduced)
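As an added example (not from the article or from VMware), the export-to-import steps above done with a script instead of hand copying: it parses the get_private response from the Active GM, checks that the PEM framing is complete, writes payload.json with owner-only permissions, and POSTs it to the Standby GM import endpoint. The sample response is constructed with placeholder PEM bodies; the `_protection` field returned by GET is left out of the import body on the assumption that it is read-only metadata, and `ca_file` is a hypothetical parameter name.

```python
import json
import os
import ssl
import base64
import urllib.request

# Constructed sample of a get_private response from the Active GM (placeholder
# PEM bodies, not real key material). The "\n" inside the strings become real
# newlines once the JSON is parsed, which is what the import call expects.
EXPORT_RESPONSE = json.dumps({
    "display_name": "TEST-CERT-FROM-ACTIVE",
    "pem_encoded": "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n",
    "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...placeholder...\n-----END RSA PRIVATE KEY-----\n",
    "key_algo": "RSA",
    "_protection": "NOT_PROTECTED",
})

def build_import_payload(export_json, display_name):
    """Build the Standby GM import body from the Active GM get_private output.
    Parsing and re-serialising with json keeps the \\n line breaks intact,
    which the article warns must not be lost when the PEM is copied by hand."""
    exported = json.loads(export_json)
    pem, key = exported["pem_encoded"], exported["private_key"]
    if not (pem.startswith("-----BEGIN CERTIFICATE-----\n")
            and pem.rstrip().endswith("-----END CERTIFICATE-----")):
        raise ValueError("pem_encoded is not a complete PEM certificate")
    if "PRIVATE KEY-----\n" not in key or "\n-----END " not in key:
        raise ValueError("private_key is not a complete PEM private key")
    return {"display_name": display_name, "pem_encoded": pem,
            "private_key": key, "key_algo": exported["key_algo"]}

def write_payload_file(payload, path):
    """Write payload.json owner-readable only (it holds a private key); delete it after import."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(payload, f, indent=2)
    return path

def import_certificate(standby_gm, username, password, payload, ca_file=None):
    """POST the payload to the Standby GM import endpoint (same call as the curl step).
    TLS is verified; pass the GM's CA bundle as ca_file instead of disabling checks as curl -k does."""
    url = f"https://{standby_gm}/api/v1/trust-management/certificates?action=import"
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(), method="POST",
        headers={"Content-Type": "application/json", "Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, context=ssl.create_default_context(cafile=ca_file)) as resp:
        return json.load(resp)  # the imported certificate object, including its id
```

The returned object's id is the certificate to select in the replacement step that follows.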

After the certificate is imported on the Standby GM, replace the certificate by following the certificate replacement documentation:

Certificate-Replacement-3.2.x

Certificate-Replacement-4.x