Troubleshooting NSX Manager SSL Certificates
search cancel

Troubleshooting NSX Manager SSL Certificates

book

Article ID: 380457

calendar_today

Updated On:

Products

VMware NSX

Issue/Introduction

This article explains how to replace the SSL certificates used by NSX-T (NSX Manager) and links to the documentation you need for each method.

Environment

VMware NSX

Resolution

Determine which certificates need to be replaced, and your requirements

If you see a warning that certificates are expiring, check the status of all current certificates in System → Certificates. Look at the Validity, Expire Date, and Where Used fields. If Where Used is 0, that certificate is not in use as a cluster or federation certificate.

Here is a screenshot on NSX-T 4.x showing the certificate view:

(NSX-T 4.x System → Certificates page, showing the Validity, Expire Date, and Where Used columns.)

If you're replacing a certificate for a reason other than expiry, first determine whether your environment uses federation, and whether you're replacing only the manager certificates or both the manager and federation certificates.

For details on the certificate types available for replacement, see Types of Certificates.

Determine your requirements:

  1. Will you use self-signed SSL certificates?
  2. Do the certificates need to be signed by an external CA (certificate authority)?
  3. Do the certificates need to be created outside NSX-T? Common reasons:
    1. You need to add extra Subject Alternative Names (SANs) so fewer certificates are needed overall.
    2. You want to use an existing wildcard certificate.
    3. You need access to the certificate and private key to import into another system.
    4. You want the certificate to be automatically trusted through ADFS or another PKI system.
  4. Are you using VMware Cloud Foundation (VCF)?

Generate and sign the replacement certificates using the method that matches your requirements:

Once you've identified which certificates to replace and your requirements for them, follow the matching process below to generate and sign them.

  • Self-signed certificates - If you're using self-signed certificates (question 1 is yes, and 2 and 3 are no:
  • CA-signed certificates: If an external CA will sign your certificates and you don't need access to the private key (question 3 is no), follow these steps:
  • Externally created certificates: If you need to generate the certificates outside NSX-T for any reason, follow these steps:
    •  After generating the certificate, if it needs to be signed by an external CA, first generate a CSR using Create a Certificate Signing Request File.
    • Send the CSR to a CA for signing. The CA returns the signed certificate along with the chain of root certificates it uses.
    • Import the signed certificate (returned by the CA) together with the private key used to generate it, by following Import a Self-signed or CA-signed Certificate. Be sure to include the private key and the password used during generation.

Validate Certificates:

Now that the certificates are imported or generated and signed, verify that NSX-T sees them as valid before assigning them to a service. Run the following API call:

GET https://<nsx-mgr>/api/v1/trust-management/certificates/<cert-id>?action=validate
To find the certificate ID, copy the ID field shown in the NSX Manager UI, or run the following API call to list all certificates and use the value of its id field:
GET https://<nsx-mgr>/api/v1/trust-management/certificates

Replace generated certificates:

Before NSX 4.2: API call for replacing the certs are covered in Replace Certificates.

  • If you're replacing API certificates, use steps 1-5 of Replace Certificates. Step 4 is the API call for the Manager API certificate and step 5 is for the overall shows the API call for the overall cluster VIP certificate. 
  • If you're replacing NSX Federation certificates, use steps 1-3, then step 6 for the principal identity certificate and/or step 7 for the APR-APH certificate.

NSX 4.2 and above:

Additional Information

Supporting Documents:

For documentation on the different certificate types for federation and the managers see Certificates for NSX Federation and Types of Certificates

 

Known Issues: