This document describes the processes and resources needed for replacing SSL certificates for NSX-T
Determine which certs need to be replaced as well as requirements:
When a warning is seen about the certificates expiring, the status of all current certs can be found in System -> Certificates. Specifically look at the 'Validity', 'Expire Date' and 'Where Used' fields. If 'Where Used' is 0, then the certificate is not being used as a cluster or federation cert.
Here is a screenshot on NSX-T 4.x, showing the certificate view:
If the cert is being replaced for a reason other than expiring, detemine whether the environment is using federation and if just the manager certs or manager and federation certs are being replaced.
For a reference on the different types of certs available for replacement see Types of Certificates..
Determine the customer requirements:
Generate and sign replacement certificates using the appropriate method determined by requirements:
Once the certs that need to be replaced have been determined and the requirements for those certs, follow the processes below to get the certificates generated and signed.
Validate Certificates:
Now that certs are either imported or generated and signed, before assigning to a service, verify that NSX-T sees the certificates as valid by running the following API call:
GET https://<nsx-mgr>/api/v1/trust-management/certificates/<cert-id>?action=validate
To get the certificate ID, copy the 'ID' field seen in the manager GUI, or use the following API call to list all certificates and simply use the value of the 'id' field:
GET https://<nsx-mgr>/api/v1/trust-management/certificates
Replace generated certificates:
API call for replacing the certs are covered in "Replace Certificates"
Supporting Documents:
For documentation on the different certificate types for federation and the managers see "Certificates for NSX Federation" and "Types of Certificates".
User-Imported CA-Signed Certificate is Expired - The CA-signed certificate that you imported to the NSX Manager appliance host has expired and you are unable to continue working with the NSX Application Platform.
Known Issues:
NSX alarms indicating certificates have expired or are expiring - certificate expires after 825 days in 3.2.1 - replace_cert.py script here to replace them automatically.
NSX Manager/NSX Global-Manager UI Not Accessible After Replacing CBM_* Certificates in 4.1.1 - after upgrade from 3.2.x to 4.1.1, when CBM_* certificate s replaced, UI is inaccessible.
Scripted process to Replace Expired or Self-signed VMware NSX-T Manager Certificates with VMCA-Signed Certificates - This KB helps to automate the entire process with a script.
NSX UI/API certificate is not in use on an NSX manager node - When viewing the System > Settings > Certificates page, you see that one of the API/UI certificates has a value of 0 in the Where Used column.
NSX Manager/NSX Global-Manager UI Not Accessible After Replacing CBM_* Certificates in 4.1.1 - This article provides the steps to bring up UI on one NSX manager node.
NSX-T Federation assigning Certificate to Local Manager fails with "Expected 1 local site certificate with service type LOCAL_MANAGER but found 0." - This issue occurs when the original local manager certificate was removed before the new one was applied.
NSX-T Federation Deployment: Connection from Local Manager to the Global Manager is broken in the NSX Federation after replacing the Local Managers mp-cluster certificate - The user sees that the "Appliances", "Latest Backup", "Automatic Backups" and "Remote Tunnel Endpoint Status" status on one/all Local Managers are "Not available"
VMware NSX Federation LOCAL_MANAGER or GLOBAL_MANAGER replaced expired certificate still alerting as expired - This is a known issue impacting VMware NSX.