Replacing Expired Local Manager Certificates. Unable to remove expired LM certificate, and encountering the error message: "No Certificate Profile of type LOCAL_MANAGER available for the current node-type."

Article ID: 381079

Updated On:

Products

VMware NSX

Issue/Introduction

This article provides guidance on replacing expired or outdated Local Manager (LM) certificates in NSX 3.x. The process includes removing an expired certificate and assigning a new one.

Issue: The expired LM certificate cannot be removed, and the API returns the following error message:

 
"error_message": "No Certificate Profile of type LOCAL_MANAGER available for the current node-type."
 
Example API Call with Error:
 

Environment

VMware NSX 3.x

Cause

The expected certificate profile for LOCAL_MANAGER may not have been created or configured on the NSX-T Manager. This can happen if the setup process was incomplete, or if the profiles were deleted or not assigned correctly.

Resolution

To replace the expired Local Manager certificate in NSX 3.x, follow these steps:

  1. Open Postman API Client

    • Ensure you have the Postman API client installed and configured.
  2. Set Up API Request in Postman

    • Replace <nsx-mgr> with your NSX-T Manager server’s IP or hostname in the URL below:
       
      POST https://<nsx-mgr>/api/v1/trust-management/certificates?action=set_pi_certificate_for_federation
       
    • Configure the request as follows:
      • Method: POST
      • Authorization Tab: Select Basic Auth and enter your NSX-T Manager login credentials.
      • Headers Tab: Set Content-Type to application/json.
      • Body Tab:
        • Choose raw format.
        • Select JSON.
        • Copy the following payload to the body, replacing <id> with the new certificate ID:
           
          { "cert_id": "<id>", "service_type": "LOCAL_MANAGER" }
           
    • Send the Request: Click Send to apply the new certificate.
  3. Verify the New Certificate Assignment

    • Log into the NSX-T Manager interface, refresh the UI, and confirm the new certificate is applied to the Local Manager by checking the "where used" status.
  4. Check Certificate Usage (for Earlier NSX-T Versions)

    • In earlier NSX-T versions, "where used" details may not be visible in the UI. Use the following API call to verify if the certificate is in use:
      • To check all certificates:
         
        GET https://<nsx-mgr>/api/v1/trust-management/certificates
         
      • To check a specific certificate by ID:
         
        GET https://<nsx-mgr>/api/v1/trust-management/certificates/<certificate-id>
         
    • Look for "used_by": [] in the response, which indicates that the certificate is not in use.
  5. Delete the Old Certificate

    • Once you have confirmed that the expired certificate is no longer in use, proceed to delete it from NSX-T Manager.
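
The check in steps 3 to 5 can be scripted so the old certificate is deleted only after the swap is confirmed. The following is an added example, not code from the article or from VMware. It assumes the certificate list response wraps entries in "results" and that each "used_by" entry carries a "service_types" list; the certificate IDs and node ID are constructed placeholders.

```python
import json

SERVICE_TYPE = "LOCAL_MANAGER"  # service_type value from the article's payload

def assignment_payload(new_cert_id):
    """JSON body for POST ...?action=set_pi_certificate_for_federation."""
    return json.dumps({"cert_id": new_cert_id, "service_type": SERVICE_TYPE})

def services_using(cert):
    """Service types listed in used_by (entry layout is an assumption)."""
    return {svc for entry in cert.get("used_by", [])
            for svc in entry.get("service_types", [])}

def deletion_check(cert_list, old_id, new_id):
    """Return (ok, reason); ok only when the swap is complete."""
    by_id = {c["id"]: c for c in cert_list.get("results", [])}
    for cert_id in (old_id, new_id):
        if cert_id not in by_id:
            return False, f"certificate {cert_id} not found"
    if SERVICE_TYPE not in services_using(by_id[new_id]):
        return False, "new certificate is not assigned to LOCAL_MANAGER"
    if by_id[old_id].get("used_by"):
        return False, "old certificate is still in use"
    return True, "old certificate has an empty used_by list"

def cert(cert_id, used_by):
    """Build a minimal constructed certificate entry."""
    return {"id": cert_id, "used_by": used_by}

# Constructed responses; IDs and node_id are placeholders, not real values.
IN_USE = [{"node_id": "node-1", "service_types": [SERVICE_TYPE]}]
BEFORE_SWAP = {"results": [cert("old-cert", IN_USE), cert("new-cert", [])]}
AFTER_SWAP = {"results": [cert("old-cert", []), cert("new-cert", IN_USE)]}

if __name__ == "__main__":
    print(assignment_payload("new-cert"))
    for label, resp in (("before", BEFORE_SWAP), ("after", AFTER_SWAP)):
        print(label, deletion_check(resp, "old-cert", "new-cert"))
```

Feed `deletion_check` the parsed JSON from the GET call in step 4, and proceed to step 5 only when it returns `True`.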

Additional Information

For further information, refer to VMware’s official documentation on replacing certificates in NSX-T: VMware NSX-T Certificate Replacement Documentation.