NSX Manager Certificate Replacement Failed with 400 errorcode: 289

Article ID: 383254

Updated On: 01-14-2025

Products

VMware NSX

Issue/Introduction

  • When replacing NSX Manager certificates through the trust-management API, the call fails with a 400 Bad Request (error code 289) and the following message:

    "Principal 'admin' with role '[enterprise_admin]' attempts to delete or modify an object of type nsx$Certificate it doesn't own. (createUser=nsx_policy, allowOverwrite=null)"

  • The same error is recorded on the NSX Manager in /var/log/proton/nsxapi.log:

    2024-10-31T04:42:44.361Z NSX 13877 SYSTEM [nsx@6876 audit="true" comp="nsx-manager" level="INFO" subcomp="manager"] UserName:'admin' ModuleName:'common-services' Operation:'POST@/api/v1/trust-management/certificates/???' Operation status: 'failure' Error: Principal 'admin' with role '[enterprise_admin]' attempts to delete or modify an object of type nsx$Certificate it doesn't own. (createUser=nsx_policy, allowOverwrite=null)

    Note: The error states that the 'admin' user cannot modify an object created by the 'nsx_policy' user.

Environment

VMware NSX-T Data Center

Cause

  • In some rare cases, both a service certificate and platform certificate can be attached to an NSX Manager node.
  • Both the old service certificate and the platform certificate list the same NSX Manager node UUID under "used_by" with service type "API", as in the following example (output abbreviated, UUIDs replaced by placeholders):

    0. manager node
    "fqdn": "mgrnode.example.com",
    "msg_clients": [
      {
        "clients": [
        ...
        ],
        "entity_type": "CONTROLLER"
      },
      {
        "clients": [
        ...
        ],
        "entity_type": "MANAGER"
      }
    ],
    "node_uuid": "aaaa",  ------------------------!
    "status": "JOINED"

    1. platform
    "_create_user": "admin", ---------------------!
    "_last_modified_user": "system",
    "_protection": "NOT_PROTECTED",
    "_revision": 12,
    "_system_owned": false,
    "display_name": "Platform Certificate",
    "has_private_key": true,
    "id": "bbbb",
    "resource_type": "certificate_signed", -----------------!
    "used_by": [
      {
        "node_id": "aaaa", ----------------!
        "service_types": [
          "API"
        ]

    2. service
    "_create_user": "nsx_policy", --------------------------------!!!!!!!!
    "_last_modified_user": "system",
    "_protection": "PROTECTED",
    "_revision": 3,
    "_system_owned": false,
    "display_name": "Service Certificate",
    "has_private_key": true,
    "id": "cccc",
    ----- snip -----
      ],
    "used_by": [
      {
        "node_id": "aaaa", -------!
        "service_types": [
          "API"
        ]
      },
  • The 'create_user' of the service certificate is 'nsx_policy', and the object is marked "_protection": "PROTECTED".
  • The replacement API call is made as the 'admin' user. NSX's ownership check does not allow 'admin' to modify or detach a certificate object that was created by 'nsx_policy', so as long as that service certificate remains bound to the API service of mgrnode.example.com, the node's certificate cannot be replaced and the request fails with the 400 error shown above.
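
The following Python is an added triage helper; it is not part of this KB article or of the NSX product. It parses the ownership-violation message from nsxapi.log to recover the calling principal and the owner (createUser) of the object it collided with, and then checks a certificate inventory for the condition described above: a manager node whose API service has more than one certificate bound to it, at least one of which was created by a different principal than the caller. It assumes the certificate objects are the "results" array returned by GET /api/v1/trust-management/certificates; the sample objects and the log line below are constructed from the fragments quoted in this article, with placeholder UUIDs (aaaa, bbbb, cccc, dddd, eeee).

```python
import re
from collections import defaultdict

# Pattern for the ownership-violation message that NSX writes to
# /var/log/proton/nsxapi.log and returns in the 400 response body.
OWNERSHIP_ERROR_RE = re.compile(
    r"Principal '(?P<principal>[^']+)' with role '\[(?P<role>[^\]]+)\]' "
    r"attempts to delete or modify an object of type (?P<obj_type>\S+) "
    r"it doesn't own\. \(createUser=(?P<create_user>[^,]+), "
    r"allowOverwrite=(?P<allow_overwrite>[^)]+)\)"
)


def parse_ownership_error(line):
    """Extract principal, role, object type and createUser from a log line.

    Returns None when the line is not an ownership-violation message."""
    m = OWNERSHIP_ERROR_RE.search(line)
    return m.groupdict() if m else None


def api_certs_by_node(certs):
    """Map each node_id to the certificate objects its API service uses.

    `certs` is the "results" list from GET /api/v1/trust-management/certificates
    (assumed shape; see the lead-in)."""
    by_node = defaultdict(list)
    for cert in certs:
        for use in cert.get("used_by", []):
            if "API" in use.get("service_types", []):
                by_node[use["node_id"]].append(cert)
    return dict(by_node)


def find_conflicts(certs, caller="admin"):
    """Return {node_id: [ids of certificates the caller does not own]}.

    A node is reported only when it matches the KB condition: two or more
    certificates bound to its API service, at least one created by a
    principal other than `caller`. That foreign certificate is the object
    the replacement call trips over with error code 289."""
    conflicts = {}
    for node_id, used in api_certs_by_node(certs).items():
        if len(used) < 2:
            continue
        foreign = [c["id"] for c in used if c.get("_create_user") != caller]
        if foreign:
            conflicts[node_id] = foreign
    return conflicts


# Constructed sample data shaped like the objects quoted in this KB.
# The UUIDs are placeholders, not real values.
SAMPLE_CERTS = [
    {"id": "bbbb", "display_name": "Platform Certificate",
     "_create_user": "admin", "_protection": "NOT_PROTECTED",
     "used_by": [{"node_id": "aaaa", "service_types": ["API"]}]},
    {"id": "cccc", "display_name": "Service Certificate",
     "_create_user": "nsx_policy", "_protection": "PROTECTED",
     "used_by": [{"node_id": "aaaa", "service_types": ["API"]}]},
    # A healthy node: a single admin-owned certificate on its API service.
    {"id": "dddd", "display_name": "Platform Certificate",
     "_create_user": "admin", "_protection": "NOT_PROTECTED",
     "used_by": [{"node_id": "eeee", "service_types": ["API"]}]},
]

# Constructed log line modelled on the nsxapi.log entry quoted in this KB.
SAMPLE_LOG_LINE = (
    "2024-10-31T04:42:44.361Z NSX 13877 SYSTEM [nsx@6876 audit=\"true\" "
    "comp=\"nsx-manager\" level=\"INFO\" subcomp=\"manager\"] UserName:'admin' "
    "ModuleName:'common-services' Operation:'POST@/api/v1/trust-management/"
    "certificates/???' Operation status: 'failure' Error: Principal 'admin' "
    "with role '[enterprise_admin]' attempts to delete or modify an object of "
    "type nsx$Certificate it doesn't own. (createUser=nsx_policy, "
    "allowOverwrite=null)"
)

if __name__ == "__main__":
    err = parse_ownership_error(SAMPLE_LOG_LINE)
    print("principal=%(principal)s createUser=%(create_user)s" % err)
    for node, ids in find_conflicts(SAMPLE_CERTS, caller=err["principal"]).items():
        print(f"node {node}: API service also bound to foreign cert(s) {ids}")
```

Run against a real inventory, the script only identifies the node and the foreign certificate; it does not attempt to detach or delete it, since that is the very operation the ownership check blocks, and the article directs that case to Broadcom Support.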

Resolution

If you believe you have encountered this issue, please open a support case with Broadcom Support and refer to this KB article.

For more information, see Creating and managing Broadcom support cases.