How to replace a Principal Identity Certificate in NSX

Article ID: 401536

Products

VMware NSX

Issue/Introduction

  • This article provides the steps for replacing an NSX Principal Identity (PI) certificate.

Environment

VMware NSX

Cause

A PI certificate is used for authentication with a remote entity: NSX holds only the certificate (not the private key), while the remote entity owns both the certificate and the key.

When the remote entity makes an authentication request as the PI user, NSX presents the certificate and the remote entity uses the key it holds to verify the connection.

Resolution

NSX Self-Signed Certificate

Self-signed certificates generated on NSX cannot be used for PI connections to NSX.

CA Signed Certificate

The remote entity should generate a CA-signed certificate and key, and retain both the key and the certificate.

Use that certificate when creating the PI user in NSX.

Since NSX 4.2.1 the certificate can be replaced in the NSX UI; prior to this it was only possible using API calls.

    1. In System > Certificates, import only the new certificate from the remote entity, not the key.
    2. Locate the PI in the certificates list.
    3. Click the ellipsis (three dots) on the left side of the entry.
    4. Select Replace Certificate and choose the certificate that was imported for the PI.

If you are on a version prior to 4.2.1 or API use is preferred, use the following procedure.

    1. In System > Certificates, import only the new certificate from the remote entity, not the key.
    2. Expand the imported certificate and note its certificate ID.
    3. Use the API call below to find the PI ID bound to the expiring/expired certificate:
       GET https://<nsx-mgr>/api/v1/trust-management/principal-identities
    4. Use the POST API call below to apply the new certificate ID to the PI ID obtained in step 3:
       POST https://<nsx-mgr>/api/v1/trust-management/principal-identities?action=update_certificate
       {
           "principal_identity_id": "########-####-####-####-############",
           "certificate_id": "########-####-####-####-############"
       }
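Steps 3 and 4 scripted end to end, as an added example that is not code from this KB article or from VMware: the manager address, basic-auth credentials and CA file are assumptions, and the GET response is a constructed sample using the results/id/certificate_id field names the NSX API returns.

```python
import base64
import json
import ssl
import urllib.request

# Constructed sample of the GET .../principal-identities response, trimmed to the
# fields this procedure needs (field names as used by the NSX API).
SAMPLE_PI_LIST = {"results": [
    {"id": "11111111-1111-1111-1111-111111111111", "name": "remote-entity-a",
     "node_id": "node-a", "certificate_id": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"},
    {"id": "22222222-2222-2222-2222-222222222222", "name": "remote-entity-b",
     "node_id": "node-b", "certificate_id": "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"},
]}

def find_pi_ids(pi_list, old_cert_id):
    """Step 3: IDs of every PI still bound to the expiring certificate."""
    return [pi["id"] for pi in pi_list.get("results", [])
            if pi.get("certificate_id") == old_cert_id]

def build_update_body(pi_id, new_cert_id):
    """Step 4: body for POST ...?action=update_certificate."""
    return {"principal_identity_id": pi_id, "certificate_id": new_cert_id}

def nsx_call(mgr, user, password, method, path, body=None, cafile=None):
    """Minimal NSX REST helper over HTTP basic auth (credentials are assumed).
    cafile validates the manager certificate; None uses the system trust store."""
    req = urllib.request.Request(f"https://{mgr}{path}", method=method,
                                 data=json.dumps(body).encode() if body else None)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Content-Type", "application/json")
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.loads(resp.read() or b"{}")

def replace_pi_certificate(mgr, user, password, old_cert_id, new_cert_id):
    """Steps 3 and 4 for every PI bound to old_cert_id; returns the PI IDs updated."""
    pis = nsx_call(mgr, user, password, "GET",
                   "/api/v1/trust-management/principal-identities")
    updated = []
    for pi_id in find_pi_ids(pis, old_cert_id):
        nsx_call(mgr, user, password, "POST",
                 "/api/v1/trust-management/principal-identities?action=update_certificate",
                 build_update_body(pi_id, new_cert_id))
        updated.append(pi_id)
    return updated
```

Import the new certificate (step 1) and note its ID before running replace_pi_certificate against a real manager; find_pi_ids on a saved GET response is a safe dry run that shows which PI will be updated.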

Note: Do not use this procedure to replace Local Manager or Global Manager principal identity certificates; for those, see Replace Certificates Through API.

More details on importing and replacing PI certificates can be found in the Administration Guide under Add a Role Assignment or Principal Identity.