How to replace a Principal Identity Certificate in NSX

Article ID: 401536

Products

VMware NSX

Issue/Introduction

This article provides the steps for replacing an NSX Principal Identity certificate.

Environment

VMware NSX-T Data Center

VMware NSX

Resolution

Self Signed Certificate

  1. Generate a new self-signed certificate.
  2. Use the API call below to get the Principal Identity ID of the expiring/expired certificate:
    • GET https://<nsx-mgr>/api/v1/trust-management/principal-identities
  3. Use the POST API call below to apply the new certificate ID along with the principal identity ID obtained from step 2:
    • POST https://<nsx-mgr>/api/v1/trust-management/principal-identities?action=update_certificate
      {
          "principal_identity_id": "########-####-####-####-############",
          "certificate_id": "########-####-####-####-############"
      }


CA Signed Certificate

  1. Generate a new CSR on NSX Manager.
  2. Download the CSR file and submit it to a Certificate Authority (CA) for signing.
  3. Import the signed certificate into NSX.
  4. Use the API call below to get the Principal Identity ID of the expiring/expired certificate:
    • GET https://<nsx-mgr>/api/v1/trust-management/principal-identities
  5. Use the POST API call below to apply the new CA-signed certificate ID along with the principal identity ID obtained from step 4:
    • POST https://<nsx-mgr>/api/v1/trust-management/principal-identities?action=update_certificate
      {
          "principal_identity_id": "########-####-####-####-############",
          "certificate_id": "########-####-####-####-############"
      }

Note: Do not use this procedure to replace Local Manager or Global Manager principal identity certificates.
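
The lookup and update steps shared by both procedures, sketched as an added example (not code from this article or from VMware): it picks the principal identity out of the GET response, refuses the federation identities named in the note, and builds the update_certificate POST. Assumptions: the GET response lists identities under `results` with `id`, `name` and `certificate_id` fields; the federation identities are named `LocalManagerIdentity` and `GlobalManagerIdentity`; the identity name `backup-svc`, the host `nsx-mgr.example.com` and all UUIDs are constructed.

```python
import json
import uuid
import urllib.request

# Assumption: names of the federation identities that the article's note
# says must not be replaced with this procedure.
FEDERATION_NAMES = {"LocalManagerIdentity", "GlobalManagerIdentity"}

def _uuid(value):
    """Return the canonical form of a UUID string or raise ValueError."""
    return str(uuid.UUID(value))

def plan_update(pi_list, pi_name, new_cert_id):
    """Build the update_certificate body from the parsed GET response."""
    matches = [p for p in pi_list.get("results", []) if p.get("name") == pi_name]
    if len(matches) != 1:
        raise LookupError(f"expected one identity named {pi_name!r}, found {len(matches)}")
    pi = matches[0]
    if pi["name"] in FEDERATION_NAMES:
        raise PermissionError(f"{pi_name} is a federation identity; use the federation procedure")
    new_cert_id = _uuid(new_cert_id)
    if pi.get("certificate_id") == new_cert_id:
        raise ValueError("principal identity already uses this certificate")
    return {"principal_identity_id": _uuid(pi["id"]), "certificate_id": new_cert_id}

def build_request(nsx_mgr, body):
    """Return the POST request; the caller adds authentication and sends it
    with urllib.request.urlopen, which verifies the manager's TLS certificate."""
    url = f"https://{nsx_mgr}/api/v1/trust-management/principal-identities?action=update_certificate"
    return urllib.request.Request(url, data=json.dumps(body).encode(), method="POST",
                                  headers={"Content-Type": "application/json"})

# Constructed sample of a GET .../principal-identities response (not real data).
SAMPLE = {"results": [
    {"id": "11111111-1111-4111-8111-111111111111", "name": "backup-svc",
     "node_id": "node-1", "certificate_id": "22222222-2222-4222-8222-222222222222"},
    {"id": "33333333-3333-4333-8333-333333333333", "name": "LocalManagerIdentity",
     "node_id": "node-2", "certificate_id": "44444444-4444-4444-8444-444444444444"},
]}

if __name__ == "__main__":
    body = plan_update(SAMPLE, "backup-svc", "55555555-5555-4555-8555-555555555555")
    req = build_request("nsx-mgr.example.com", body)
    print(req.get_method(), req.full_url)
    print(json.dumps(body, indent=4))
```
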

Additional Information

For additional information and the procedure to replace Local Manager or Global Manager principal identity certificates, please refer to "Add a Role Assignment or Principal Identity".