NSX Self-Signed Certificate Auto-Renewal

Article ID: 412015
Products

VMware NSX

Issue/Introduction

Functionality, impact, and renewal process of NSX Manager self-signed certificates

Environment

NSX 4.2.1

Resolution

Starting with NSX 4.2.1, NSX Manager automatically renews its self-signed certificates once they are within 31 days of expiry (the renewal lead time cannot be configured to less than 31 days).

  • Below is the API call that is run to retrieve the auto certificate renewal configuration.
    • Login to the NSX Manager via PuTTY/SSH as user admin and switch to the root user account by running the command st en
    • Run the GET command below; the response shows the current renewal settings (the id and timestamps are specific to each environment):

      curl -X GET -H 'Content-Type: application/json' -sN -k -u admin "https://<NSX-Manager-IP>/policy/api/v1/infra/security-global-config"
      {
        "crl_checking_enabled" : false,
        "ca_signed_only" : false,
        "eku_checking_enabled" : true,
        "automatic_appliance_certificate_renewal_enabled" : true,
        "automatic_appliance_certificate_renewal_lead_time" : 31,
        "id" : "########-####-####-####-#########",
        "_protection" : "NOT_PROTECTED",
        "_create_time" : 1758009379287,
        "_create_user" : "system",
        "_last_modified_time" : 1758009379287,
        "_last_modified_user" : "system",
        "_revision" : 0
      }


Additional Information

Disabling the auto certificate renewal configuration

  • Execute the API calls below to disable the automatic certificate renewal on the NSX Manager.
    • Login to the NSX Manager via PuTTY/SSH as user admin and switch to the root user account by running the command st en
    • To display the current settings of the auto certificate renewal, run the GET command below:

curl -X GET -H 'Content-Type: application/json' -H 'X-Allow-Overwrite: true' -sN -k -u admin "https://<NSX-Manager-IP>/policy/api/v1/infra/security-global-config"

  • Copy the complete JSON output and use it as the request body of the PUT command shown below, changing only automatic_appliance_certificate_renewal_enabled to false.


  • To change or disable the automatic certificate renewal, run the PUT command below, passing the edited JSON as the request body after the -d argument:

curl -X PUT -H 'Content-Type: application/json' -d 'Output-from-the-above-command' -sN -k -u admin "https://<NSX-Manager-IP>/policy/api/v1/infra/security-global-config"

Sample command :-

  • The PUT below sets the automatic_appliance_certificate_renewal_enabled option to false.

curl -X PUT -H 'Content-Type: application/json' -d '{"crl_checking_enabled" : false,"ca_signed_only" : false,"eku_checking_enabled" : true,"automatic_appliance_certificate_renewal_enabled" : false,"automatic_appliance_certificate_renewal_lead_time" : 31,"id" : "########-####-####-####-#########","_protection" : "NOT_PROTECTED","_create_time" : 17558009379287,"_create_user" : "system","_last_modified_time" : 1758800581088,"_last_modified_user" : "admin","_revision" : 0}' -sN -k -u admin "https://localhost/policy/api/v1/infra/security-global-config"
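The GET/PUT procedure above, as an added example that is not part of the KB article: a Python script that parses the security-global-config response, flips the renewal flag while resending the rest of the object unchanged, renders the equivalent curl PUT, and classifies a certificate's expiry against the 31-day lead window so an operator can see whether auto-renewal will cover it or whether disabling renewal leaves a manual renewal due. The endpoint and field names are the ones shown in the article; the sample JSON, the placeholder id and timestamps, and the helper function names are assumptions made for this example.

```python
import json
from datetime import datetime

# Endpoint and field names are taken from the KB article above.
ENDPOINT = "/policy/api/v1/infra/security-global-config"
ENABLED_KEY = "automatic_appliance_certificate_renewal_enabled"
LEAD_TIME_KEY = "automatic_appliance_certificate_renewal_lead_time"
MIN_LEAD_TIME_DAYS = 31  # the article states the lead time cannot be set below 31 days

# Constructed sample of a GET response; the id and timestamps are placeholders,
# not values captured from a real NSX Manager.
SAMPLE_GET_RESPONSE = """{
  "crl_checking_enabled" : false,
  "ca_signed_only" : false,
  "eku_checking_enabled" : true,
  "automatic_appliance_certificate_renewal_enabled" : true,
  "automatic_appliance_certificate_renewal_lead_time" : 31,
  "id" : "00000000-0000-0000-0000-000000000000",
  "_protection" : "NOT_PROTECTED",
  "_create_time" : 1758009379287,
  "_create_user" : "system",
  "_last_modified_time" : 1758009379287,
  "_last_modified_user" : "system",
  "_revision" : 0
}"""


def parse_config(get_response: str) -> dict:
    """Parse the GET body and refuse a configuration that lacks the renewal fields
    or carries a lead time below the documented minimum."""
    cfg = json.loads(get_response)
    missing = {ENABLED_KEY, LEAD_TIME_KEY, "_revision"} - cfg.keys()
    if missing:
        raise ValueError(f"unexpected security-global-config, missing {sorted(missing)}")
    if cfg[LEAD_TIME_KEY] < MIN_LEAD_TIME_DAYS:
        raise ValueError(f"lead time {cfg[LEAD_TIME_KEY]} is below the {MIN_LEAD_TIME_DAYS}-day minimum")
    return cfg


def build_update_body(get_response: str, enabled: bool) -> dict:
    """Return the full object to send with PUT, with only the renewal flag changed.

    The whole GET payload is resent, as the article instructs, and _revision is left
    exactly as returned: NSX compares it with the stored object and rejects a PUT made
    from a stale copy.
    """
    cfg = parse_config(get_response)
    cfg[ENABLED_KEY] = enabled
    return cfg


def curl_put_command(body: dict, host: str = "<NSX-Manager-IP>") -> str:
    """Render the PUT as the curl invocation used in the article (placeholder host)."""
    payload = json.dumps(body, separators=(",", ":"))
    return (
        "curl -X PUT -H 'Content-Type: application/json' "
        f"-d '{payload}' -sN -k -u admin \"https://{host}{ENDPOINT}\""
    )


def renewal_status(cfg: dict, not_after_iso: str, now_iso: str) -> str:
    """Classify a certificate's expiry against the renewal window implied by cfg.

    Returns "expired", "outside_window", "auto_renew_pending" or
    "manual_renewal_required". Both timestamps are ISO-8601 with an explicit offset.
    """
    not_after = datetime.fromisoformat(not_after_iso)
    now = datetime.fromisoformat(now_iso)
    days_left = (not_after - now).total_seconds() / 86400
    if days_left < 0:
        return "expired"
    if days_left >= cfg[LEAD_TIME_KEY]:
        return "outside_window"
    # Inside the lead window: NSX Manager renews it only while the feature is enabled.
    return "auto_renew_pending" if cfg[ENABLED_KEY] else "manual_renewal_required"


if __name__ == "__main__":
    disabled = build_update_body(SAMPLE_GET_RESPONSE, enabled=False)
    print(curl_put_command(disabled))
    print(renewal_status(disabled, "2026-01-20T00:00:00+00:00", "2026-01-01T00:00:00+00:00"))
```

Running the script prints the curl PUT that disables renewal and then reports "manual_renewal_required" for a certificate 19 days from expiry, which is the operational consequence of turning the feature off: anything already inside the 31-day window has to be renewed by hand.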

Note :-
Expiry of internal self-signed certificates does not disrupt existing connected components or data plane traffic.
If NSX Manager is integrated with other external components such as vRNI, vROps, etc., ensure that the new self-signed certificate is updated in the corresponding components.
Self-signed certificates are only used for internal communications and do not affect VPN/IPSec or east-west/north-south traffic.

Refer to the documentation for more details :- Automatically Replacing Expiring Certificates