How to renew the expired NSX manager API certificates and the certificate for Management cluster

Article ID: 413431


Products

VMware NSX

Issue/Introduction

- An expired CA certificate issued the three API certificates of the three NSX Manager nodes and the one certificate of the management cluster, and you want to replace them with new self-signed certificates.

Environment

VMware NSX

Cause

Expired API certificates on an NSX Manager can disrupt secure communication and lead to various issues, including authentication failures.

Resolution

Renew the API certificates of all the NSX managers and the certificate for the management cluster:

Creating self-signed certificates:

  1. With admin privileges, log in to NSX Manager.
  2. Select System > Certificates. Click the CSRs tab.
  3. From your selected CSR, click Available actions and select Self Sign Certificate for CSR.
  4. Enter the number of days the self-signed certificate is valid.
     The default is 825 days. Even if you change this value for a previously generated self-signed certificate, the default value is displayed every time you generate a new certificate.
  5. Choose your Service Certificate type.
     Toggle the Service Certificate button to Yes to use this certificate for services such as load balancer, VPN, or TLS Inspection. If you are creating a self-signed CA certificate, Yes is the only choice.
     Toggle the Service Certificate button to No to use this certificate with NSX Manager appliance nodes.
  6. Click Save.

The self-signed certificate appears in the Certificates tab.

Validating and assigning the certificate:

  1. Within NSX UI > System > Certificates, locate the newly created certificate.
  2. Confirm the new certificate has a value of "0" in the "Where Used" column.
  3. Expand the entry for the certificate and copy the "ID" value.
  4. Copy the NSX Manager UUID: go to NSX UI > System > Appliances, click View Details for the NSX Manager whose certificate is being replaced, and click the Copy to Clipboard icon next to "UUID".
  5. Use the API calls in the following documentation for replacing certificates:
     https://techdocs.broadcom.com/us/en/vmware-cis/nsx/vmware-nsx/4-1/administration-guide/certificates/importing-certificates/replace-certificates-through-api.html
  6. Verify that the certificate is valid by making the following API call:

     GET /api/v1/trust-management/certificates/<certificate_ID>?action=validate

  7. a) To replace the API certificate of a manager node, use the following API call (do this for all three manager nodes):

        POST /api/v1/trust-management/certificates/<certificate_ID>?action=apply_certificate&service_type=API&node_id=<manager_node_uuid>

        • Replace <certificate_ID> with the certificate ID from Step 3
        • Replace <manager_node_uuid> with the manager node UUID from Step 4

     b) To replace the certificate of the manager cluster VIP, use the following API call:

        POST /api/v1/trust-management/certificates/<certificate_ID>?action=apply_certificate&service_type=MGMT_CLUSTER

  8. Confirm on the NSX UI > System > Certificates page that the new certificates have been applied to the NSX Manager nodes with service type API and to the management cluster.
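
The following script is an added example that drives Steps 6 and 7 above from the command line with only the Python standard library; it is not VMware tooling and is not part of this article. It builds the validate and apply_certificate URLs exactly as the article gives them, refuses to issue any POST unless the validate call succeeds, and applies to every manager node before the management cluster VIP. The host name, certificate ID and node UUIDs in the usage block are constructed placeholders, and the assumption that a successful validate response carries `"status": "OK"` is the author's, not something the article states.

```python
"""Added example: replace NSX Manager API and MGMT_CLUSTER certificates via the
trust-management API. Not VMware's code; the JSON shape of the validate
response ({"status": "OK"}) is an assumption made here."""
import base64
import json
import ssl
import sys
import urllib.request
from urllib.parse import urlencode

API_BASE = "/api/v1/trust-management/certificates"


def validate_url(manager, cert_id):
    """Step 6: GET .../<certificate_ID>?action=validate."""
    return f"https://{manager}{API_BASE}/{cert_id}?{urlencode({'action': 'validate'})}"


def apply_url(manager, cert_id, service_type, node_id=None):
    """Step 7a (service_type=API needs node_id) and 7b (MGMT_CLUSTER, no node_id)."""
    if service_type == "API" and not node_id:
        raise ValueError("service_type=API requires the manager node UUID from Step 4")
    params = {"action": "apply_certificate", "service_type": service_type}
    if node_id:
        params["node_id"] = node_id
    return f"https://{manager}{API_BASE}/{cert_id}?{urlencode(params)}"


def validation_ok(body):
    """True only if the validate response parses as JSON with status OK (assumed shape)."""
    try:
        doc = json.loads(body)
    except (json.JSONDecodeError, TypeError):
        return False
    return isinstance(doc, dict) and doc.get("status") == "OK"


def plan(manager, cert_id, node_ids):
    """Ordered (method, url) list: one validate, one apply per node, one for the VIP."""
    steps = [("GET", validate_url(manager, cert_id))]
    steps += [("POST", apply_url(manager, cert_id, "API", n)) for n in node_ids]
    steps.append(("POST", apply_url(manager, cert_id, "MGMT_CLUSTER")))
    return steps


def run(manager, cert_id, node_ids, username, password, cafile=None):
    """Execute the plan against a live manager. Aborts before any POST if
    validation fails. Pass the CA that signed the new certificate as cafile once
    it is applied; while the old API certificate is still expired, TLS
    verification of the manager will fail, so verification is relaxed only when
    no cafile is given and only for this session."""
    ctx = ssl.create_default_context(cafile=cafile)
    if cafile is None:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    headers = {"Authorization": f"Basic {token}", "Accept": "application/json"}
    results = []
    for method, url in plan(manager, cert_id, node_ids):
        req = urllib.request.Request(url, method=method, headers=headers)
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            body = resp.read().decode()
        if method == "GET" and not validation_ok(body):
            raise SystemExit(f"certificate {cert_id} failed validation: {body}")
        results.append((method, url, body))
    return results


if __name__ == "__main__":
    # Constructed placeholders; replace with values from Steps 3 and 4.
    for m, u in plan("nsx-manager.example.test", "<certificate_ID>",
                     ["<node1_uuid>", "<node2_uuid>", "<node3_uuid>"]):
        print(m, u)
    if len(sys.argv) == 4:  # manager user password -> actually perform the calls
        run(sys.argv[1], "<certificate_ID>", ["<node1_uuid>"], sys.argv[2], sys.argv[3])
```

Run without arguments to print the request plan and check the URLs before touching the managers; after the certificates are applied, re-run Step 6 and also confirm from a browser or `openssl s_client` that each node and the VIP now present the new certificate.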

Additional Information