Certificate Key-Pairs used by the NSX-T Manager in NSX-T 4.2.0 G.A. and later


Article ID: 415204


Products

VMware NSX

Issue/Introduction

This article outlines the X509 certificate key-pairs that are in use in NSX-T 4.2.0 G.A. and later. There is also a table of certificates that have been deprecated as of 4.2.0 G.A.

Environment

VMware NSX

Resolution

NSX-T certificates that are valid as of NSX-T 4.2.0 G.A.

| # | Service Type (this is the name to use for all external documentation) | Application | Alias | (Default) algorithm and key size | Port | Client/Server | Description | Replaceable via UI | Expiry time |
|---|---|---|---|---|---|---|---|---|---|
| 1 | API | Reverse Proxy | tomcat | RSA 2048 | 443 | Server | API server certificate for NSX Manager node | Y | 825 days |
| 2 | MGMT_CLUSTER (aka VIP) | Reverse Proxy | mp-cluster | RSA 2048 | 443 | Server | API server certificate for NSX Manager VIP | Y | 825 days |
| 3 | APH_TN | Appliance Proxy | | RSA 2048 | 1234 | Server and Client | Appliance Proxy server public key | Y | 3650 days |
| 4 | APH (aka APH_AR) | Appliance Proxy | | RSA 2048 | 1236 | Server | AR server public key | Y | 825 days |
| 5 | CLIENT_AUTH (aka PI) | UA | PI alias | RSA 2048 | 443 | Client | API client certificates for Principal Identity (no keys) | Y | Customer decides |
| 6 | LOCAL_MANAGER | UA | LocalManager | RSA 2048 | 443 | Client | LocalManager Principal Identity certificate used to communicate with other sites in Federation | Y | 825 days |
| 7 | GLOBAL_MANAGER | UA | GlobalManager | RSA 2048 | 443 | Client | GlobalManager Principal Identity certificate used to communicate with other sites in Federation | Y | 825 days |
| 8 | CBM_CLUSTER_MANAGER | CBM | self | RSA 2048 | 9000 | Client | Corfu client certificate | Y | 100 years |
| 9 | CBM_CORFU | CBM | self | RSA 2048 | client port | Server | Corfu server certificate | Y | 100 years |
| 10 | CCP | CCP | self | RSA 2048 | 1235 | Server | CCP certificate | Y | 3650 days |
| 11 | K8S_MSG_CLIENT | NAPP/SSP | k8s-msg-client | RSA 2048 | N/A | Client | Message Bus Client for K8S Platform Certificate Profile | N | 825 days |
| 12 | COMPUTE_MANAGER | COMPUTE_MANAGER | | | N/A | Client | The user passes the certificate when adding or editing a compute manager (CM). NSX first imports the certificate using the trust-management API `POST /v1/trust-management/certificates?action=import` and uses it in the CM, then uses a reserve API to map that certificate to the CM: `POST /v1/trust-management/certificates/<certId>?action=reserve`. When the CM is deleted, the certificate is released (`/v1/trust-management/certificates/<certId>?action=release`) and then deleted (`/v1/trust-management/certificates/<certId>`). | Y | |
| 13 | TN | TN | N/A | RSA 2048 | N/A | Client | | N | 825 days |
| 14 | WEB_PROXY | Web (Forward) Proxy | WEB_PROXY | Certificate is provided by the customer; we have no control over this. | Certificate is provided by the customer; we have no control over this. | Server | Certificate used for communication between the NSX proxy and any outside server (i.e. notification watcher) | Y | Certificate is provided by the customer. |
| 15 | NAPP_COMMON_AGENT | SSP | napp-common-agent | RSA 2048 | N/A | Client | SSP client certificate for communicating with the SSP common agent. Only activated after onboarding to SSP. | N | 825 days |
| 16 | NAPP_PACE_AGENT | SSP | napp-intel-agent | RSA 2048 | N/A | Client | SSP client certificate for communicating with the SSP intelligence agent. Only activated after onboarding to SSP. | N | 825 days |
| 17 | NAPP_METRICS_AGENT | SSP | napp-metrics-agent | RSA 2048 | N/A | Client | SSP client certificate for communicating with the SSP metrics agent. Only activated after onboarding to SSP. | N | 825 days |
| 18 | LOGGING | RSYSLOG (for TLS logging server); LIAGENT (for LI-TLS logging server) | RSYSLOG (for TLS logging server): `syslog-ca:<exporter_name>`, `syslog-client-ca:<exporter_name>`, `RSYSLOG_CLIENT`. LIAGENT (for LI-TLS logging server): not stored in the NSX trust management store. | Keys and certificates are provided by the customer; we have no control over this. | Keys and certificates are provided by the customer. | Client and Server | Client certificate and server certificate for TLS communication between RSYSLOG/LIAGENT running in NSX and the remote logging server. | N | Keys and certificates are provided by the customer. |
| 19 | NEST_DB | | | | | | | N | |

 

Deprecated NSX-T certificates as of NSX-T 4.2.0 G.A.

| # | Service Type (this is the name to use for all external documentation) | Application | Alias | Algorithm and key size | Protocol | Port | Description | Expiry time | Notes |
|---|---|---|---|---|---|---|---|---|---|
| 1 | RABBITMQ | RabbitMQ | | RSA 2048 | | 5671 | RabbitMQ public key | 1825 days | No longer used. |
| 2 | CBM_API | CBM | self | RSA 2048 | TLS 1.2 | client port | Corfu client certificate | 100 years | Deprecated in version 4.2 |
| 3 | CBM_AR | CBM | self | RSA 2048 | TLS 1.2 | client port | Corfu client certificate | 100 years | Deprecated in version 4.2 |
| 4 | CBM_CCP | CBM | self | RSA 2048 | TLS 1.2 | client port | Corfu client certificate | 100 years | Deprecated in version 4.2 |
| 5 | CBM_CSM | CBM | self | RSA 2048 | TLS 1.2 | client port | Corfu client certificate | 100 years | Deprecated in version 4.2 |
| 6 | CBM_GM | CBM | self | RSA 2048 | TLS 1.2 | client port | Corfu client certificate | 100 years | Deprecated in version 4.2 |
| 7 | CBM_IDPS_REPORTING | CBM | self | RSA 2048 | TLS 1.2 | client port | Corfu client certificate | 100 years | Deprecated in version 4.2 |
| 8 | CBM_MONITORING | CBM | self | RSA 2048 | TLS 1.2 | client port | Corfu client certificate | 100 years | Deprecated in version 4.2 |
| 9 | CBM_MP | CBM | self | RSA 2048 | TLS 1.2 | client port | Corfu client certificate | 100 years | Deprecated in version 4.2 |
| 10 | CBM_CM_INVENTORY | CBM | self | RSA 2048 | TLS 1.2 | client port | Corfu client certificate | 100 years | Deprecated in version 4.2 |
| 11 | CBM_UPGRADE_COORDINATOR | CBM | self | RSA 2048 | TLS 1.2 | client port | Corfu client certificate | 100 years | Deprecated in version 4.2 |
| 12 | CBM_SITE_MANAGER | CBM | self | RSA 2048 | TLS 1.2 | client port | Corfu client certificate | 100 years | Deprecated in version 4.2 |
| 13 | CBM_MESSAGING_MANAGER | CBM | self | RSA 2048 | TLS 1.2 | client port | Corfu client certificate | 100 years | Deprecated in version 4.2 |
| 14 | CSM | CSM | tomcat | | | | | | |
| 15 | ANALYTICS_AGENT | | collector-agent | RSA 2048 | | | | N | Y |
| 16 | ANALYTICS_KAFKA | | kafka | RSA 2048 | | | | N | Y |

 

Reference Key:

APH = Appliance Proxy Hub

AR = Asynchronous Replicator

CBM = Cluster Boot Manager

CCP = Control Config Plane

CSM = Cloud Service Manager

GM = Global Manager

MP = Management Plane (Proton)

TN = Transport Node

UA = Unified Appliance

VMC = VMware Cloud

NAPP = NSX Application Platform (aka: NSX Intelligence)


 

Additional Information