Cannot update the principal identity certificate in NSX
Article ID: 418177

Products

VMware NSX

Issue/Introduction

  • Principal Identity certificate replacement throws an error.
  • Error: Cannot update the principal identity certificate when it has a private key. Try replacing the certificate at its origin. (Error code: 2605)

Environment

VMware NSX

Cause

When the CSR is generated in NSX, NSX holds the private key, and that key is automatically associated with the certificate once the CSR is signed and imported. A Principal Identity certificate that has a private key stored in NSX cannot be updated through the Replace Certificate operation, which is what produces error 2605.

Resolution

Follow the steps below to resolve the error "Cannot update the principal identity certificate when it has a private key. Try replacing the certificate at its origin. (Error code: 2605)".

Step 1 - Log in to NSX, go to the System -> Certificates section, and create a self-signed certificate.

Step 2 - Use the Export option on the new certificate to save it as a .pem file.

Sample downloaded .pem file.


Step 3 - Delete the newly created certificate from the NSX UI.

Step 4 - Go to the expired Principal Identity certificate and click 'Replace Certificate'.

Step 5 - In the Replace Certificate pop-up, open the 'Select Service/Entity' drop-down and select 'Import Certificate'.

Step 6 - Fill in the Import Certificate section with a name and paste the PEM file content into the 'Certificate content' field.

Step 7 - Leave the other fields blank.

Step 8 - Click Save and Apply. This replaces the old certificate with the new one.
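Before pasting the exported content in Step 6, it helps to confirm that the text holds only the certificate and carries no key material, since the error above is raised precisely when the Principal Identity certificate has a private key. The following Python example is added here and is not from the KB article or from VMware; the function names and the constructed sample PEM are assumptions. It scans the PEM blocks, reports anything that would attach a key, and emits certificate-only text suitable for the 'Certificate content' field.

```python
import base64
import re

# One PEM block; the backreference forces BEGIN and END labels to agree.
_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)
# Block labels that must never be pasted into 'Certificate content':
# key material (which is what triggers error 2605) or an unsigned CSR.
DISALLOWED_LABELS = ("PRIVATE KEY", "CERTIFICATE REQUEST")


def split_pem_blocks(pem_text):
    """Return (label, base64_body) tuples in file order; reject corrupt base64."""
    blocks = []
    for match in _PEM_BLOCK.finditer(pem_text):
        label, body = match.group(1), "".join(match.group(2).split())
        base64.b64decode(body, validate=True)  # raises binascii.Error if corrupt
        blocks.append((label, body))
    return blocks


def check_certificate_content(pem_text):
    """Return (ok, problems); ok only if CERTIFICATE blocks and no key/CSR."""
    blocks = split_pem_blocks(pem_text)
    problems = []
    if not any(label == "CERTIFICATE" for label, _ in blocks):
        problems.append("no CERTIFICATE block found")
    for label, _ in blocks:
        if any(bad in label for bad in DISALLOWED_LABELS):
            problems.append("disallowed block present: " + label)
    return (not problems, problems)


def certificate_only_pem(pem_text):
    """Re-emit only the CERTIFICATE blocks, wrapped at 64 columns, for pasting."""
    out = []
    for label, body in split_pem_blocks(pem_text):
        if label == "CERTIFICATE":
            wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
            out.append("-----BEGIN CERTIFICATE-----\n" + wrapped
                       + "\n-----END CERTIFICATE-----")
    return "\n".join(out) + "\n"


# Constructed sample export: dummy bytes, not real certificate or key material.
SAMPLE_CERT_B64 = base64.b64encode(b"constructed-certificate-bytes" * 4).decode()
SAMPLE_KEY_B64 = base64.b64encode(b"constructed-key-bytes").decode()
SAMPLE_EXPORT = (
    "-----BEGIN CERTIFICATE-----\n" + SAMPLE_CERT_B64 + "\n-----END CERTIFICATE-----\n"
    "-----BEGIN RSA PRIVATE KEY-----\n" + SAMPLE_KEY_B64 + "\n-----END RSA PRIVATE KEY-----\n"
)
```

Run `check_certificate_content` on the exported file's text; if it reports a private-key block, paste the output of `certificate_only_pem` instead of the raw export.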

Additional Information

https://knowledge.broadcom.com/external/article/401536/how-to-replace-a-principal-identity-cert.html

If the Replace Certificate option is not available on the new certificate, follow the steps below.

 1 - After following steps 1 - 3 from the Resolution section, go directly to step 6 to complete the import. Make sure to uncheck the service certificate checkbox.

 2 - Once the certificate is imported, use the API method to replace the principal identity certificate: https://knowledge.broadcom.com/external/article/401536/how-to-replace-a-principal-identity-cert.html