Replace CA-signed TLS certificates for various components of NSX version 4.2 and later through the GUI.

Article ID: 419213

Products

VMware NSX

Issue/Introduction

  • NSX Manager nodes use TLS certificates for internal component communications.
  • By default, NSX Manager uses self-signed certificates, which NSX Manager alone can manage and renew.
  • NSX also supports CA-signed certificates for a variety of NSX services, such as:
    • MGMT_CLUSTER (aka VIP)
    • CBM_CLUSTER_MANAGER
    • K8S_MSG_CLIENT
    • CBM_CORFU
    • CCP
    • APH_TN
    • LOCAL_MANAGER
    • GLOBAL_MANAGER
    • APH (aka APH_AR)
    • API
    • WEB_PROXY
  • However, when the above services use CA-signed certificates that are expiring or have expired, the environment's administrator must carry out that part of the renewal through their Certificate Authority software and export the new certificates ready for replacement.
    • The replacement CA-signed certificate must match the existing certificate's extensions, such as Subject Alternative Name and Common Name, and must contain the Basic Constraints extension basicConstraints = cA:FALSE.

Environment

VMware NSX 4.2

Resolution

Once the renewed CA-signed certificates are ready, follow the steps below to replace them for the corresponding services:

  • Log in to NSX Manager with admin privileges.
  • Navigate to System > Certificates.
  • To replace a certificate, perform the following steps:
    • Select the certificates you want to replace, and click Actions > Replace Certificates.
    • In the Replace Certificates dialog box, click the three-dot drop-down menu and select "Import Certificates".
    • Supply the information for the imported certificate, then import and save. (Browse to the private key file on your computer and add the file. The private key is optional if the imported certificate is based on a CSR generated by NSX Manager, because the private key already exists on the NSX Manager appliance.)
    • NSX Manager will finalize the replacement; you may see a brief UI refresh while this happens.
    • This process usually does not affect NSX functionality and should not have any impact on data plane activities either.
  • One CA-signed certificate can be used for only one service; if you attempt to use the same certificate again, NSX Manager shows an error that the certificate is already in use. (In NSX 4.2 and later, the APH, APH_TN, and CCP certificates have been consolidated into one, and the API and MGMT_CLUSTER (aka VIP) certificates have also been consolidated into one. Reference doc: Certificates.)
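Before starting the import above, a quick pre-flight check against the requirements from the Issue section (matching Common Name and Subject Alternative Name, basicConstraints = CA:FALSE, private key belonging to the new certificate) avoids a rejected replacement. The script below is an added example and not VMware's code; it assumes the openssl CLI (1.1.1 or later) is available, and the certificate file paths and sample certificates are constructed for the demonstration.

```shell
#!/bin/sh
# Pre-flight check for a renewed NSX service certificate before it is imported
# through System > Certificates. Added example, not VMware's code: it compares
# the subject (CN) and Subject Alternative Name with the certificate currently
# in use, verifies basicConstraints = CA:FALSE, and confirms the private key
# matches. Requires the openssl CLI (1.1.1 or later); file paths are assumptions.
set -eu

# Print the Subject Alternative Name extension of a PEM certificate.
san_of() { openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null; }

# Usage: check_replacement CURRENT.pem RENEWED.pem RENEWED.key
# Returns 0 when the renewed certificate meets the KB's requirements, 1 otherwise.
check_replacement() {
  cur="$1"; new="$2"; key="$3"
  [ "$(openssl x509 -in "$cur" -noout -subject)" = "$(openssl x509 -in "$new" -noout -subject)" ] \
    || { echo "REJECT: subject/CN differs from the certificate in use"; return 1; }
  [ "$(san_of "$cur")" = "$(san_of "$new")" ] \
    || { echo "REJECT: Subject Alternative Name differs from the certificate in use"; return 1; }
  openssl x509 -in "$new" -noout -ext basicConstraints 2>/dev/null | grep -q 'CA:FALSE' \
    || { echo "REJECT: basicConstraints=CA:FALSE is missing"; return 1; }
  [ "$(openssl x509 -in "$new" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] \
    || { echo "REJECT: private key does not belong to the renewed certificate"; return 1; }
  echo "OK: $new can replace $cur"
}

# Constructed sample certificates so the check runs offline (a real renewal
# comes from the CA). Args: PREFIX CN SAN CA-flag (TRUE or FALSE).
make_cert() {
  printf '[req]\nprompt=no\ndistinguished_name=dn\nx509_extensions=ext\n[dn]\nCN=%s\n[ext]\nsubjectAltName=%s\nbasicConstraints=CA:%s\n' \
    "$2" "$3" "$4" > "$1.cnf"
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -days 30 \
    -config "$1.cnf" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

demo() {
  d=$(mktemp -d)
  vip=nsx-vip.example.com; san="DNS:$vip,IP:10.0.0.5"   # constructed VIP name
  make_cert "$d/current" "$vip" "$san" FALSE
  make_cert "$d/renewed" "$vip" "$san" FALSE
  make_cert "$d/ca-style" "$vip" "$san" TRUE            # wrong: CA:TRUE
  check_replacement "$d/current.pem" "$d/renewed.pem" "$d/renewed.key"
  check_replacement "$d/current.pem" "$d/ca-style.pem" "$d/ca-style.key" || true
  rm -rf "$d"
}
demo
```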

Additional Information

Replace Certificates Through NSX Manager

NSX Certificates