Replace NSX certificates (API and management cluster VIP) using the REST APIs

Article ID: 421552


Products

VMware NSX

Issue/Introduction

- Replace expired NSX certificates using API calls when the CARR script is not applicable (as is the case for CA certificates).

Environment

VMware NSX 

Resolution

Option 1:

(works only for self-signed certificates)

Use the CARR script to replace the certificates. Refer to Using Certificate Analyzer, Results and Recovery (CARR) Script to fix certificate related issues in NSX.

Option 2:

(works for both CA certificates and self-signed certificates)

To create a self-signed certificate, use this document: Create a Self Signed Certificate

For a CA certificate, use the KB Obtaining and Importing the CA signed certificate and the reference document Import the CA Signed Certificate.

 1. With admin privileges, log in to NSX Manager.
 2. Select System > Certificates.
 3. In the ID column, select the ID of the new certificate you want to use and copy the certificate ID from the pop-up window. Make sure that when this certificate was imported, the option Service Certificate was set to No. For a CA certificate, the server certificate must contain the Basic Constraints extension basicConstraints = CA:FALSE.
     Note: The certificate chain must be in the industry standard order of certificate - intermediate - root.
 4. Verify that the certificate is valid by making the following API call:
     GET https://<nsx-mgr>/api/v1/trust-management/certificates/<cert-id>?action=validate
 5. To replace the API certificate of a manager node, use the following API call. To find your Unified Appliance node ID, refer to Finding Node IDs for Certificate API Calls.
     POST https://<nsx-mgr>/api/v1/trust-management/certificates/<cert-id>?action=apply_certificate&service_type=API&node_id=<node-id>
 6. To replace the certificate of the manager cluster VIP, use the following API call:
     POST https://<nsx-mgr>/api/v1/trust-management/certificates/<cert-id>?action=apply_certificate&service_type=MGMT_CLUSTER
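
Steps 4 to 6 as one scripted sequence, added here as an example and not part of the KB: it runs the validate call first and sends the apply calls only if validation reports OK. The function names, the `NSX_NETRC` credential file and the `status` field with value `OK` in the validate response are assumptions, not taken from this article.

```shell
#!/bin/sh
# Added example, not from the KB. Manager FQDN and IDs are operator-supplied.
# NSX_NETRC (assumed name): path to a netrc file with the admin credentials,
# so the password never appears in argv or shell history.

# Reject IDs containing anything that could alter the URL path or query string.
safe_id() {
    case "$1" in ''|*[!A-Za-z0-9-]*) return 1 ;; esac
}

cert_path() {  # $1 = cert-id
    printf '/api/v1/trust-management/certificates/%s' "$1"
}

# Step 4: validation URL.
validate_url() {  # $1 = manager, $2 = cert-id
    printf 'https://%s%s?action=validate' "$1" "$(cert_path "$2")"
}

# Steps 5 and 6: with a node-id the API certificate of that node is replaced,
# without one the manager cluster VIP certificate is replaced.
apply_url() {  # $1 = manager, $2 = cert-id, $3 = node-id (optional)
    if [ -n "${3:-}" ]; then
        printf 'https://%s%s?action=apply_certificate&service_type=API&node_id=%s' \
            "$1" "$(cert_path "$2")" "$3"
    else
        printf 'https://%s%s?action=apply_certificate&service_type=MGMT_CLUSTER' \
            "$1" "$(cert_path "$2")"
    fi
}

# Assumption: the validate response is JSON with a top-level "status" string.
validation_status() {  # stdin = response body
    tr -d '\n' | sed -n 's/.*"status"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

replace_cert() {  # $1 = manager, $2 = cert-id, $3... = manager node IDs
    mgr=$1; cert=$2; shift 2
    for id in "$cert" "$@"; do
        safe_id "$id" || { echo "refusing unsafe id: $id" >&2; return 1; }
    done
    status=$(curl -sS --netrc-file "$NSX_NETRC" "$(validate_url "$mgr" "$cert")" | validation_status)
    [ "$status" = "OK" ] || { echo "validate returned '$status', nothing applied" >&2; return 1; }
    for node in "$@"; do
        curl -sS -f --netrc-file "$NSX_NETRC" -X POST "$(apply_url "$mgr" "$cert" "$node")" || return 1
    done
    curl -sS -f --netrc-file "$NSX_NETRC" -X POST "$(apply_url "$mgr" "$cert")"
}
```

Call it as `replace_cert <nsx-mgr> <cert-id> <node-id> [<node-id> ...]`; the cluster VIP certificate is applied last, after every listed node has accepted the new API certificate.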
 
 

Additional Information

Reference Doc: Replace Certificates through API