How to Renew or Replace the Local Manager Certificate from selfsigned certificate to a CA Certificate
Article ID: 424662

Products

VMware NSX

Issue/Introduction

This document defines the step-by-step procedure to renew or replace NSX Local Manager certificates, moving from a self-signed certificate to a CA-signed certificate.

  •  It guides the transition from a default self-signed certificate to a secure, CA-signed certificate.

Environment

VMware NSX

Cause

  •  This process ensures the environment meets organizational standards that require CA certificates.

  •  These steps are also used to replace expired Local Manager certificates.

Resolution

There are two primary methods for renewing the certificate based on how the Certificate Signing Request (CSR) is generated.

1. Generating a CSR from the NSX UI

  1. Log in to the NSX Manager with admin privileges.
  2. Navigate to System > Certificates.
  3. Click the CSRs tab.
  4. Click Generate CSR and select Generate CSR from the dropdown menu.
  5. Complete the certificate details based on the table below:

| Option | Description |
|---|---|
| Common Name | Enter the Fully Qualified Domain Name (FQDN) of your server (e.g., www.example.com). |
| Name | Assign a unique name to identify your certificate. |
| Organization Unit | Enter the department handling the certificate (e.g., IT Department). |
| Organization Name | Enter your legal organization name (e.g., VMware Inc.). |
| Locality | Enter the city where your organization is located (e.g., Palo Alto). |
| State | Enter the state where your organization is located (e.g., California). |
| Country/Region | Select your organization's location (e.g., United States (US)). |
| Algorithm | RSA: Used for digital signatures and encryption. ECDSA: Used for EAL4+ compliance; more efficient than RSA. |
| Key Size | RSA: Default is 2048 (3072 and 4096 also supported). ECDSA: Default is 256 bits (384 and 521 bits also supported). |
| Description | Enter specific details to help identify this certificate at a later date. |

  6. Click Save.
  7. Download the generated CSR PEM from the NSX Manager.
  8. Submit the CSR to your Certificate Authority (CA) for signing.
  9. Receive the signed certificate from the CA.
  10. Import the signed certificate back into NSX Manager:
    • Navigate to System > Certificates.
    • Click the CSRs tab.
    • Find your CSR, click the three dots (...), and select Import Certificate for CSR.
    • Browse to the signed certificate file on your computer and upload it.
      Note: The certificate chain must be in the industry standard order of 'certificate - intermediate - root.'
    • Set the Service Certificate toggle to No to use this certificate for NSX Manager appliance nodes.
    • Click Save.
  11. NSX will automatically associate the imported certificate with the stored private key. The signed certificate will now appear in the Certificates tab.

2. Generating a CSR from a 3rd party:

  1. Log in to the NSX Manager (https://<nsx-manager-ip-address>) with admin privileges.
  2. Navigate to System > Certificates.
  3. Select Import > Import CA Certificate and enter the following details:

| Option | Description |
|---|---|
| Name | Assign a name to the CA certificate. |
| Certificate Contents | Browse to the CA certificate file on your computer and add the file. Note: The certificate chain must be in the industry standard order of 'certificate - intermediate - root.' |
| Description | Enter a summary of what is included in this CA certificate. |
| Service Certificate | Set to NO for use with the Local Manager. |

  4. The CA certificate will now appear in the Certificates tab.
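Both import paths above require the PEM bundle to be ordered 'certificate - intermediate - root'. The following stdlib-only Python check is an added example, not part of this KB article or of NSX: it reads the raw DER subject and issuer of each certificate in a bundle and confirms each one is issued by the next and that the last is self-issued. The sample chain, the CNs in it and the `sample_cert_pem` helper are constructed here (unsigned skeletons, just enough structure for the parser); real bundles exported from a CA are parsed the same way.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Read one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length (n following bytes)
        n = length & 0x7F; length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def names_from_der(der):
    """Return (subject, issuer) of one X.509 certificate as raw DER Name bytes."""
    _, tbs_start, _ = _tlv(der, 0)          # Certificate SEQUENCE
    _, pos, tbs_end = _tlv(der, tbs_start)  # tbsCertificate SEQUENCE
    fields = []
    while pos < tbs_end and len(fields) < 6:
        tag, _, vend = _tlv(der, pos)
        fields.append((tag, der[pos:vend])); pos = vend
    if fields[0][0] == 0xA0:                # optional explicit [0] version
        fields.pop(0)
    return fields[4][1], fields[2][1]       # serial, sigAlg, issuer, validity, subject

def check_chain_order(pem_text):
    """Require leaf -> intermediate(s) -> root: each issuer must equal the next subject (byte-for-byte DER)."""
    certs = [names_from_der(base64.b64decode("".join(b.split())))
             for b in PEM_RE.findall(pem_text)]
    if not certs:
        return False, "no PEM certificates found"
    for i in range(len(certs) - 1):
        if certs[i][1] != certs[i + 1][0]:
            return False, f"certificate {i + 1} is not issued by certificate {i + 2}: wrong order or missing link"
    if certs[-1][0] != certs[-1][1]:
        return False, "last certificate is not self-issued: root is missing"
    return True, f"{len(certs)} certificates in certificate-intermediate-root order"

def _der(tag, body):                        # tiny DER encoder for the constructed sample only (< 256 bytes)
    return bytes([tag]) + (bytes([len(body)]) if len(body) < 128 else bytes([0x81, len(body)])) + body

def sample_cert_pem(subject_cn, issuer_cn):
    """CONSTRUCTED, unsigned certificate skeleton carrying only CN-based subject and issuer Names."""
    name = lambda cn: _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
           + name(issuer_cn) + _der(0x30, b"") + name(subject_cn))
    body = base64.b64encode(_der(0x30, _der(0x30, tbs))).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
```

Run `check_chain_order` on the contents of the bundle before uploading it; a False result means the file would violate the ordering note in the tables above.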

Local Manager Certificate Replacement steps:

Once the certificate is imported, you must apply it to the Local Manager service.

  1. Log in to the NSX Manager (https://<nsx-manager-ip-address>) with admin privileges.
  2. Navigate to System > Certificates.
  3. Click the three dots (...) next to the new CA certificate and select Copy ID to clipboard to collect the Certificate ID.
  4. To replace the Local Manager certificate, use the following API call:

POST https://<nsx-mgr>/api/v1/trust-management/certificates/<cert-id>?action=apply_certificate&service_type=LOCAL_MANAGER

Example:

POST https://<local-mgr>/api/v1/trust-management/certificates/XXXXXXXXXXXXXXXXXXX?action=apply_certificate&service_type=LOCAL_MANAGER

Cleanup of old certificate:

  1. Once the certificate is successfully replaced, the old expired certificate will be labeled as "Where used 0" and can be safely deleted.

Additional Information

Reference Links
Import a CA Certificate: Broadcom Tech Docs - Import a CA Certificate

Replace Certificates: Broadcom Tech Docs - Replace Certificates through API