Manually replace expired local manager certificate with self-signed certificate and clean up the expired certificate

Article ID: 426392

Products

VMware NSX

Issue/Introduction

  • The local manager certificate has expired and must be manually replaced with a self-signed certificate.
  • This article details the procedure for manually generating a new self-signed certificate, applying it to the local manager, and cleaning up the unused certificate.

Environment

VMware NSX

Cause

The existing local manager certificate has reached the end of its validity period.

Resolution

Steps to Generate a Self-Signed Certificate

  1. Log in to NSX Manager:

    • Access the NSX Manager UI using admin credentials.

  2. Navigate to Certificates:

    • Go to System > Settings > Certificates.

  3. Initiate Certificate Generation:

    • Click on the GENERATE dropdown menu.

    • Select Self Signed Certificate.

  4. Fill in Certificate Details:

    • Fill in the below details:

    • Service Certificate: Set this to No (Disabled), as it is going to be used as the local manager certificate.

  5. Generate:

    • Click Add (or Generate) to create the certificate.

Next Steps: Applying the Certificate to the NSX Manager

Simply generating the certificate does not make the NSX Manager use it. You must apply it via an API call.

  1. Get the Certificate ID:

    • In the Certificates list, find the certificate you just created.

    • Copy its ID (a long UUID string).

  2. Replace the expired Certificate (API):

Method: POST
https://<local-mgr>/api/v1/trust-management/certificates/<newcertid>?action=apply_certificate&service_type=LOCAL_MANAGER
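
The POST call above can be sent with curl. The script below is an added example, not Broadcom's code: it validates the manager address and the certificate UUID before building the URL from this article, and lets curl prompt for the password. The function names and the `NSX_USER` and `NSX_CACERT` environment variables are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Broadcom's code): apply a certificate as the LOCAL_MANAGER
# certificate using the POST call from this article.
# NSX_USER and NSX_CACERT are assumed environment variables of this script.

# Accept only a canonical 36-character UUID so nothing else reaches the URL path.
is_cert_id() {
    [ "${#1}" -eq 36 ] || return 1
    printf '%s\n' "$1" |
        grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Accept only hostname/IP characters (optionally host:port).
is_manager_host() {
    case "$1" in
        ''|*[!A-Za-z0-9.:-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the apply_certificate URL, or fail if either input is malformed.
apply_url() {
    is_manager_host "$1" || { echo "invalid manager host: $1" >&2; return 1; }
    is_cert_id "$2" || { echo "invalid certificate ID: $2" >&2; return 1; }
    printf 'https://%s/api/v1/trust-management/certificates/%s?action=apply_certificate&service_type=LOCAL_MANAGER\n' "$1" "$2"
}

# Send the POST. curl prompts for the password, keeping it out of shell history
# and the process list. TLS verification stays on; set NSX_CACERT to a PEM file
# that should be trusted for the manager.
apply_local_manager_cert() {
    url=$(apply_url "$1" "$2") || return 1
    set -- --silent --show-error --fail -X POST -u "${NSX_USER:-admin}" "$url"
    if [ -n "${NSX_CACERT:-}" ]; then
        set -- --cacert "$NSX_CACERT" "$@"
    fi
    curl "$@"
}

# Usage: sh apply_cert.sh <local-mgr> <newcertid>
if [ "$#" -eq 2 ]; then
    apply_local_manager_cert "$1" "$2"
fi
```

With `--fail`, curl exits non-zero on an HTTP error response, so a rejected request is not mistaken for a successful apply.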

Verification

Once the API call to apply the certificate is successful and the NSX Manager services have restarted, proceed with these checks in the UI:

  1. Refresh the Certificates Page:

    • Navigate back to System > Settings > Certificates.

    • Refresh the browser window.

  2. Verify the New Certificate:

    • Locate the new self-signed certificate you just created.

    • Check the Where Used (or "Used By") column.

    • Confirmation: It must show a count of 1. This confirms the NSX Manager node is now referencing this certificate.

  3. Verify the Old/Expired Certificate:

    • Locate the old or expired certificate.

    • Check the Where Used column.

    • Confirmation: It should now show a count of 0. This confirms it has been successfully disassociated.

Removal of Expired Certificate

You can only delete a certificate if it is not in use.

  1. Select the Old Certificate:

    • Ensure the Where Used column for the old/expired certificate displays 0.

  2. Delete:

    • Click the three dots (...) (ellipsis menu) next to the old certificate.

    • Select Delete.

    • Confirm the deletion in the prompt.

Additional Information

  1. Refer to the Broadcom documentation for replacing certificates through the API.
  2. See the scripted method to replace a self-signed certificate for automation steps.
  3. Replacing local manager certificate in a non federated VMware NSX-T environment