Generating and applying NSX-T Federation certificates for Standby Global Manager
Article ID: 369274


Products

VMware NSX

Issue/Introduction

  • From NSX-T Federation 3.2.x onwards, the certificate Import and Generate options are deactivated (greyed out) in the UI of the Standby Global Manager (GM).
  • Normally this means a failover to the Standby GM is needed to make it the Active GM, after which new certificates can be generated on it.
  • If a failover is not permitted, the workaround below generates the certificate on the Active GM and imports it into the Standby GM through the API, without a failover.


Environment

VMware NSX-T 3.2.x
VMware NSX 4.0.x, 4.1.x

Resolution

This issue is resolved in NSX 4.2.0 and above, where the full certificate lifecycle (generate, import, replace, delete) is available in the Standby Global Manager UI.


For impacted versions the following workaround can be used to update certificates without performing a failover.

  1. Generate the new certificate as required from the Active GM UI and note down its certificate UUID.

    Example: a new "TEST" certificate was created from the Active GM UI with UUID #####--###--###--####

    Active GM: (screenshot of the certificate in the Active GM UI not reproduced here)

  2. From the Active GM CLI (logged in as root), use a GET API call with curl to retrieve the details of the certificate.

    With ?action=get_private the response contains both the certificate and its private key. The call goes to the local nsxapi listener on 127.0.0.1:7440 and is authorised by the X-NSX-Username / X-NSX-Groups headers, so it only works from the manager itself.

    #curl -k -H 'X-NSX-Username:admin' -H 'X-NSX-Groups:superuser' "http://127.0.0.1:7440/nsxapi/api/v1/trust-management/certificates/<cert-id>?action=get_private"

    root@AGM:~# curl -k -X GET -H "Content-Type: application/json" -H 'X-NSX-Username:admin' -H 'X-NSX-Groups:superuser' "http://127.0.0.1:7440/nsxapi/api/v1/trust-management/certificates/#####--###--###--####?action=get_private"

    {
      "display_name" : "TEST-CERT-FROM-ACTIVE",
      "pem_encoded" : "-----BEGIN CERTIFICATE-----\n********\n-----END CERTIFICATE-----\n",
      "private_key" : "-----BEGIN RSA PRIVATE KEY-----\n*****\n-----END RSA PRIVATE KEY-----\n",
      "key_algo" : "RSA",
      "_protection" : "NOT_PROTECTED"
    }

    Note: After exporting the new certificate, delete it from the Active GM. It is only needed on the Standby GM, and its private key has now been copied out of the Active GM's trust store.

  3. Log in to the Standby GM via SSH as root and create the file /tmp/payload.json containing the content collected in step 2:

    {
      "display_name" : "TEST-CERT-FROM-ACTIVE",
      "pem_encoded" : "-----BEGIN CERTIFICATE-----\n********\n-----END CERTIFICATE-----\n",
      "private_key" : "-----BEGIN RSA PRIVATE KEY-----\n*****\n-----END RSA PRIVATE KEY-----\n",
      "key_algo" : "RSA",
      "_protection" : "NOT_PROTECTED"
    }

    Note: Do not remove the \n characters from the certificate and key content; paste the values exactly as returned by the GET API call, \n included, or the import will fail. A "display_name" field can be added if the response did not contain one.

  4. Run the following POST API call against the Standby GM to import the certificate (curl -u admin prompts for the admin password):

    Using curl:
    curl -k -H "Content-Type: application/json" -u admin -X POST "https://standbyGM-manager-ip/api/v1/trust-management/certificates?action=import" --data @/tmp/payload.json

    Using Postman:
    POST https://standbyGM-manager-ip/api/v1/trust-management/certificates?action=import

    Put the 'payload.json' content in the request body.

    Because /tmp/payload.json contains the private key, remove it once the import has succeeded.

  5. The certificate is now visible in the Standby Global Manager UI.
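The following script carries steps 2 to 4 through end to end. It is an added example and not VMware's own tooling: it assumes it is run on the Active GM as root (where the local nsxapi listener on 127.0.0.1:7440 accepts the X-NSX-Username / X-NSX-Groups headers exactly as in step 2), that the Standby GM API is reachable from there over HTTPS with an admin account, and, like curl -k on this page, it skips TLS verification because the Standby GM's current certificate is the one being replaced. Unlike the manual procedure it never writes the private key to /tmp: the GET response is reduced in memory to the fields the import payload carries (display_name, pem_encoded, private_key, key_algo) and posted straight to the Standby GM, so the read-only fields the GET adds (id, _revision, timestamps, _protection) are not sent back and the embedded \n characters are preserved by json.dumps.

```python
#!/usr/bin/env python3
"""Copy a certificate and its private key from the Active GM to the Standby GM.

Added example, not VMware's own tooling. Assumptions:
  - runs on the Active GM as root; the local nsxapi listener on 127.0.0.1:7440
    accepts the X-NSX-Username / X-NSX-Groups headers used in step 2 of the KB;
  - the Standby GM API is reachable over HTTPS with an admin account;
  - TLS verification towards the Standby GM is skipped (same as curl -k on the page)
    because its current API certificate is the one being replaced.
"""
import base64
import getpass
import json
import ssl
import sys
import urllib.request

ACTIVE_LOCAL_API = "http://127.0.0.1:7440/nsxapi/api/v1"
LOCAL_HEADERS = {"X-NSX-Username": "admin", "X-NSX-Groups": "superuser"}
# Fields the KB's payload.json carries; everything else the GET returns is dropped.
IMPORT_FIELDS = ("display_name", "pem_encoded", "private_key", "key_algo")


def build_import_payload(get_response):
    """Reduce a GET .../certificates/<id>?action=get_private body to an import body.

    Read-only fields the GET adds (id, _revision, timestamps, ...) must not be posted
    back. pem_encoded and private_key are forwarded untouched: json.dumps re-emits the
    embedded newlines as \\n escapes, which is what the import API expects (step 3 note).
    """
    missing = [f for f in ("pem_encoded", "private_key") if not get_response.get(f)]
    if missing:
        raise ValueError("GET response lacks %s; was ?action=get_private used?" % missing)
    payload = {f: get_response[f] for f in IMPORT_FIELDS if f in get_response}
    if not payload["pem_encoded"].startswith("-----BEGIN CERTIFICATE-----"):
        raise ValueError("pem_encoded is not a PEM certificate")
    if "PRIVATE KEY-----" not in payload["private_key"]:
        raise ValueError("private_key is not a PEM private key")
    return payload


def fetch_from_active(cert_id):
    """Step 2: read certificate + private key through the Active GM's local API."""
    req = urllib.request.Request(
        "%s/trust-management/certificates/%s?action=get_private" % (ACTIVE_LOCAL_API, cert_id),
        headers=LOCAL_HEADERS)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def import_to_standby(host, user, password, payload):
    """Step 4: POST the payload to the Standby GM; returns the parsed response body."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # equivalent of curl -k, see module docstring
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    req = urllib.request.Request(
        "https://%s/api/v1/trust-management/certificates?action=import" % host,
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json", "Authorization": "Basic " + token},
        method="POST")
    with urllib.request.urlopen(req, timeout=60, context=ctx) as resp:
        return json.load(resp)


def main(argv):
    if len(argv) != 4:
        sys.exit("usage: %s <cert-id-on-active-gm> <standby-gm-ip> <standby-admin-user>" % argv[0])
    cert_id, standby, user = argv[1:]
    payload = build_import_payload(fetch_from_active(cert_id))
    # The private key stays in memory between the GET and the POST; nothing is written to /tmp.
    result = import_to_standby(standby, user, getpass.getpass("Standby GM password: "), payload)
    # The import API answers with a list of the imported certificate objects.
    for cert in result.get("results", [result]):
        print("imported on standby:", cert.get("id"), cert.get("display_name"))


if __name__ == "__main__":
    main(sys.argv)
```

Run it as root on the Active GM, e.g. `python3 copy_cert_to_standby.py <cert-id> <standby-gm-ip> admin`, then continue with the replacement step below and delete the exported certificate from the Active GM as the step 2 note requires.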


After the certificate is imported on the Standby GM, replace the certificate following the certificate replacement documentation for your version:

Certificate-Replacement-3.2.x

Certificate-Replacement-4.x

Once the certificate has been replaced on the Standby GM, the following API can be used to remove the unused expired or expiring certificate(s):

DELETE https://<standby_gm_ip>/api/v1/trust-management/certificates/<unused_certificate_id_standby_gm>

Curl example:

curl -k -u 'username:password' -H "Content-Type: application/json" -X DELETE 'https://<standby_gm_ip>/api/v1/trust-management/certificates/<unused_certificate_id_standby_gm>'