NOTE: The script needs to be run on the vCenter Server (Compute Manager) registered to the VMware NSX Managers; confirm the registration under System > Fabric > Compute Managers.
The script only replaces the Manager Node certificate and the Cluster (VIP) certificate; it is not intended to be used for any other certificates.
The script is available to download from this KB article.
Script Usage:
The script is listed in this KB article as nsxtVmcaCert.py. After downloading it, rename the file to exactly that name and copy it to the vCenter Server connected to the VMware NSX environment. If you encounter trouble copying the script to vCenter, the instructions in Connecting to vCenter Server Virtual Appliance using WinSCP fails with the error: Received too large (1433299822 B) SFTP packet. Max supported packet size is 1024000 B will help enable SCP for root on the vCenter Server, allowing you to copy the script to the vCenter Server.
To see the syntax and commands available, run python nsxtVmcaCert.py without arguments.
To replace a Manager Node certificate:
# python nsxtVmcaCert.py -f <nsx_manager_fqdn> -m
To replace the Cluster (VIP) certificate:
# python nsxtVmcaCert.py -f <nsxt_vip_fqdn> -v
The script must be re-run once for each VMware NSX Manager node and once for the VIP whose certificates need to be replaced.
For example:
If there are three VMware NSX Manager nodes and a VIP configured, the script needs to be run four times:
python nsxtVmcaCert.py -f <nsx-manager-node1-fqdn> -m
python nsxtVmcaCert.py -f <nsx-manager-node2-fqdn> -m
python nsxtVmcaCert.py -f <nsx-manager-node3-fqdn> -m
python nsxtVmcaCert.py -f <cluster-vip-fqdn-address> -v
NOTE: The FQDN of each NSX Manager node can be verified with the API call below, and the same FQDN value must be passed to the python script when replacing that node's certificate:
GET https://<NSX-Manager-IP>/api/v1/cluster
HASH Info:
The hashes listed are only valid for the current file; verify the downloaded script against them before running it.
Date hash added: 12/11/2024
If the file is updated, a new hash will need to be added.
The current version is nsxtVmcaCert.py
MD5SUM: efb626dc0bc58c66fc6d331a9e071b2c
SHA256SUM: 02cf092d4cd370ea5a2d0b5af0cec922299c6e78a742da1ea0386c7344470195
If the NSX Manager is configured with a (short) hostname where an FQDN is expected, the script fails with: Failed to get node id.
Update the NSX Manager hostname to the FQDN by running set hostname <fqdn> from the CLI on the affected NSX Manager, then confirm the new value with the GET https://<NSX-Manager-IP>/api/v1/cluster call before re-running the script.
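The following is an added pre-flight helper, not the KB's nsxtVmcaCert.py and not VMware code. It ties together three checks the procedure above relies on: verifying the downloaded script against the published MD5/SHA256 values before running it, pulling the per-node FQDNs from GET /api/v1/cluster so the exact value the API reports is passed to the script, and refusing to proceed when a node reports a short hostname (the "Failed to get node id" case). It assumes the cluster API body carries a nodes list whose entries have an fqdn field; the sample cluster JSON, the example.com names and the fetch_cluster helper are constructed for illustration.

```python
"""Pre-flight checks for the nsxtVmcaCert.py procedure (added example, not the KB script)."""
import base64
import hashlib
import json
import ssl
import urllib.request

# Digests published in this KB for the current nsxtVmcaCert.py.
KB_MD5 = "efb626dc0bc58c66fc6d331a9e071b2c"
KB_SHA256 = "02cf092d4cd370ea5a2d0b5af0cec922299c6e78a742da1ea0386c7344470195"

# Constructed sample shaped like a GET /api/v1/cluster body (assumption: 'nodes[].fqdn').
SAMPLE_CLUSTER = {
    "nodes": [
        {"fqdn": "nsx-mgr-01.example.com"},
        {"fqdn": "nsx-mgr-02.example.com"},
        {"fqdn": "nsx-mgr-03.example.com"},
    ]
}


def hashes_of_bytes(data):
    """Return (md5, sha256) hex digests of the given bytes."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def verify_bytes(data, expected_md5=KB_MD5, expected_sha256=KB_SHA256):
    """True only when both digests match the published values."""
    md5, sha256 = hashes_of_bytes(data)
    return md5 == expected_md5 and sha256 == expected_sha256


def verify_script(path, expected_md5=KB_MD5, expected_sha256=KB_SHA256):
    """Read the downloaded script and refuse an unverified copy."""
    with open(path, "rb") as fh:
        return verify_bytes(fh.read(), expected_md5, expected_sha256)


def is_fqdn(name):
    """A bare hostname (no dot) makes the script fail with 'Failed to get node id'."""
    return "." in name.strip(".")


def node_fqdns(cluster):
    """Extract the per-node fqdn values from a /api/v1/cluster body (assumed layout)."""
    return [node["fqdn"] for node in cluster.get("nodes", [])]


def build_commands(cluster, vip_fqdn, script="nsxtVmcaCert.py"):
    """One '-m' run per manager node plus one '-v' run for the VIP, or raise
    ValueError if any name is a short hostname the script would reject."""
    cmds = []
    for fqdn in node_fqdns(cluster):
        if not is_fqdn(fqdn):
            raise ValueError(
                f"node '{fqdn}' is a short hostname; run 'set hostname <fqdn>' "
                "on that NSX Manager first")
        cmds.append(f"python {script} -f {fqdn} -m")
    if not is_fqdn(vip_fqdn):
        raise ValueError(f"VIP name '{vip_fqdn}' is not an FQDN")
    cmds.append(f"python {script} -f {vip_fqdn} -v")
    return cmds


def fetch_cluster(manager_ip, user, password, verify_tls=True):
    """Hypothetical helper: GET https://<manager_ip>/api/v1/cluster with basic auth.
    Leave verify_tls=True unless the manager still presents the untrusted
    self-signed certificate this procedure is about to replace."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"https://{manager_ip}/api/v1/cluster",
        headers={"Authorization": f"Basic {token}", "Accept": "application/json"})
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Offline demonstration against the constructed sample; swap in
    # fetch_cluster(...) and verify_script("nsxtVmcaCert.py") on the real vCenter.
    for cmd in build_commands(SAMPLE_CLUSTER, "nsx-vip.example.com"):
        print(cmd)
```

Run verify_script against the file you actually copied to the vCenter Server, not against the download on your workstation, so the digests cover the copy that will execute; if either digest differs, re-download rather than editing the file to match.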