Replace Expired or Self-signed NSX-T Manager Certificates with VMCA-Signed Certificates


Article ID: 317900


Updated On:


VMware Cloud Foundation VMware NSX Networking


Generating a CSR, creating a certificate, and importing and deploying the certificate via the VMCA involves a lot of manual work and REST API calls. The purpose of this document is to automate the entire process with a script: a process that would normally take ~30 minutes is condensed to a 3 second workflow.

We have expired certificates or self-signed certificates on the NSX-T Managers and NSX-T VIP.

- Expired certificates cannot be replaced through a management interface like the SDDC Manager; they have to be replaced directly on the NSX-T Managers.

- SDDC Manager does not trust a self-signed certificate, so it needs to be replaced with a VMCA-signed certificate.


VMware NSX-T


Expired or Self-Signed certificates on the NSX-T Manager nodes cause alarms and workflow failures across multiple operations, particularly those involving the SDDC Manager.


NOTE: The script needs to be run on the vCenter associated with the NSX-T Managers.

Script Usage:

0. Download the script and copy it to the vCenter connected to the NSX-T environment.

1. Run the script with the FQDN of the manager node or the VIP, with the appropriate flags, and supply the password for the admin user:

- For NSX-T Manager:

python -f <nsxt_manager_fqdn> -m



- For NSX-T VIP:

python -f <nsxt_vip_fqdn> -v


The script needs to be re-run for each NSX-T Manager and NSX-T VIP that we need to replace the certificates on.

For example:
If we have 3 NSX-T Manager nodes, behind the NSX-T VIP, we need to run the script 4 times:

python -f nsx-mgmt-1.vrack.vsphere.local -m
python -f nsx-mgmt-2.vrack.vsphere.local -m
python -f nsx-mgmt-3.vrack.vsphere.local -m
python -f vip-nsx-mgmt.vrack.vsphere.local -v
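
One way to confirm which nodes still serve an expired or self-signed certificate, before and after running the script against each Manager and the VIP. This is an added example, not part of the KB script; it assumes `openssl` is available in the shell, and the function names and the 30-day warning window are choices made for this example.

```shell
#!/bin/sh
# Added example (not part of the KB script): classify the certificate an
# NSX-T Manager or VIP serves, before and after the replacement.

# classify_cert PEM_FILE [WINDOW_SECONDS]
# Prints one of: unreadable, expired, self-signed, expiring, ok
classify_cert() {
    pem="$1"; window="${2:-2592000}"   # assumed default warning window: 30 days
    openssl x509 -in "$pem" -noout >/dev/null 2>&1 || { echo unreadable; return 0; }
    # -checkend N exits non-zero when the cert is no longer valid N seconds from now.
    if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired; return 0
    fi
    # Same subject and issuer name: no CA such as the VMCA issued it
    # (strictly "self-issued", reported here as self-signed).
    subj=$(openssl x509 -in "$pem" -noout -subject_hash)
    iss=$(openssl x509 -in "$pem" -noout -issuer_hash)
    if [ "$subj" = "$iss" ]; then echo self-signed; return 0; fi
    if ! openssl x509 -in "$pem" -noout -checkend "$window" >/dev/null 2>&1; then
        echo expiring; return 0
    fi
    echo ok
}

# fetch_cert HOST [PORT]: write the served leaf certificate (PEM) to stdout.
fetch_cert() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM 2>/dev/null
}

# Pass the same FQDNs the replacement script is run against, for example:
#   sh check_nsx_certs.sh nsx-mgmt-1.vrack.vsphere.local vip-nsx-mgmt.vrack.vsphere.local
for host in "$@"; do
    tmp=$(mktemp)
    fetch_cert "$host" >"$tmp"
    printf '%s\t%s\t%s\n' "$host" "$(classify_cert "$tmp")" \
        "$(openssl x509 -in "$tmp" -noout -issuer -enddate 2>/dev/null | tr '\n' ' ')"
    rm -f "$tmp"
done
```

After a successful replacement each host should report `ok` with the VMCA as issuer; `unreadable` means no certificate could be fetched from that host.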



Additional Information

Note: Please update any 2nd Party (such as vROPS, vRLI etc) and 3rd Party products that have integrations with the NSX Managers so that they accept the new certificates.


nsxtVmcaCert