Replace Expired or Self-signed NSX-T Manager Certificates with VMCA-Signed Certificates

Article ID: 317900

Products

VMware Cloud Foundation, VMware NSX Networking

Issue/Introduction

Generating a CSR, creating the certificate, and importing and deploying it via the VMCA involves a lot of manual work, including a series of REST API calls. The purpose of this document is to automate the entire process with a script: a workflow that would normally take ~30 minutes is condensed to about 3 seconds.

Symptoms:
We have expired certificates or self-signed certificates on the NSX-T Managers and NSX-T VIP.

- Expired certificates cannot be replaced through a management interface such as the SDDC Manager; they have to be replaced directly on the NSX-T Managers.

- Self-signed certificates are not trusted by the SDDC Manager, so the certificate needs to be replaced with a VMCA-signed certificate.

Environment

VMware NSX-T

Cause

Expired or Self-Signed certificates on the NSX-T Manager nodes cause alarms and workflow failures across multiple operations, particularly those involving the SDDC Manager.

Resolution

NOTE: The script needs to be run on the vCenter affiliated to the NSX-T Managers

Script Usage:

0. Download the script nsxtVmcaCert.py and copy it to the vCenter connected to the NSX-T environment.

1. Run the script with the FQDN of the manager node or the VIP, with the appropriate flags, and supply the password for the admin user:

- For NSX-T Manager:

python nsxtVmcaCert.py -f <nsxt_manager_fqdn> -m
- For NSX-T VIP:

python nsxtVmcaCert.py -f <nsxt_vip_fqdn> -v
The script needs to be re-run for each NSX-T Manager and NSX-T VIP that we need to replace the certificates on.

For example:
If we have 3 NSX-T Manager nodes behind the NSX-T VIP, we need to run the script 4 times:

python nsxtVmcaCert.py -f nsx-mgmt-1.vrack.vsphere.local -m
python nsxtVmcaCert.py -f nsx-mgmt-2.vrack.vsphere.local -m
python nsxtVmcaCert.py -f nsx-mgmt-3.vrack.vsphere.local -m
python nsxtVmcaCert.py -f vip-nsx-mgmt.vrack.vsphere.local -v
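
To know which nodes still need the script and to confirm the result afterwards, the following added check (not the KB's nsxtVmcaCert.py, and not part of the original article) reports whether each FQDN still presents an expired or self-signed certificate. It assumes the openssl CLI is available and TCP/443 is reachable; the hostnames and the check_nsx_certs.sh file name are assumptions.

```shell
#!/bin/sh
# Added example, not the KB's script: classify the certificate served by each
# NSX-T Manager / VIP FQDN as expired, self-signed or CA-signed, so you know
# where nsxtVmcaCert.py must be (re-)run and can verify the replacement worked.
# Assumes the openssl CLI and reachability of each FQDN on TCP/443.

# classify_pem FILE: print expired | self-signed | ca-signed for a PEM certificate.
# subject == issuer is the self-signed heuristic; -checkend 0 fails once notAfter has passed.
classify_pem() {
  pem="$1"
  subject=$(openssl x509 -in "$pem" -noout -subject | sed 's/^subject= *//')
  issuer=$(openssl x509 -in "$pem" -noout -issuer | sed 's/^issuer= *//')
  if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1; then
    echo expired
  elif [ "$subject" = "$issuer" ]; then
    echo self-signed
  else
    echo ca-signed
  fi
}

# fetch_pem HOST [PORT]: write the leaf certificate presented on HOST:PORT to stdout.
fetch_pem() {
  openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 2>/dev/null
}

# check_host HOST: print "HOST: state (issuer)"; exit 0 only when CA-signed and unexpired.
check_host() {
  tmp=$(mktemp) || return 2
  if ! fetch_pem "$1" >"$tmp" || ! [ -s "$tmp" ]; then
    echo "$1: unreachable or no certificate"; rm -f "$tmp"; return 2
  fi
  state=$(classify_pem "$tmp")
  issuer=$(openssl x509 -in "$tmp" -noout -issuer | sed 's/^issuer= *//')
  rm -f "$tmp"
  echo "$1: $state (issuer: $issuer)"
  [ "$state" = ca-signed ]
}

# Usage: sh check_nsx_certs.sh nsx-mgmt-1.vrack.vsphere.local ... vip-nsx-mgmt.vrack.vsphere.local
main() {
  [ $# -gt 0 ] || { echo "usage: $0 <fqdn> [<fqdn> ...]" >&2; return 1; }
  rc=0
  for h in "$@"; do
    check_host "$h" || { rc=1; echo "  -> run nsxtVmcaCert.py for $h (-m for a manager node, -v for the VIP)"; }
  done
  return $rc
}

[ $# -gt 0 ] && main "$@"
```

Run it once before the replacement and once after: every line should end up as ca-signed with the VMCA as issuer.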

Additional Information

Note: Please update any second-party (such as vROps, vRLI, etc.) and third-party products that have integrations with the NSX Managers so that they accept the new certificates.

Attachments

nsxtVmcaCert.py