NSX 4.X Certificate exchange of the NSX Manager

Daniel Krieger
5. April 2024
Reading time: 3 min

Certificate creation

First of all, we need a CSR. This can be created with OpenSSL. It is important that the private key is also exported. You can either create four individual certificates (VIP and the three manager nodes) or one SAN certificate containing all DNS names and IP addresses of the manager nodes. The easiest way is to run the request on a manager node. To do this, I create an openssl config file with vim.


The CSR is generated with the following command:

openssl req -new -newkey rsa:4096 -nodes -keyout nsxm0001.key -out nsxm0001.csr -config opnssl.cnf

Two files are generated: a private key file and the actual request, which must be submitted to the CA.

Attention:
The CA must issue the certificate with the extension basicConstraints = cA:FALSE, otherwise the certificate cannot be used. With a Windows CA, this must be explicitly permitted in the certificate template. If the extension is missing, certificate validation fails with an error message stating that the certificate key does not match the certificate.

Import certificate

The certificate can be imported in the NSX Manager under System > Certificates > Import. Make sure that the "Service Certificate" slider is set to NO. The complete certificate chain is also required, in the industry-standard order of 'certificate – intermediate – root'.


After the import, the certificate can be validated using an API request.
API calls may vary between NSX-T versions; in my example NSX version 4.1.2.3 is used.

GET https://<nsx-mgr>/api/v1/trust-management/certificates/<cert-id>?action=validate

Exchange of certificates

An API request must be executed for each manager node and for the VIP. This requires the certificate ID and the manager node ID. Both can be copied from the web GUI or retrieved via API GET requests.

The following API call is used to exchange the Manager Node certificate:

POST /api/v1/trust-management/certificates/<cert-id>?action=apply_certificate&service_type=API&node_id=<node-id>

The following API call is used to exchange the cluster VIP certificate:

POST /api/v1/trust-management/certificates/<cert-id>?action=apply_certificate&service_type=MGMT_CLUSTER

After replacing the certificates, you should close all browser windows and log in to the NSX Manager again. The certificate should now have been successfully replaced.
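The whole procedure above, as an added shell example that is not code from the original post: it writes the openssl config with the SAN list, generates key and CSR with the command from the post, checks the issued certificate for basicConstraints CA:FALSE and for a matching private key before import, and builds the three NSX API calls. All hostnames, IP addresses and the CERT_ID/NODE_ID values are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post. Hostnames, IPs and the
# cert/node IDs are placeholders; NSX_USER/NSX_PASS hold admin credentials.

# Print an openssl config with a SAN list. Args: CN, then host:ip pairs.
write_openssl_cnf() {
  cn="$1"; shift
  printf '[req]\ndistinguished_name = dn\nreq_extensions = v3_req\nprompt = no\n\n'
  printf '[dn]\nCN = %s\n\n[v3_req]\nbasicConstraints = CA:FALSE\n' "$cn"
  printf 'keyUsage = digitalSignature, keyEncipherment\nsubjectAltName = @alt_names\n\n[alt_names]\n'
  i=1
  for entry in "$@"; do
    printf 'DNS.%d = %s\nIP.%d = %s\n' "$i" "${entry%%:*}" "$i" "${entry#*:}"
    i=$((i + 1))
  done
}

# Key + CSR as in the post (rsa:4096, unencrypted key). Args: file prefix, CN, host:ip pairs.
make_csr() {
  name="$1"; shift
  write_openssl_cnf "$@" > "$name.cnf"
  openssl req -new -newkey rsa:4096 -nodes -keyout "$name.key" -out "$name.csr" -config "$name.cnf"
}

# Pre-import checks on the certificate the CA returned: it must carry
# basicConstraints CA:FALSE, and its public key must match our private key.
cert_is_end_entity() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Basic Constraints' | grep -q 'CA:FALSE'
}
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# NSX trust-management URLs. Args: manager host, certificate id [, node id].
nsx_validate_url() {
  printf 'https://%s/api/v1/trust-management/certificates/%s?action=validate' "$1" "$2"
}
nsx_apply_node_url() {
  printf 'https://%s/api/v1/trust-management/certificates/%s?action=apply_certificate&service_type=API&node_id=%s' "$1" "$2" "$3"
}
nsx_apply_vip_url() {
  printf 'https://%s/api/v1/trust-management/certificates/%s?action=apply_certificate&service_type=MGMT_CLUSTER' "$1" "$2"
}
# Example run (uncomment; repeat the node call for each of the three managers):
# make_csr nsxm0001 nsx-vip.example.local nsx-vip.example.local:10.0.0.10 \
#   nsxm0001.example.local:10.0.0.11 nsxm0002.example.local:10.0.0.12 nsxm0003.example.local:10.0.0.13
# cert_is_end_entity nsxm0001.crt && key_matches_cert nsxm0001.crt nsxm0001.key || exit 1
# curl -s -u "$NSX_USER:$NSX_PASS" "$(nsx_validate_url nsx-vip.example.local CERT_ID)"
# curl -s -u "$NSX_USER:$NSX_PASS" -X POST "$(nsx_apply_node_url nsx-vip.example.local CERT_ID NODE_ID)"
# curl -s -u "$NSX_USER:$NSX_PASS" -X POST "$(nsx_apply_vip_url nsx-vip.example.local CERT_ID)"
```

The two pre-import checks catch the failure described in the note above before the NSX validation call reports a key mismatch.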

Further resources:

https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.2/administration/GUID-50C36862-A29D-48FA-8CE7-697E64E10E37.html