First of all, we need a CSR. This can be created with OpenSSL. It is important that the private key is also exported. You can either create four individual certificates (one for the VIP and one for each of the three manager nodes) or a single SAN certificate containing all DNS names and IP addresses of the manager nodes. The easiest way is to carry out the request on a manager node. To do this, I create an OpenSSL config file with vim.
The CSR is generated with the following command:
openssl req -new -newkey rsa:4096 -nodes -keyout nsxm0001.key -out nsxm0001.csr -config opnssl.cnf
Two files are generated, a private key file and the actual request, which must be submitted to the CA.
Attention: the CA must issue the certificate with the extension basicConstraints = cA:FALSE, otherwise the certificate cannot be used. With a Windows CA, this must be explicitly permitted in the template. If the extension is missing, the certificate validation fails with an error message stating that the certificate key does not match the certificate.
The certificate can be imported in the NSX Manager under System > Certificates > Import. Here it must be ensured that the service certificate slider is set to NO. The complete certificate chain is also required, and it must be in the industry-standard order of ‘certificate – intermediate – root’.
After the import, the certificate can be validated using an API request.
API calls may vary depending on the NSX-T version; in my example, NSX version 4.1.2.3 is used.
GET https://<nsx-mgr>/api/v1/trust-management/certificates/<cert-id>?action=validate
An API request must be executed for each manager node and for the VIP. This requires the certificate ID and the manager node ID. Both can be copied from the web GUI or retrieved via API GET requests.
The following API call is used to exchange the Manager Node certificate:
POST /api/v1/trust-management/certificates/<cert-id>?action=apply_certificate&service_type=API&node_id=<node-id>
The following API call is used to exchange the cluster VIP certificate:
POST /api/v1/trust-management/certificates/<cert-id>?action=apply_certificate&service_type=MGMT_CLUSTER
After replacing the certificates, you should close all browser windows and log in to the NSX Manager again. The certificate should now have been successfully replaced.
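The validate and apply calls above, driven from one script for the SAN-certificate case (one certificate ID applied to every manager node and the VIP), so nothing is applied before validation passes. This is an added example, not from the original post; it assumes NSX_MGR, NSX_USER and NSX_PASS are set in the environment and that the validate response carries a "status" field with value "OK", as the NSX trust-management API documents.

```shell
# Added example: validate an imported certificate, then apply it to each
# manager node and the cluster VIP using the NSX trust-management API.
# Assumptions (not from the post): NSX_MGR, NSX_USER, NSX_PASS environment
# variables; validate returns JSON with "status": "OK" on success.
set -eu

API_BASE="/api/v1/trust-management/certificates"

# URL for validating an imported certificate (the GET call from the post).
validate_url() {
    printf 'https://%s%s/%s?action=validate' "$1" "$API_BASE" "$2"
}

# URL for applying a certificate to one manager node's API service.
apply_node_url() {
    printf 'https://%s%s/%s?action=apply_certificate&service_type=API&node_id=%s' \
        "$1" "$API_BASE" "$2" "$3"
}

# URL for applying a certificate to the cluster VIP.
apply_vip_url() {
    printf 'https://%s%s/%s?action=apply_certificate&service_type=MGMT_CLUSTER' \
        "$1" "$API_BASE" "$2"
}

# Succeeds only when the validate response reports status OK; an ERROR
# status, a missing field or an empty body all count as failure.
validation_ok() {
    printf '%s' "$1" | grep -Eq '"status"[[:space:]]*:[[:space:]]*"OK"'
}

# Thin curl wrapper; --fail turns HTTP error codes into non-zero exits.
nsx_call() {   # usage: nsx_call METHOD URL
    curl --silent --show-error --fail -X "$1" -u "$NSX_USER:$NSX_PASS" \
         -H 'Content-Type: application/json' "$2"
}

# Validate first, then apply to every node and the VIP.
# usage: replace_certificate CERT_ID NODE_ID [NODE_ID ...]
replace_certificate() {
    cert_id="$1"; shift
    body=$(nsx_call GET "$(validate_url "$NSX_MGR" "$cert_id")")
    if ! validation_ok "$body"; then
        echo "certificate $cert_id failed validation: $body" >&2
        return 1
    fi
    for node_id in "$@"; do
        nsx_call POST "$(apply_node_url "$NSX_MGR" "$cert_id" "$node_id")"
    done
    nsx_call POST "$(apply_vip_url "$NSX_MGR" "$cert_id")"
}
# Example (placeholder IDs): replace_certificate <cert-id> <node-id-1> <node-id-2> <node-id-3>
```

Run it with the certificate ID and the three manager node IDs copied from the web GUI; if validation reports anything other than OK, the script stops before touching any node.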