NSX 4.X Certificate exchange of the NSX Manager
Exchange your NSX Manager certificates
2024-04-06 00:22 +0200
Certificate creation
First of all, we need a CSR. It can be created with OpenSSL; keep the private key that is generated with it, because NSX needs the certificate and its key together at import time. You can either create four individual certificates (the VIP and the three manager nodes) or one SAN certificate that carries all DNS names and IP addresses of the VIP and the manager nodes. The easiest way is to run the request on a manager node. To do this, I create an OpenSSL config file with vim (in the example it is called opnssl.cnf):
[req]
default_bits = 4096
default_md = sha256
days = 365
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = DE
ST = RLP
L = NW
O = Land RLP
OU = sdnwarrior
CN = nsxm0001.lab.home
emailAddress = mail@lab.home
[v3_req]
subjectAltName = @sans
[sans]
DNS.1 = nsxm0001.lab.home
DNS.2 = nsxm0002.lab.home
DNS.3 = nsxm0003.lab.home
DNS.4 = nsxm0004.lab.home
IP.1 = 192.168.12.110
IP.2 = 192.168.12.111
IP.3 = 192.168.12.112
IP.4 = 192.168.12.113
Note that days is not an option of the [req] section: openssl req ignores it, and the validity period of the final certificate is set by the issuing CA. The CSR is generated with the following command:
openssl req -new -newkey rsa:4096 -nodes -keyout nsxm0001.key -out nsxm0001.csr -config opnssl.cnf
Two files are generated: the private key (nsxm0001.key) and the actual request (nsxm0001.csr), which is submitted to the CA. Before submitting, check the CSR's Subject Alternative Name extension with openssl to make sure every manager FQDN and IP is listed. Keep the key file; it is needed for the import, and since it is the managers' TLS identity it must be protected like any other secret.
Import certificate
The certificate can be imported in the NSX Manager under System > Certificates > Import. Paste the certificate chain and the private key. Make sure the Service Certificate slider is set to No: only certificates imported without the service flag can be applied to the manager nodes and the VIP. The complete certificate chain is required, in the industry-standard order 'certificate – intermediate – root'.
(Screenshot: Import NSX Cert)
After the import, validate the certificate with an API request. The API calls may vary between NSX-T versions; this example uses NSX 4.1.2.3.
GET https://<nsx-mgr>/api/v1/trust-management/certificates/<cert-id>?action=validate
A response whose status field is OK means the chain and the key were accepted; with ERROR the error_message field states what is wrong (typically a missing intermediate, a wrong chain order, or a key that does not match the certificate). Do not apply a certificate that fails validation.
Exchange of certificates
An API request must be executed for each manager node and for the VIP. This requires the certificate ID and the ID of each manager node. Both can be copied from the web UI or retrieved with API GET requests (GET /api/v1/trust-management/certificates lists the imported certificates, GET /api/v1/cluster/nodes lists the cluster nodes with their IDs).
The following API call is used to exchange the Manager Node certificate:
POST /api/v1/trust-management/certificates/<cert-id>?action=apply_certificate&service_type=API&node_id=<node-id>
The following API call is used to exchange the cluster VIP certificate:
POST /api/v1/trust-management/certificates/<cert-id>?action=apply_certificate&service_type=MGMT_CLUSTER
After replacing the certificates, close all browser windows and log in to the NSX Manager again. The browser should now present the new certificate; check it against the VIP and against each node individually, since each of the four is replaced by its own API call.
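The validate and apply steps above, scripted end to end, as an added example that is not part of the original post and not VMware's code. It uses only the Python standard library, talks to the same trust-management and cluster endpoints the text mentions, validates first and refuses to apply a certificate whose validation status is not OK, then applies the certificate to every manager node and finally to the VIP. The manager host name, the admin user, the certificate display name and the node IDs are assumptions; the built-in demo transport is a constructed stand-in for a manager so the script runs offline, and it assumes that a node's display_name is its FQDN.

```python
"""Added example: replace NSX Manager node and VIP certificates via the
trust-management API (not the original author's code). Host names, user,
certificate display name and node IDs are assumptions."""
import base64
import json
import ssl
import urllib.error
import urllib.request

NSX_API = "/api/v1"


def urllib_transport(verify_tls=True):
    """Real transport: (method, url, headers) -> (http status, body bytes)."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        # Only acceptable while the manager still presents its self-signed
        # certificate; switch back to verification once the CA cert is applied.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    def send(method, url, headers):
        req = urllib.request.Request(url, method=method, headers=headers)
        try:
            with urllib.request.urlopen(req, context=ctx) as resp:
                return resp.status, resp.read()
        except urllib.error.HTTPError as err:
            return err.code, err.read()
    return send


def make_demo_transport(validate_status="OK"):
    """Constructed offline stand-in for a manager; records every call it receives."""
    calls = []

    def send(method, url, headers):
        calls.append((method, url))
        if url.endswith(NSX_API + "/trust-management/certificates"):
            body = {"results": [{"id": "cert-1", "display_name": "nsxm-2024",
                                 "has_private_key": True}]}
        elif url.endswith(NSX_API + "/cluster/nodes"):
            body = {"results": [{"id": "node-a", "display_name": "nsxm0002.lab.home"},
                                {"id": "node-b", "display_name": "nsxm0003.lab.home"}]}
        elif url.endswith("?action=validate"):
            body = {"status": validate_status,
                    "error_message": "" if validate_status == "OK" else "chain broken"}
        else:
            body = {}  # apply_certificate: nothing of interest in the body
        return 200, json.dumps(body).encode()
    send.calls = calls
    return send


class NsxTrustClient:
    def __init__(self, manager, user, password, transport):
        self.base = "https://" + manager
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.headers = {"Authorization": "Basic " + token,
                        "Accept": "application/json",
                        "Content-Type": "application/json"}
        self.transport = transport

    def _call(self, method, path, ok=(200,)):
        status, body = self.transport(method, self.base + NSX_API + path, self.headers)
        if status not in ok:
            raise RuntimeError(f"{method} {path} returned HTTP {status}: {body[:200]!r}")
        return json.loads(body) if body else {}

    def certificate_id(self, display_name):
        """ID of the imported certificate; it must have been imported with its key."""
        for cert in self._call("GET", "/trust-management/certificates").get("results", []):
            if cert.get("display_name") == display_name:
                if not cert.get("has_private_key"):
                    raise RuntimeError("certificate was imported without its private key")
                return cert["id"]
        raise RuntimeError(f"no certificate named {display_name}")

    def manager_node_ids(self):
        """hostname -> node id for every node in the manager cluster."""
        nodes = self._call("GET", "/cluster/nodes").get("results", [])
        return {n["display_name"]: n["id"] for n in nodes}

    def validate(self, cert_id):
        """GET ...?action=validate; anything but status OK aborts the rollout."""
        result = self._call("GET", f"/trust-management/certificates/{cert_id}?action=validate")
        if result.get("status") != "OK":
            raise RuntimeError(f"validation failed: {result.get('error_message')}")
        return result

    def apply_to_node(self, cert_id, node_id):
        self._call("POST", f"/trust-management/certificates/{cert_id}"
                           f"?action=apply_certificate&service_type=API&node_id={node_id}")

    def apply_to_vip(self, cert_id):
        self._call("POST", f"/trust-management/certificates/{cert_id}"
                           "?action=apply_certificate&service_type=MGMT_CLUSTER")

    def replace_all(self, display_name):
        """Validate, then apply to each manager node, then to the cluster VIP."""
        cert_id = self.certificate_id(display_name)
        self.validate(cert_id)
        nodes = self.manager_node_ids()
        for node_id in nodes.values():
            self.apply_to_node(cert_id, node_id)
        self.apply_to_vip(cert_id)
        return cert_id, sorted(nodes)


if __name__ == "__main__":
    # Offline run against the constructed transport. Against a real manager use
    # NsxTrustClient("nsxm0001.lab.home", "admin", password, urllib_transport()).
    demo = make_demo_transport()
    client = NsxTrustClient("nsxm0001.lab.home", "admin", "secret", demo)
    print(client.replace_all("nsxm-2024"))
    for method, url in demo.calls:
        print(method, url)
```

The order matters: the script only starts posting apply_certificate once validation has returned OK, so a wrong chain order or a mismatched key never reaches a node. Run it against a real manager with the admin credentials and, until the CA-issued certificate is in place, either trust the current self-signed certificate explicitly or use urllib_transport(verify_tls=False); after the change, switch verification back on and the new chain should validate without exceptions.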