Sometimes you come across a couple of older environments that haven’t received the amount of love you should give them. I came across one NSX-V environment that had an expired certificate on the NSX Manager. Renewing an NSX Manager certificate is one of the easiest things to do on an NSX Manager. So here goes.
- Log in to your NSX Manager interface and click on Manage Appliance Settings.
- Browse to Settings -> SSL Certificates
- Now you can choose between a couple of options. You can either import a certificate you already made, or you can create a new Certificate Signing Request (CSR) so that you can request an internal or external CA signed certificate.
- If you choose “Generate Certificate Signing Request” you can fill out the form and for a Self-Signed certificate hit the “Self Sign CSR and apply certificate” checkbox at the bottom.
- If you did not choose the “Generate Certificate Signing Request” checkbox you can now download the .CSR file by clicking “Download CSR”. Good to know for you security experts out there: if you choose “Download CSR”, the private key never leaves the NSX Manager appliance.
- Now go to your local CA, or external CA, and upload the .CSR. Be aware that if you want to use a local CA you might want to have a look at the following VMware KB where it is explained how you can create a Microsoft Certificate Authority template for SSL certificate creation in vSphere 6.x/7.x. I will not go through this process within this blog post; the KB is pretty self-explanatory.
- Once you have the certificate you can use the “Upload PKCS#12 Keystore” button to import the certificate. If you have a .cer file you can convert it to a .pem file with the following OpenSSL command (depending on the NSX-V Manager version):
openssl x509 -inform der -in nsxmanager.cer -out nsxmanager.pem
- Make sure the following order is kept in the .pem file. If you do not do this, the import will fail (trust me on this, I’ve done it :)):
Machine Certificate
Intermediary CA certificate
Root CA certificate
- Once the import is successful you will see a message that you need to restart the NSX Manager. Go ahead and do this. You can safely restart the NSX Manager, since this is the management plane for your NSX for vSphere environment, and not the data plane.
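To catch an ordering mistake in the .pem file before the upload, the following added example (not part of the original post and not VMware tooling) checks that each certificate in the bundle is issued by the one after it and that the last one is self-issued. The function names, the script name `check_chain.sh` and the throwaway demo chain are assumptions made for illustration; the check compares names only and does not verify signatures.

```bash
#!/usr/bin/env bash
# Added example: confirm a PEM bundle is ordered machine cert, intermediate CA(s), root CA.
# Compares issuer/subject names only; signatures and validity dates are not checked.

check_chain_order() {   # $1 = PEM bundle; returns 0 = order OK, 1 = wrong order, 2 = unreadable
    local bundle="$1" tmp n i next issuer subject rc=0
    tmp=$(mktemp -d) || return 2
    # Write each BEGIN/END CERTIFICATE block to its own numbered file.
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++; keep = 1 }
        keep { print > (d "/" n ".pem") }
        /-----END CERTIFICATE-----/ { keep = 0 }' "$bundle" 2>/dev/null || rc=2
    n=$(find "$tmp" -name '*.pem' | wc -l | tr -d ' ')
    [ "$n" -gt 0 ] || rc=2
    i=1
    while [ "$rc" -eq 0 ] && [ "$i" -le "$n" ]; do
        # Each certificate must be issued by the next one; the last one by itself (root).
        if [ "$i" -lt "$n" ]; then next=$((i + 1)); else next=$i; fi
        issuer=$(openssl x509 -noout -issuer_hash -in "$tmp/$i.pem" 2>/dev/null) || rc=2
        subject=$(openssl x509 -noout -subject_hash -in "$tmp/$next.pem" 2>/dev/null) || rc=2
        if [ "$rc" -eq 0 ] && [ "$issuer" != "$subject" ]; then
            echo "certificate $i is not issued by certificate $next" >&2
            rc=1
        fi
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return "$rc"
}

make_demo_chain() {     # constructed sample data: throwaway root, intermediate, machine cert in dir $1
    local d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -days 1 -set_serial 2 -in "$d/int.csr" \
        -CA "$d/root.pem" -CAkey "$d/root.key" -out "$d/int.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=nsxmanager.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -set_serial 3 -in "$d/leaf.csr" \
        -CA "$d/int.pem" -CAkey "$d/int.key" -out "$d/leaf.pem" 2>/dev/null
}

# Usage: ./check_chain.sh nsxmanager.pem
if [ -n "${1:-}" ]; then check_chain_order "$1" && echo "chain order OK"; fi
```

A single self-signed certificate also passes, because it is its own issuer.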
Like I said, replacing the NSX-V Manager certificate is really easy and straightforward!
Bonus: Suppose you create the certificate somewhere else (not on the NSX-V Manager itself through the above procedure) and you want to import the certificate, you will need the private key. So a PKCS#12 format is required. In some versions of NSX-V it is also the only option to import a certificate. To create such a package you can use the following OpenSSL command:
openssl pkcs12 -export -in nsxmanager-cert.pem -inkey privatekey.pem -out nsxmanager.p12
Once that is done, you can also use the “Upload PKCS#12 Keystore” button to import this file and renew your NSX Manager certificates.