Introduction
In our NSX(T) environment I’ve had to replace certificates loads of times. This is actually quite easy if you know how (which I will explain in this post). However, this time after replacing all the NSX Manager certificates (Cluster and Nodes) we had one expired certificate left, the one for the ‘local-manager’ service. In this blogpost I will explain how to replace this certificate and where it is used.
Guide
Replacing certificates in the NSX(T) Manager is a little bit more work compared against the NSX-V Manager How to renew your NSX(-V) Manager certificate. Not everything is fully integrated into the UI (yet) so we are going to use a bit of NSX RESTAPI to complete all of the steps.
First you will want to uploaded all of your certificates. That would be the ones for the NSX Manager Cluster FQDN and all of the participating NSX Manager Nodes FQDN’s. Just login to your NSX Manager and go to System -> Certificates -> Import. In this part you can import the certificate, private key and enter the passphrase. Please note to not import the certificate as a “Service Certificate”. Service Certificates cannot be used on the NSX Manager (Cluster) because they are used for you guessed it, services such as VPN, Loadbalancer and TLS Inspection.
Once certificates are imported you can find them in the list such as below:
You can see Valid certificates and Expired certificates. Once the certificates are uploaded you can check if they are valid with the following RESTAPI snippet:
https://nsxt-fqdn/api/v1/trust-management/certificates/<<certificate_id>>?action=validate
The <<certificate_id>> is something you can find in the previously mentioned view. Just unfold a certificate and the first line is the ID for the certificate you need to use. Once executed in your favorite RESTAPI client (mine is Postman) you should receive a Status OK (200 OK).
Once this is true you can execute the following commands to replace the certificate on the NSX Manager Cluster and Nodes.
NSX(-T) Manager Cluster: POST https://nsxt-fqdn/api/v1/cluster/api-certificate?action=set_cluster_certificate&certificate_id=<<certificate_id>> NSX(-T) Manager Nodes: POST https://nsxtnode-fqdn/api/v1/node/services/http?action=apply_certificate&certificate_id=<<certificate_id>>
So far so good, but I found out that we also had a “Local Manager” certificate. After some digging I found that this certificate is used for Federation in NSX. This certificate seems to be present eventhough we don’t use Federation in this environment. The certificate is used as Principle Identity (PI) for the Local and Global Managers. The entire NSX environment uses a single PI certificate. This certificate can also be replaced but uses a different API call. That would be the one below:
https://nsxt-fqdn/api/v1/trust-management/certificates?action=set_pi_certificate_for_federation
For this API call to work use the following Header: Content-Type application/json and in the body select ‘json’ and fill the following information:
{ “cert_id”: “<id>”, “service_type”: “LOCAL_MANAGER” }
Use the certificate_id from the certificate you want to use for this service and execute the POST call. You should receive the 200 OK. Once done check your local NSX Manager environment and the certificate should have a 0 in the “Where Used” column. At this point it is save to delete the old expired Local-Manager certicate.
There you have it, a quick guide on how to replace NSX(T) Manager certificates. I hope this helped.
0 Comments