After you added the new NSX Manager node to the cluster and validated the cluster status, you must add an SSL certificate to the new node.

In the following steps, replace <node_FQDN> with the FQDN of the new NSX Manager node.

Procedure

  1. In a web browser, log in to the new NSX Manager node.
    https://<node_FQDN>/login.jsp?local=true
  2. Generate a certificate signing request (CSR) for the new NSX Manager node.
    1. Click System > Certificates > CSRs > Generate CSR and select Generate CSR.
    2. Enter the CSR information and click Save.
      Option              Description
      Common Name         Enter the fully qualified domain name (FQDN) of the node. For example, nsx-wld-3.vrack.vsphere.local.
      Name                Assign a name for the certificate. For example, nsx-wld-3.vrack.vsphere.local.
      Organization Unit   Enter the department in your organization that is handling this certificate. For example, VMware Engineering.
      Organization Name   Enter your organization name with applicable suffixes. For example, VMware.
      Locality            Add the city in which your organization is located. For example, Palo Alto.
      State               Add the state in which your organization is located. For example, California.
      Country             Add your organization location. For example, United States (US).
      Message Algorithm   Set the encryption algorithm for your certificate. For example, RSA.
      Key Size            Set the key bits size of the encryption algorithm. For example, 2048.
      Description         Enter specific details to help you identify this certificate at a later date.
    3. Click Save.
  3. Select the CSR then click Actions and select Download CSR PEM.
  4. Rename the downloaded file to <node_FQDN>.csr and upload it to the root directory on the management domain vCenter Server.
  5. SSH to the management domain vCenter Server as the root user and run the following command to switch from the appliance shell to the Bash shell (the process substitution in the next step requires Bash):
    shell
  6. Run the following command:
    openssl x509 -req -extfile <(printf "subjectKeyIdentifier = hash\nauthorityKeyIdentifier=keyid,issuer\nkeyUsage = nonRepudiation, digitalSignature, keyEncipherment\nextendedKeyUsage=serverAuth,clientAuth\nbasicConstraints = CA:false\nsubjectAltName = DNS:<node_FQDN>") \
      -days 365 -in <node_FQDN>.csr -CA /var/lib/vmware/vmca/root.cer -CAkey /var/lib/vmware/vmca/privatekey.pem \
      -CAcreateserial -out <node_FQDN>.crt -sha256
    The printf string writes the X.509 v3 extensions that the signed certificate receives: a subject alternative name equal to the node FQDN, server and client authentication as extended key usage, and CA:false so the certificate cannot be used to sign other certificates.
    The expected output should look like the following example:
    Signature ok
    subject=/L=PA/ST=CA/C=US/OU=VMware Engineering/O=VMware/CN=nsx-wld-3.vrack.vsphere.local
    Getting CA Private Key
  7. Append the vCenter Server VMCA root certificate to the signed certificate so that the file contains the complete chain.
    cat /var/lib/vmware/vmca/root.cer >> <node_FQDN>.crt
  8. Download the <node_FQDN>.crt file from the vCenter Server root directory.
  9. Import <node_FQDN>.crt to the NSX Manager node.
    1. In a web browser, log in to the new NSX Manager node.
      https://<node_FQDN>/login.jsp?local=true
    2. Click System > Certificates > CSRs.
    3. Select the CSR for the new node, click Actions, and select Import Certificate for CSR.
    4. Browse to and select the <node_FQDN>.crt file you downloaded in step 8.
  10. Apply the certificate to the NSX Manager node.
    1. Click System > Certificates > Certificates.
    2. Locate and copy the ID of the certificate for the new node.
    3. From a system that has the curl command and has access to the NSX Manager nodes (for example, vCenter Server or SDDC Manager), run the following command to install the CA-signed certificate on the new NSX Manager node.
      curl -H 'Accept: application/json' -H 'Content-Type: application/json' --insecure -u 'admin:<nsx_admin_password>' -X POST 'https://<node_FQDN>/api/v1/node/services/http?action=apply_certificate&certificate_id=<certificate_id>'
      Replace <nsx_admin_password> with the admin password for the NSX Manager node. Replace <certificate_id> with the certificate ID from step 10b.
  11. In the SDDC Manager UI, replace the NSX Manager certificates with trusted CA-signed certificates from a Certificate Authority (CA). See Certificate Management.
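The signing and chaining performed in steps 6 and 7, followed by the checks worth running on the resulting file before importing it in step 9, as an added example that is not part of the VMware documentation. It assumes openssl is on the path; the function names are hypothetical, and the CA certificate, CA key and CSR paths are parameters so the same functions work against a constructed test CA as well as the VMCA paths the procedure uses.

```shell
#!/bin/sh
# Added example (not from the VMware page). Assumes openssl is installed.

# sign_node_csr <node_FQDN> <csr_file> <ca_cert> <ca_key> <out_crt>
# Writes the extension block the procedure uses (SAN = node FQDN,
# serverAuth/clientAuth EKU, CA:false) to a temp file, signs the CSR with
# the CA, then appends the CA certificate so the file carries the chain.
sign_node_csr() {
  fqdn="$1"; csr="$2"; ca_cert="$3"; ca_key="$4"; out="$5"
  ext="$(mktemp)"
  printf 'subjectKeyIdentifier = hash\nauthorityKeyIdentifier = keyid,issuer\nkeyUsage = nonRepudiation, digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth,clientAuth\nbasicConstraints = CA:false\nsubjectAltName = DNS:%s\n' "$fqdn" > "$ext"
  openssl x509 -req -extfile "$ext" -days 365 -in "$csr" \
    -CA "$ca_cert" -CAkey "$ca_key" -CAcreateserial -out "$out" -sha256 \
    >/dev/null 2>&1 || { rm -f "$ext"; return 1; }
  rm -f "$ext"
  cat "$ca_cert" >> "$out"
}

# check_node_cert <node_FQDN> <crt_file> <ca_cert>
# Returns 0 only if the leaf certificate verifies against the CA, is not a
# CA itself, and carries the node FQDN as a DNS subject alternative name.
# A certificate that fails any of these is rejected by NSX Manager or by
# clients that validate the hostname, so check before importing.
check_node_cert() {
  fqdn="$1"; crt="$2"; ca_cert="$3"
  openssl verify -CAfile "$ca_cert" "$crt" >/dev/null 2>&1 || return 1
  text="$(openssl x509 -in "$crt" -noout -text)"
  printf '%s\n' "$text" | grep -q 'CA:FALSE' || return 1
  printf '%s\n' "$text" | grep -q "DNS:$fqdn" || return 1
  return 0
}
```

On the vCenter Server, call sign_node_csr with /var/lib/vmware/vmca/root.cer and /var/lib/vmware/vmca/privatekey.pem as the CA arguments; the test CA below is a constructed throwaway.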

What to do next

Important:

If assigning the certificate fails because the certificate revocation list (CRL) verification fails, see https://kb.vmware.com/kb/78794. If you deactivate the CRL checking to assign the certificate, after assigning the certificate, you must re-enable the CRL checking.