After you added the new NSX Manager node to the cluster and validated the cluster status, you must add an SSL certificate to the new node.
Procedure
- In a web browser, log in to the new NSX Manager node.
https://<node_FQDN>/login.jsp?local=true
- Generate a certificate signing request (CSR) for the new NSX Manager node.
  - Click System > Certificates > CSRs > Generate CSR and select Generate CSR.
  - Enter the CSR information:
    - Common Name: Enter the fully qualified domain name (FQDN) of the node. For example, nsx-wld-3.vrack.vsphere.local.
    - Name: Assign a name for the certificate. For example, nsx-wld-3.vrack.vsphere.local.
    - Organization Unit: Enter the department in your organization that is handling this certificate. For example, VMware Engineering.
    - Organization Name: Enter your organization name with applicable suffixes. For example, VMware.
    - Locality: Add the city in which your organization is located. For example, Palo Alto.
    - State: Add the state in which your organization is located. For example, California.
    - Country: Add the country in which your organization is located. For example, United States (US).
    - Message Algorithm: Set the encryption algorithm for your certificate. For example, RSA.
    - Key Size: Set the key size, in bits, of the encryption algorithm. For example, 2048.
    - Description: Enter specific details to help you identify this certificate at a later date.
  - Click Save.
- Select the CSR, then click Actions and select Download CSR PEM.
- Rename the downloaded file to <node_FQDN>.csr and upload it to the root directory on the management domain vCenter Server.
- SSH to the management domain vCenter Server as the root user and run the following command to switch from the appliance shell to the Bash shell (the next step uses Bash process substitution):
  shell
- Run the following command to sign the CSR with the vCenter Server CA (VMCA) key. The extension list passed through printf must contain one extension per line:
  openssl x509 -req -extfile <(printf "subjectKeyIdentifier = hash\nauthorityKeyIdentifier = keyid,issuer\nkeyUsage = nonRepudiation, digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth, clientAuth\nbasicConstraints = CA:false\nsubjectAltName = DNS:<node_FQDN>\n") \
    -days 365 -in <node_FQDN>.csr -CA /var/lib/vmware/vmca/root.cer -CAkey /var/lib/vmware/vmca/privatekey.pem \
    -CAcreateserial -out <node_FQDN>.crt -sha256
  The expected output should look like the following example:
  Signature ok
  subject=/L=PA/ST=CA/C=US/OU=VMware Engineering/O=VMware/CN=nsx-wld-3.vrack.vsphere.local
  Getting CA Private Key
- Append the vCenter Server CA root certificate (root.cer) to the signed certificate so that the file contains the full chain:
  cat /var/lib/vmware/vmca/root.cer >> <node_FQDN>.crt
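Before downloading <node_FQDN>.crt, it is worth confirming that the file is what the import step expects. The following script is an added example, not part of the VMware procedure; it assumes openssl is on the path, that <node_FQDN>.crt holds the signed leaf certificate followed by the VMCA root (as produced by the two steps above), and that root.cer is the VMCA root certificate.

```shell
#!/bin/sh
# verify_node_cert CRT CA FQDN  (assumed helper; not part of the VMware procedure)
# Sanity-checks the <node_FQDN>.crt file built by the signing and "cat >>" steps
# before it is imported into NSX Manager. Returns 0 only if every check passes.
verify_node_cert() {
    crt="$1"; ca="$2"; fqdn="$3"

    # 1. Exactly two PEM blocks: the node's leaf certificate, then the VMCA root.
    #    Running "cat root.cer >> <node_FQDN>.crt" twice is an easy slip to make.
    n=$(grep -c 'BEGIN CERTIFICATE' "$crt" || true)
    if [ "$n" -ne 2 ]; then
        echo "$crt: expected 2 certificates (leaf + VMCA root), found $n" >&2
        return 1
    fi

    # 2. The second block must be the VMCA root itself (compare SHA-256 fingerprints).
    want=$(openssl x509 -in "$ca" -noout -fingerprint -sha256)
    got=$(awk '/BEGIN CERTIFICATE/ {n++} n == 2' "$crt" | openssl x509 -noout -fingerprint -sha256)
    if [ "$want" != "$got" ]; then
        echo "$crt: second certificate is not the VMCA root from $ca" >&2
        return 1
    fi

    # 3. The leaf (first block; openssl x509/verify only read the first) must chain to the root.
    if ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
        echo "$crt: leaf certificate does not verify against $ca" >&2
        return 1
    fi

    # 4. The leaf must name the node in subjectAltName (TLS clients match the host
    #    name against the SAN, not the CN) and must be signed with SHA-256.
    leaf=$(openssl x509 -in "$crt" -noout -text)
    if ! printf '%s\n' "$leaf" | tr ',' '\n' | sed 's/^ *//' | grep -qxF "DNS:$fqdn"; then
        echo "$crt: subjectAltName does not contain DNS:$fqdn" >&2
        return 1
    fi
    if ! printf '%s\n' "$leaf" | grep -q 'Signature Algorithm: sha256With'; then
        echo "$crt: leaf certificate is not signed with SHA-256" >&2
        return 1
    fi
    echo "$crt: OK (leaf for $fqdn, chained to the VMCA root)"
}

# Usage: sh verify_node_cert.sh <node_FQDN>.crt /var/lib/vmware/vmca/root.cer <node_FQDN>
if [ $# -eq 3 ]; then verify_node_cert "$@"; fi
```

Run it on the vCenter Server right after the cat command; a non-zero exit with the printed reason means the file should be rebuilt before it is imported.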
- Download the <node_FQDN>.crt file from the vCenter Server root directory.
- Import <node_FQDN>.crt to the NSX Manager node.
  - In a web browser, log in to the new NSX Manager node.
    https://<node_FQDN>/login.jsp?local=true
  - Click System > Certificates > CSRs.
  - Select the CSR for the new node, click Actions, and select Import Certificate for CSR.
  - Browse to and select the <node_FQDN>.crt file you downloaded from the vCenter Server.
  - Toggle the Service Certificate button to No.
  - Click Save.
- Apply the certificate to the NSX Manager node.
  - Click System > Certificates > Certificates.
  - Locate and copy the ID of the certificate for the new node.
  - From a system that has the curl command and access to the NSX Manager nodes (for example, vCenter Server or SDDC Manager), run the following command to install the CA-signed certificate on the new NSX Manager node:
    curl -H 'Accept: application/json' -H 'Content-Type: application/json' --insecure \
      -u 'admin:<nsx_admin_password>' -X POST \
      'https://<node_FQDN>/api/v1/node/services/http?action=apply_certificate&certificate_id=<certificate_id>'
    Replace <nsx_admin_password> with the admin password for the NSX Manager node, and <certificate_id> with the certificate ID you copied in the previous sub-step. The --insecure option is needed only because the node still presents its self-signed certificate until this call completes. To keep the password out of your shell history, you can pass -u admin without a password and let curl prompt for it.
- In the SDDC Manager UI, replace the NSX Manager certificates with trusted CA-signed certificates from a Certificate Authority (CA). See Managing Certificates in VMware Cloud Foundation.
What to do next
If assigning the certificate fails because the certificate revocation list (CRL) verification fails, see https://kb.vmware.com/kb/78794. If you deactivate CRL checking in order to assign the certificate, you must re-enable CRL checking after the certificate is assigned.