To continue using the NSX Manager principal identity after its certificate expires, you generate a new certificate and private key and refresh the principal identity so that it references the new certificate.

If you followed the Prepare the NSX to VMware Aria Operations Integration for Intelligent Operations Management for VMware Cloud Foundation procedure when implementing this validated solution, the NSX Manager principal identity certificate expires in 365 days. You use the contents of the certificate and the key file to refresh the principal identity in NSX Manager.

Note:

Some steps in this procedure require the NSX API. To simplify those steps, this procedure uses PowerShell cmdlets instead of calling the API directly.

Procedure

  1. Log in to SDDC Manager at <sddc_manager_fqdn>:22 as the vcf user by using a Secure Shell (SSH) client.
  2. Switch to the super user.
    su
  3. Generate the certificate and private key.
    openssl req -newkey rsa:2048 -sha256 -x509 -days 365 -subj "/CN=nsx_local_manager_cluster_hostname" -extensions usr_cert -nodes -keyout nsx_local_manager_cluster_hostname.key -out nsx_local_manager_cluster_hostname.cer
    Note:

    You use the contents of nsx_local_manager_cluster_hostname.key and nsx_local_manager_cluster_hostname.cer to refresh the principal identity in NSX Manager and to refresh the credential in VMware Aria Operations. The private key is the credential for the principal identity: keep the files readable by root only, and delete the copies on SDDC Manager once both refreshes are complete.

  4. Import the new certificate in NSX Manager.
    1. Log in to NSX Manager at https://<nsx_manager_fqdn>/login.jsp?local=true as admin.
    2. On the main navigation bar, click System.
    3. In the left pane, navigate to Settings > Certificates.
    4. Click the Certificates tab and, from the Import drop-down menu, select Certificate.
    5. In the Import certificate dialog box, enter a certificate name identical to the service account name and turn off the Service certificate toggle switch.

    6. In the Certificate contents text box, paste the contents of the nsx_local_manager_cluster_hostname.cer certificate file.

    7. In the Private key text box, paste the contents of the nsx_local_manager_cluster_hostname.key file and click Save.

    8. Expand the newly created certificate and make a note of its ID.

  5. Update the principal identity with the new certificate by using PowerShell.
    1. Start PowerShell.

    2. Replace the values in the sample code with the values for your environment and run the commands in the PowerShell console. $nsxManager is the FQDN of the NSX Manager cluster, and $newCertificateId is the ID you noted in the previous step.

      $nsxManager = "sfo-m01-nsx01.sfo.rainpole.io"
      $nsxUser = "admin"
      $nsxPass = "VMw@re1!VMw@re1!"
      
      $principalIdentity = "svc-iom-sfo-m01-nsx"
      $newCertificateId = "32fc1dd0-fabd-4643-b64e-35b708424538"
    3. Obtain the ID of the existing principal identity by running the command in the PowerShell console.

      $principalId = (Get-NsxtPrincipalIdentity -name $principalIdentity).id
    4. Update the principal identity's certificate by using the imported certificate's ID and the principal identity ID. Before you continue, confirm that the principal identity now references the new certificate ID so that the expired certificate can be deleted safely.

      Set-NsxtPrincipalIdentityCertificate -principalId $principalId -certificateId $newCertificateId
  6. Remove the expired certificate from NSX Manager. Do this only after confirming that the principal identity references the new certificate.

    1. Log in to NSX Manager at https://<nsx_manager_fqdn>/login.jsp?local=true as admin.
    2. On the main navigation bar, click System.
    3. In the left pane, navigate to Settings > Certificates.

    4. Locate the expired certificate, click the vertical ellipsis, and click Delete.

    5. In the Delete dialog box, click Delete.

  7. Repeat this procedure for each VI workload domain in the VMware Cloud Foundation instance.
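The following script is an added example, not part of the VMware procedure or of the PowerValidatedSolutions cmdlets it references. It performs steps 4 to 6 against the NSX trust-management API with Invoke-RestMethod, reads the certificate ID back from the API instead of copying it from the UI, and deletes the expired certificate only after verifying that the principal identity references the new one. The FQDN, the file names and the 30-day freshness threshold are assumptions; the API paths are those of the NSX trust-management API. It assumes PowerShell 7 or later and the NSX admin account.

```powershell
# Added example (not VMware's code): refresh a principal identity certificate through the
# NSX trust-management API and verify the binding before the expired certificate is deleted.
# Assumes PowerShell 7+ and an NSX admin account. Placeholder values are illustrative.

$nsxManager        = "sfo-m01-nsx01.sfo.rainpole.io"             # NSX Manager cluster FQDN (assumed)
$nsxUser           = "admin"
$principalIdentity = "svc-iom-sfo-m01-nsx"
$certFile          = ".\nsx_local_manager_cluster_hostname.cer"  # output of the openssl step
$keyFile           = ".\nsx_local_manager_cluster_hostname.key"

# Prompt for the password instead of keeping it in the script.
$secure = Read-Host -Prompt "Password for $nsxUser@$nsxManager" -AsSecureString
$plain  = [System.Net.NetworkCredential]::new("", $secure).Password
$token  = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("${nsxUser}:${plain}"))

$base = "https://$nsxManager/api/v1/trust-management"
$irm  = @{
    Headers     = @{ Authorization = "Basic $token" }
    ContentType = "application/json"
    # Remove SkipCertificateCheck once NSX Manager presents a certificate your client trusts.
    SkipCertificateCheck = $true
}

# 1. Sanity-check the new certificate before touching NSX Manager.
$x509 = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new((Resolve-Path $certFile).Path)
if ($x509.NotAfter -le (Get-Date).AddDays(30)) {
    throw "Certificate $certFile expires on $($x509.NotAfter); generate a fresh one before continuing."
}
Write-Host "New certificate: $($x509.Subject), valid until $($x509.NotAfter)"

# 2. Look up the principal identity and remember the certificate it currently references.
$pi = (Invoke-RestMethod @irm -Uri "$base/principal-identities").results |
      Where-Object { $_.name -eq $principalIdentity }
if (-not $pi) { throw "Principal identity '$principalIdentity' not found on $nsxManager" }
$oldCertificateId = $pi.certificate_id

# 3. Import the new certificate and key (equivalent of the UI import in step 4).
$import = @{
    display_name = $principalIdentity
    pem_encoded  = Get-Content -Path $certFile -Raw
    private_key  = Get-Content -Path $keyFile  -Raw
} | ConvertTo-Json
$imported = Invoke-RestMethod @irm -Method Post -Uri "$base/certificates?action=import" -Body $import
$newCertificateId = $imported.results[0].id

# 4. Point the principal identity at the new certificate (equivalent of step 5).
$update = @{ principal_identity_id = $pi.id; certificate_id = $newCertificateId } | ConvertTo-Json
Invoke-RestMethod @irm -Method Post -Uri "$base/principal-identities?action=update_certificate" -Body $update | Out-Null

# 5. Verify the binding before deleting anything.
$check = Invoke-RestMethod @irm -Uri "$base/principal-identities/$($pi.id)"
if ($check.certificate_id -ne $newCertificateId) {
    throw "Principal identity still references $($check.certificate_id); not deleting the old certificate."
}

# 6. Only now remove the expired certificate (equivalent of step 6).
if ($oldCertificateId -and $oldCertificateId -ne $newCertificateId) {
    Invoke-RestMethod @irm -Method Delete -Uri "$base/certificates/$oldCertificateId" | Out-Null
    Write-Host "Removed expired certificate $oldCertificateId; principal identity now uses $newCertificateId"
}
```

Run the script once per NSX Manager cluster, once for the management domain and once for each VI workload domain, changing $nsxManager, $principalIdentity and the file names each time. The verification in step 5 is the point of the script: if the update call fails silently or targets the wrong principal identity, the expired certificate is left in place rather than deleted.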