After implementing the Advanced Load Balancing for VMware Cloud Foundation validated solution, consider replacing the portal certificate of the NSX Advanced Load Balancer, that is, the Controller portal certificate. It is recommended to rotate the Controller cluster portal certificate and the Controller cluster secure channel certificate at least every 90 days.

Caution:

As of VCF version 5.2, this functionality has been natively implemented as part of the SDDC Manager workflows. Please refer to Managing Avi Load Balancer in VMware Cloud Foundation for more information.

Note:
  • Steps to sign a CSR by a Trusted CA are not covered in this document.

  • It is required to upload the complete certificate bundle after the CSR is signed by the trusted CA.

  • Certificate rotation on NSX or vCenter does not impact NSX Advanced Load Balancer.

Prerequisites

Deploy the NSX Advanced Load Balancer according to the Advanced Load Balancing for VMware Cloud Foundation validated solution.

The security of the environment depends on the validity and trust of the management components' certificates. As a best practice, replace certificates in the following cases:

  1. Before certificates expire

  2. When a certificate is compromised

  3. When the attributes related to a certificate change, for instance, the host name or the organization name

The certificate replacement for the NSX Advanced Load Balancer consists of the following phases:

  1. Generate a Certificate Signing Request (CSR) for the NSX Advanced Load Balancer portal certificate from the Controller.

  2. Provide the generated CSR to the CA and request to sign the CSR.

  3. Update the CSR on the Controller with the signed certificate.

  4. Update the system configuration on the Controller with the updated certificate.

Procedure

  1. Rotate the Controller cluster portal certificate

    1. In a web browser, log in to the Controller cluster VIP by using https://sfo-m01-avic01.sfo.rainpole.io/.

    2. Navigate to Templates > Security > SSL/TLS Certificates and click the Pencil icon to edit the sfo-m01-avic01-portal-certificate Controller certificate object.

    3. Under Certificate Signing Request, select Copy to clipboard to copy the previously generated CSR.

    4. Have the copied CSR signed by a trusted CA. This produces a new signed certificate bundle.

    5. Navigate to Templates > Security > SSL/TLS Certificates and click the Pencil icon to edit the sfo-m01-avic01-portal-certificate Controller certificate object.

    6. Click Paste text and paste the newly generated signed certificate bundle.

    7. Click SAVE.

    8. Refresh the browser to renegotiate TLS with the Controller cluster portal. The Controller cluster portal should now present the new signed certificate.

  2. Rotate the Controller cluster secure channel certificate

    Note:

      It is required to upload the complete certificate bundle on the Controller for the secure channel certificate.

    1. In a web browser, log in to the Controller cluster VIP by using https://sfo-m01-avic01.sfo.rainpole.io/.

    2. Navigate to Templates > Security > SSL/TLS Certificates and click the Pencil icon to edit the sfo-m01-avic01-secure-channel-certificate Controller certificate object.

    3. Under Certificate Signing Request, select Copy to clipboard to copy the previously generated CSR.

    4. Have the copied CSR signed by a trusted CA. This produces a new signed certificate bundle.

    5. Navigate to Templates > Security > SSL/TLS Certificates and click the Pencil icon to edit the sfo-m01-avic01-secure-channel-certificate Controller certificate object.

    6. Click Paste text and paste the newly generated signed certificate bundle.

    7. Click SAVE.
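Both procedures above require the complete signed bundle to be pasted into the Controller, and the guide recommends a 90-day rotation interval. The following script is an added example, not part of the VMware guide: it checks a bundle file before it is pasted (leaf plus CA chain present, leaf verifies against that chain, nothing expires inside the rotation window). It assumes the openssl CLI is on PATH; the make_demo_bundle helper and all file names are constructed for offline use only.

```shell
#!/bin/sh
# Added example, not part of the VMware guide: sanity-check a signed certificate
# bundle before pasting it into the Controller (portal or secure channel), and
# flag any certificate that falls inside the 90-day rotation window.
# Assumes the openssl CLI is on PATH; all file names here are constructed.

ROTATION_DAYS=90

# check_bundle BUNDLE.pem -> exit 0 when the bundle holds the leaf plus its CA
# chain, the leaf verifies against that chain, and nothing expires within
# ROTATION_DAYS; exit 1 otherwise, with the reason on stderr.
check_bundle() {
  bundle="$1"
  count=$(grep -c 'BEGIN CERTIFICATE' "$bundle")
  if [ "$count" -lt 2 ]; then
    echo "FAIL: $count certificate(s) in $bundle; upload the complete bundle (leaf + CA chain)" >&2
    return 1
  fi
  tmp=$(mktemp -d)
  # Split into one file per certificate: cert.0 is the leaf, the rest the CA chain.
  awk -v dir="$tmp" '/BEGIN CERTIFICATE/{n++} n>0{print > (dir "/cert." (n-1))}' "$bundle"
  cat "$tmp"/cert.[1-9]* > "$tmp/chain.pem"
  if ! openssl verify -CAfile "$tmp/chain.pem" "$tmp/cert.0" >/dev/null 2>&1; then
    echo "FAIL: leaf does not verify against the CA certificates in the bundle" >&2
    rm -rf "$tmp"; return 1
  fi
  for c in "$tmp"/cert.*; do
    if ! openssl x509 -in "$c" -noout -checkend $((ROTATION_DAYS * 86400)) >/dev/null; then
      echo "FAIL: $(openssl x509 -in "$c" -noout -subject) expires within $ROTATION_DAYS days" >&2
      rm -rf "$tmp"; return 1
    fi
  done
  rm -rf "$tmp"
  echo "OK: $count certificates, chain verifies, none expire within $ROTATION_DAYS days"
}

# make_demo_bundle DIR LEAF_DAYS: build a constructed test CA and leaf so the
# check can be exercised offline; real bundles come from your trusted CA.
make_demo_bundle() {
  dir="$1"; days="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days 400 -subj "/CN=Constructed Demo CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=sfo-m01-avic01.sfo.rainpole.io" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days "$days" -out "$dir/leaf.pem" 2>/dev/null
  cat "$dir/leaf.pem" "$dir/ca.pem" > "$dir/bundle.pem"
}
```

Run `check_bundle signed-bundle.pem` on the file returned by the CA before pasting it; a leaf-only file or a certificate already inside the rotation window is rejected with the reason printed.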