Renew Default (Self-Signed) Certificates on NSX Advanced Load Balancer

The default certificate on NSX Advanced Load Balancer is self-signed. This section explains how to replace the default certificate when the certificate is expired or is about to expire. The following steps can also be used to replace the self-signed certificate with a third-party signed certificate.

Prerequisites

OpenSSL 1.1.x or later.

Configure using NSX Advanced Load Balancer UI

Navigate to Templates > Security > SSL/TLS Certificates and click the Export icon (right) of System-Default-Cert entry.

Copy data from the Key and Certificate fields to two new files using the COPY TO CLIPBOARD option. Name the new files as system-default.key and system-default.cer, respectively.

Configure using OpenSSL

Run the following command in OpenSSL to check the expiration date of the certificate.
```
openssl x509 -in system-default.cer -noout -enddate
```

Run the following command to generate a new CSR with the system-default.key.
```
openssl req -new -key system-default.key -out system-default.csr
```

Run the following command to generate a new certificate with the new expiration date. In this example, the new certificate is named as system-default2.cer.
```
openssl x509 -req -days 365 -in system-default.csr -signkey system-default.key -out system-default2.cer
```

Verify the expiration date on the new certificate (system-default2.cer).
```
openssl x509 -in system-default2.cer -noout -enddate
```

Configure using NSX Advanced Load Balancer CLI and UI

Copy the system-default2.cer and the system-default.key to the Controller.
Optional Step: Before performing the next steps, you can deactivate any virtual services that are configured to use the System-Default-Cert.
Log in to the CLI, and execute the following command to perform the changes for the default certificate on NSX Advanced Load Balancer (System-Default-Cert).
```
[admin:cntrl1]: > configure sslkeyandcertificate System-Default-Cert
```

Execute the certificate command and click Enter. Run certificate file <path to system-default2.cer>/system-default2.cer. Enter the save command to save the changes.

[admin-cntrl1]: sslkeyandcertificate> certificate
[admin-cntrl1]: sslkeyandcertificate:certificate> certificate file:<path to system-default2.cer>/system-default2.cer
[admin-cntrl1]: sslkeyandcertificate> save

Enter the key file <path to system-default.key>/system-default.key. Enter the save command.

[admin-cntrl1]: sslkeyandcertificate> key file:<path to system-default.key>/system-default.key
[admin-cntrl1]: sslkeyandcertificate> save

Enable the virtual services if they were deactivated before the changes (optional).
Log in to the UI, navigate to Templates > Security > SSL/ TLS Certificates and check the expiry date for the renewed certificate.