You can replace the certificate for a manager node or the manager cluster virtual IP (VIP) by making an API call.
After you install NSX-T Data Center, the manager nodes and cluster have self-signed certificates. To improve security, it is highly recommended that you replace the self-signed certificates with CA-signed certificates and that you use a different certificate for each node.
In release 2.4, replacing an existing certificate with a CA-signed certificate might fail. This issue is fixed in release 2.4.1.
Verify that a certificate is available in the NSX Manager. See Import a Certificate.
- From your browser, log in with admin privileges to an NSX Manager at https://<nsx-manager-ip-address>.
- Select .
- In the ID column, click the ID of the certificate you want to use and copy the certificate ID from the pop-up window.
Make sure that when this certificate was imported, the option Service Certificate was set to No.
- To replace the certificate of a manager node, use the POST /api/v1/node/services/http?action=apply_certificate API call. For example,
For more information, see the NSX-T Data Center API Reference.
- To replace the certificate of the manager cluster VIP, use the POST /api/v1/cluster/api-certificate?action=set_cluster_certificate API call. For example,
For more information, see the NSX-T Data Center API Reference. This step is not necessary if you did not configure a VIP.
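The two API calls from the last two steps, as an added shell example that is not taken from the VMware documentation. It assumes the copied certificate ID is passed in the certificate_id query parameter and that the manager's current certificate has been exported to a PEM file; the function names, host name, file path and ID are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not VMware's own script. Function names are hypothetical;
# host, PEM path and certificate ID are supplied by the operator.

# Certificate IDs copied from the NSX Manager UI are UUIDs; reject anything
# else before it is placed into a URL.
valid_cert_id() {
  printf '%s' "$1" |
    grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Build the request URL. scope: "node" (one manager node) or "vip" (cluster VIP).
nsx_cert_url() {
  nsx_host=$1; nsx_scope=$2; nsx_id=$3
  valid_cert_id "$nsx_id" || { echo "invalid certificate ID" >&2; return 2; }
  case "$nsx_scope" in
    node) nsx_path='/api/v1/node/services/http?action=apply_certificate' ;;
    vip)  nsx_path='/api/v1/cluster/api-certificate?action=set_cluster_certificate' ;;
    *)    echo "scope must be node or vip" >&2; return 2 ;;
  esac
  printf 'https://%s%s&certificate_id=%s\n' "$nsx_host" "$nsx_path" "$nsx_id"
}

# Send the POST. The manager still presents its old self-signed certificate,
# so trust exactly that certificate with --cacert instead of disabling
# verification. curl prompts for the admin password, which keeps it out of
# the shell history and the process list.
replace_cert() {
  nsx_url=$(nsx_cert_url "$1" "$2" "$3") || return
  curl --fail --silent --show-error --cacert "$4" -u admin -X POST "$nsx_url"
}

# Print subject, issuer and SHA-256 fingerprint of the certificate the
# endpoint serves, for comparison with the certificate that was imported.
served_cert() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -noout -subject -issuer -fingerprint -sha256
}

# Usage: replace-cert.sh <host> <node|vip> <certificate-id> <current-cert.pem>
#        replace-cert.sh <host>        (only show the served certificate)
case "$#" in
  4) replace_cert "$@" ;;
  1) served_cert "$1" ;;
esac
```

Run it once per manager node with that node's own certificate ID, then with a single host argument to confirm that the issuer and fingerprint now match the CA-signed certificate.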