You can replace the certificate for a manager node or the manager cluster virtual IP (VIP) by making an API call.

After you install NSX-T Data Center, the manager nodes and cluster have self-signed certificates. To improve security, it is highly recommended that you replace the self-signed certificates with CA-signed certificates and that you use a different certificate for each node.

In release 2.4, replacing an existing certificate with a CA-signed certificate might fail. This issue is fixed in release 2.4.1.

Prerequisites

Verify that a certificate is available in the NSX Manager. See Import a Certificate.

Procedure

  1. From your browser, log in with admin privileges to an NSX Manager at https://<nsx-manager-ip-address>.
  2. Select System > Certificates.
  3. In the ID column, click the ID of the certificate you want to use and copy the certificate ID from the pop-up window.
    Make sure that when this certificate was imported, the option Service Certificate was set to No.
  4. To replace the certificate of a manager node, use the POST /api/v1/node/services/http?action=apply_certificate API call. For example:
    POST https://<nsx-mgr>/api/v1/node/services/http?action=apply_certificate&certificate_id=e61c7537-3090-4149-b2b6-19915c20504f

    For more information, see the NSX-T Data Center API Reference.

  5. To replace the certificate of the manager cluster VIP, use the POST /api/v1/cluster/api-certificate?action=set_cluster_certificate API call. For example:
    POST https://<nsx-mgr>/api/v1/cluster/api-certificate?action=set_cluster_certificate&certificate_id=d60c6a07-6e59-4873-8edb-339bf75711ac

    For more information, see the NSX-T Data Center API Reference. This step is not necessary if you did not configure a VIP.
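
The two calls in steps 4 and 5 can be scripted so that every manager node gets its own certificate and TLS verification stays enabled while the self-signed certificate is still in place. The following is an added example, not code from the NSX-T documentation; the host names, the second node's certificate ID, the helper names, and the use of HTTP basic authentication are assumptions.

```python
import base64
import ssl
import urllib.parse
import urllib.request
import uuid

def build_url(manager, certificate_id, vip=False):
    """POST URL for step 4 (node) or, with vip=True, step 5 (cluster VIP)."""
    cert_id = str(uuid.UUID(certificate_id))  # ValueError on a malformed ID
    if vip:
        path, action = "/api/v1/cluster/api-certificate", "set_cluster_certificate"
    else:
        path, action = "/api/v1/node/services/http", "apply_certificate"
    query = urllib.parse.urlencode({"action": action, "certificate_id": cert_id})
    return f"https://{manager}{path}?{query}"

def plan(node_certs, vip_certificate_id=None):
    """node_certs maps each manager node to its own certificate ID."""
    ids = [str(uuid.UUID(c)) for c in node_certs.values()]
    if len(set(ids)) != len(ids):
        raise ValueError("each manager node needs a different certificate")
    urls = [build_url(node, cert) for node, cert in node_certs.items()]
    if vip_certificate_id:  # skip when no VIP is configured
        first = next(iter(node_certs))  # the VIP call is sent to a manager
        urls.append(build_url(first, vip_certificate_id, vip=True))
    return urls

def apply_certificate(url, user, password, ca_file):
    """Send one POST; ca_file must validate the certificate served right now."""
    ctx = ssl.create_default_context(cafile=ca_file)  # verification stays on
    req = urllib.request.Request(url, data=b"", method="POST")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)  # assumption: basic auth
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status

if __name__ == "__main__":
    # Constructed inventory: host names and the second node's ID are made up;
    # the other two IDs are the ones used in the examples above.
    nodes = {
        "nsx-mgr-1.example.test": "e61c7537-3090-4149-b2b6-19915c20504f",
        "nsx-mgr-2.example.test": "11111111-2222-4333-8444-555555555555",
    }
    for url in plan(nodes, "d60c6a07-6e59-4873-8edb-339bf75711ac"):
        print("POST", url)
```

Run as a script, it only prints the planned requests; pass each URL to apply_certificate with a PEM file that validates the manager's current certificate to send them.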