The system creates certificates required for communication between NSX Federation appliances as well as for external communication.

By default, the Global Manager uses self-signed certificates for communicating with internal components and registered Local Managers, as well as for authentication for NSX Manager UI or APIs.

You can view the external (UI/API) and inter-site certificates in NSX Manager. The internal certificates are not viewable or editable.

Certificates for Global Manager and Local Managers

After you add a Local Manager into the Global Manager, all certificates that authenticate the Local Manager for external and internal communication are copied into the Global Manager and trust is established between the two systems. These certificates are also copied into each of the sites registered with the Global Manager.

See the following table for a list of all the certificates created for each appliance using NSX Federation, and the certificates these appliances exchange with each other:

Table 1. Certificates for the Global Manager and Local Managers
Naming Convention in the Global Manager or Local Manager Purpose Replaceable? Default Validity
The following are certificates specific to each NSX Federation appliance.
APH-AR certificate
  • For Global Manager and each Local Manager.
  • Used for inter-site communication using the AR channel (Async-Replicator channel).
No 10 years
GlobalManager
  • For the Global Manager.
  • PI certificate for the Global Manager.
Yes. See Replace Certificates. 825 days
mp-cluster certificate
  • For the Global Manager and each Local Manager.
  • Used for UI/API communication with the VIP of the Global Manager or Local Manager cluster.
tomcat certificate
  • For the Global Manager and each Local Manager.
  • Used for UI/API communication with individual Global Manager and Local Manager nodes for each of the locations added to the Global Manager.
LocalManager
  • For Local Manager.
  • PI certificate for this specific Local Manager.
The following are certificates exchanged between NSX Federation appliances.
Naming Convention in the Global Manager or Local Manager Purpose Replaceable? Default Validity
Hashed code, for example, 1729f966-67b7-4c17-bdf5-325affb79f4f
  • Exchanged between all the Local Managers registered with the Global Manager.
  • PI certificate for the Global Manager exchanged with Local Managers.
  • PI certificates for each of the locations exchanged with all registered Location Managers.

Not Applicable

Site certificate CN=<>,O
  • Exchanged between all NSX Federation appliances: all registered Local Managers and the Global Manager.
  • All types of certificates.

Principal Identity (PI) Users for NSX Federation

The following PI users with corresponding roles are created after you add a Local Manager to the Global Manager:
Table 2. Principal Identity (PI) Users Created for NSX Federation
NSX Federation Appliance PI Username PI User Role
Global Manager LocalManagerIdentity

One for each Local Manager registered with this Global Manager.

auditor
Local Manager GlobalManagerIdentity Enterprise Admin
LocalManagerIdentity
One for each Local Manager registered with the same Global Manager. Use the following API to get a list of all the Local Manager PI users because they are not visible in the UI:
GET https://<local-mgr>/api/v1/trust-management/principal-identities
auditor