You can replace certificates for a manager node or the manager cluster virtual IP (VIP) by making an API call.

After you install NSX-T Data Center, the manager nodes and cluster have self-signed certificates. It is recommended that you replace the self-signed certificates with a CA-signed certificate and that you use a single common CA-signed certificate with a SAN (Subject Alternative Names) list that matches all the nodes and VIP for the cluster. See Types of Certificates for details on the default self-signed certificates configured by the system.

If you are using Federation, you can replace Global Manager nodes, Global Manager cluster, Local Manager nodes and Local Manager cluster certificates using the following APIs. You can also replace the platform Principal Identity certificates auto-created for the Global Manager and Local Manager appliances. See Certificates for NSX Federation for details on self-signed certificates auto-configured for Federation.

Prerequisites

  • Verify that a certificate is available in the NSX Manager. See Import a Self-signed or CA-signed Certificate.
  • The server certificate must contain the Basic Constraints extension basicConstraints = cA:FALSE.
  • Verify that the certificate is valid by making the following API call:

    GET https://<nsx-mgr>/api/v1/trust-management/certificates/<certificate-id>?action=validate

Procedure

  1. From your browser, log in with admin privileges to an NSX Manager at https://<nsx-manager-ip-address>.
  2. Select System > Certificates.
  3. In the ID column, click the ID of the certificate you want to use and copy the certificate ID from the pop-up window.
    Make sure that when this certificate was imported, the option Service Certificate was set to No.
  4. To replace the certificate of a manager node, use the POST /api/v1/node/services/http?action=apply_certificate API call. For example,
    POST https://<nsx-mgr>/api/v1/node/services/http?action=apply_certificate&certificate_id=e61c7537-3090-4149-b2b6-19915c20504f

    Note: The certificate chain must be in the industry standard order of 'certificate - intermediate - root.'

    For more information about the API, see the NSX-T Data Center API Reference.

  5. To replace the certificate of the manager cluster VIP, use the POST /api/v1/cluster/api-certificate?action=set_cluster_certificate API call. For example,
    POST https://<nsx-mgr>/api/v1/cluster/api-certificate?action=set_cluster_certificate&certificate_id=d60c6a07-6e59-4873-8edb-339bf75711ac

    Note: The certificate chain must be in the industry standard order of 'certificate - intermediate - root.'

    For more information about the API, see the NSX-T Data Center API Reference. This step is not necessary if you did not configure VIP.

  6. (Optional) To replace the Principal Identity certificates for Federation, use the API call: POST https://<nsx-mgr>/api/v1/trust-management/certificates?action=set_pi_certificate_for_federation. For example:
    POST https://<nsx-mgr>/api/v1/trust-management/certificates?action=set_pi_certificate_for_federation 
    { "cert_id": "<id>", 
    "service_type": "LOCAL_MANAGER" }
  7. (Optional) If you currently have an NSX Intelligence appliance deployed with your NSX Manager cluster, you must update the NSX Manager node IP, certificate, and thumbprint information that is on the NSX Intelligence appliance. See VMware Knowledge Base article https://kb.vmware.com/s/article/78505 for more information.