You can replace some certificates for a manager node or the manager cluster virtual IP (VIP) by making an API call. You can run only one certificate replacement operation at a time.

After you install NSX-T Data Center, the manager nodes and cluster have self-signed certificates. It is recommended that you replace the self-signed certificates with a CA-signed certificate and that you use a single common CA-signed certificate with a SAN (Subject Alternative Names) list that matches all the nodes and VIP for the cluster. See Types of Certificates for details on the default self-signed certificates configured by the system.

If you are using NSX Federation, you can replace Global Manager nodes, Global Manager cluster, Local Manager nodes and Local Manager cluster certificates using the following APIs. You can also replace the platform Principal Identity certificates auto-created for the Global Manager and Local Manager appliances. See Certificates for NSX Federation for details on self-signed certificates auto-configured for NSX Federation.

Prerequisites

  • Verify that a certificate is available in the NSX Manager. See Import a Self-signed or CA-signed Certificate.
  • The server certificate must contain the Basic Constraints extension basicConstraints = cA:FALSE.
  • Verify that the certificate is valid by making the following API call:
    GET https://<nsx-mgr>/api/v1/trust-management/certificates/<certificate-id>?action=validate
    Note: Do not use automated scripts to replace multiple certificates at the same time. Errors might occur.

Procedure

  1. From your browser, log in with admin privileges to an NSX Manager at https://<nsx-manager-ip-address>.
  2. Select System > Certificates.
  3. In the ID column, click the ID of the certificate you want to use and copy the certificate ID from the pop-up window.
    Make sure that when this certificate was imported, the option Service Certificate was set to No.
  4. To replace the certificate of a manager node, use the POST /api/v1/trust-management/certificates/<cert-id>?action=apply_certificate&service_type=API&node_id=<node-id> API call.
    For example: POST https://172.10.221.11/api/v1/trust-management/certificates/f096cc4b-2120-4762-b25d-fbcd2439ae80?action=apply_certificate&service_type=API&node_id=2f040f42-64a4-68a8-2648-0f8266a8d2e7

    Note: The certificate chain must be in the industry standard order of 'certificate - intermediate - root.'

    For more information about the API, see the NSX-T Data Center Command-Line Interface Reference.

  5. To replace the certificate of the manager cluster VIP, use the POST /api/v1/cluster/api-certificate?action=set_cluster_certificate API call.
    For example, POST https://<nsx-mgr>/api/v1/cluster/api-certificate?action=set_cluster_certificate&certificate_id=d60c6a07-6e59-4873-8edb-339bf75711ac

    Note: The certificate chain must be in the industry standard order of 'certificate - intermediate - root.'

    For more information about the API, see the NSX-T Data Center API Guide. This step is not necessary if you did not configure VIP.

  6. (Optional) To replace the Local Manager and Global Manager Principal Identity certificates for NSX Federation, use the following API call. The entire NSX Manager cluster (Local Manager and Global Manager) requires a single PI certificate.
    POST https://<nsx-mgr>/api/v1/trust-management/certificates?action=set_pi_certificate_for_federation
    For example, for LM:
    POST https://<nsx-local-mgr>/api/v1/trust-management/certificates?action=set_pi_certificate_for_federation
    {
        "cert_id": "c5f13ec0-8075-441e-80b5-aeb707f6b87e",
        "service_type": "LOCAL_MANAGER"
    }
    For GM:
    POST https://<nsx-global-manager>/api/v1/trust-management/certificates?action=set_pi_certificate_for_federation
    {
        "cert_id": "c6f13ec0-8075-441e-80b5-aeb707f6b87e",
        "service_type": "GLOBAL_MANAGER"
    }
  7. (Optional) If you currently have an NSX Intelligence appliance deployed with your NSX Manager cluster, you must update the NSX Manager node IP, certificate, and thumbprint information that is on the NSX Intelligence appliance. See VMware Knowledge Base article https://kb.vmware.com/s/article/78505 for more information.
  8. To replace APH-APR certificates, use the following API call:
    POST https://<nsx-mgr>/api/v1/trust-management/certificates?action=set_appliance_proxy_certificate_for_inter_site_communication
    For example:
    POST https://<nsx-mgr>/api/v1/trust-management/certificates?action=set_appliance_proxy_certificate_for_inter_site_communication
    {
     "cert_id": "77c5dc5c-6ba5-4e74-a801-c27dc09be76b",
     "used_by_id": "4e15955d-acd1-4g49-abae-0c6ea65bf438"
    }
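Steps 4 and 5 above, driven from a small Python client as an added example (not VMware's code): every certificate is checked with `?action=validate` before it is applied, the node and cluster-VIP calls are issued strictly one at a time, and the sequence stops at the first failed validation. The manager hostname, certificate IDs, node IDs, credentials and the `{"status": "OK"}` validate response shape are assumptions.

```python
"""Drive certificate replacement (steps 4 and 5) through the NSX API, one call at a
time, gating every apply on a successful ?action=validate check."""
import base64
import json
import urllib.request

def build_steps(manager, cert_id, node_ids, vip_cert_id=None):
    """Ordered (method, url, body) calls: validate the certificate, apply it to each
    manager node, then (optionally) validate and set the cluster VIP certificate."""
    base = f"https://{manager}/api/v1"
    steps = [("GET", f"{base}/trust-management/certificates/{cert_id}?action=validate", None)]
    for node_id in node_ids:
        steps.append(("POST", f"{base}/trust-management/certificates/{cert_id}"
                      f"?action=apply_certificate&service_type=API&node_id={node_id}", None))
    if vip_cert_id is not None:
        if vip_cert_id != cert_id:  # a distinct VIP certificate needs its own validate call
            steps.append(("GET", f"{base}/trust-management/certificates/{vip_cert_id}"
                          "?action=validate", None))
        steps.append(("POST", f"{base}/cluster/api-certificate"
                      f"?action=set_cluster_certificate&certificate_id={vip_cert_id}", None))
    return steps

def validation_passed(resp):
    # Assumption: the validate action answers {"status": "OK"} for a usable certificate.
    return isinstance(resp, dict) and resp.get("status") == "OK"

def run_replacement(send, manager, cert_id, node_ids, vip_cert_id=None):
    """Execute the steps sequentially (only one replacement operation at a time).
    send(method, url, body) returns the decoded JSON reply or raises on HTTP error.
    Stops at the first failed validation so an unusable certificate is never applied.
    Returns the (method, url) pairs that completed."""
    completed = []
    for method, url, body in build_steps(manager, cert_id, node_ids, vip_cert_id):
        resp = send(method, url, body)
        if url.endswith("?action=validate") and not validation_passed(resp):
            raise RuntimeError(f"certificate validation failed at {url}: {resp}")
        completed.append((method, url))
    return completed

def make_http_sender(username, password):
    """Real transport: basic-auth JSON calls over urllib (credentials are assumed)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    def send(method, url, body):
        data = None if body is None else json.dumps(body).encode()
        req = urllib.request.Request(url, data=data, method=method, headers={
            "Authorization": f"Basic {token}", "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as r:  # raises HTTPError on 4xx/5xx
            return json.loads(r.read() or b"{}")
    return send
```

`urlopen` verifies the manager's TLS certificate against the system trust store; before the first replacement the manager still presents its self-signed certificate, so export and trust that certificate explicitly rather than disabling verification.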