You can replace some certificates for a manager node or the manager cluster virtual IP (VIP) by making an API call. You can run only one certificate replacement operation at a time.
After you install NSX-T Data Center, the manager nodes and cluster have self-signed certificates. It is recommended that you replace the self-signed certificates with a CA-signed certificate and that you use a single common CA-signed certificate with a SAN (Subject Alternative Names) list that matches all the nodes and VIP for the cluster. See Types of Certificates for details on the default self-signed certificates configured by the system.
If you are using NSX Federation, you can replace Global Manager nodes, Global Manager cluster, Local Manager nodes and Local Manager cluster certificates using the following APIs. You can also replace the platform Principal Identity certificates auto-created for the Global Manager and Local Manager appliances. See Certificates for NSX Federation for details on self-signed certificates auto-configured for NSX Federation.
Prerequisites
- Verify that a certificate is available in the NSX Manager. See Import a Self-signed or CA-signed Certificate.
- The server certificate must contain the Basic Constraints extension basicConstraints = cA:FALSE.
- Verify that the certificate is valid by making the following API call:
  GET https://<nsx-mgr>/api/v1/trust-management/certificates/<certificate-id>?action=validate
Note: Do not use automated scripts to replace multiple certificates at the same time. Errors might occur.
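As an added local pre-flight check (example code, not from the NSX-T documentation or product), the following Python script uses the cryptography package to verify the two certificate requirements given above before the certificate is imported and validated through the API: a Basic Constraints extension with cA:FALSE, and a SAN list that covers every manager node and the cluster VIP. The node names, the VIP address and the self-signed test certificates are constructed here (hypothetical); the validate API call itself is not made.

```python
import datetime
import ipaddress

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtensionOID, NameOID

# Hypothetical manager node FQDNs plus the cluster VIP; the SAN list must cover all of them.
NSX_CLUSTER_NAMES = ["nsx-mgr-1.example.test", "nsx-mgr-2.example.test",
                     "nsx-mgr-3.example.test", "nsx-vip.example.test", "192.0.2.10"]


def preflight(pem: bytes, required_names: list[str]) -> list[str]:
    """Return the list of problems found; an empty list means the certificate passes."""
    cert = x509.load_pem_x509_certificate(pem)
    problems = []
    # Prerequisite: Basic Constraints must be present and must be cA:FALSE.
    try:
        bc = cert.extensions.get_extension_for_oid(ExtensionOID.BASIC_CONSTRAINTS).value
        if bc.ca:
            problems.append("basicConstraints is cA:TRUE; a server certificate must be cA:FALSE")
    except x509.ExtensionNotFound:
        problems.append("basicConstraints extension is missing")
    # Recommendation: a single SAN list matching every manager node and the VIP.
    covered = set()
    try:
        san = cert.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME).value
        covered |= {n.lower() for n in san.get_values_for_type(x509.DNSName)}
        covered |= {str(ip) for ip in san.get_values_for_type(x509.IPAddress)}
    except x509.ExtensionNotFound:
        problems.append("subjectAltName extension is missing")
    problems += [f"SAN does not cover {n}" for n in required_names if n.lower() not in covered]
    return problems


def make_test_cert(dns_names: list[str], ips: list[str], ca: bool) -> bytes:
    """Constructed self-signed certificate for exercising preflight(); not an NSX certificate."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, dns_names[0])])
    san = [x509.DNSName(d) for d in dns_names] + [x509.IPAddress(ipaddress.ip_address(i)) for i in ips]
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .add_extension(x509.SubjectAlternativeName(san), critical=False)
            .sign(key, hashes.SHA256()))
    return cert.public_bytes(serialization.Encoding.PEM)


if __name__ == "__main__":
    good = make_test_cert(NSX_CLUSTER_NAMES[:4], ["192.0.2.10"], ca=False)
    bad = make_test_cert(NSX_CLUSTER_NAMES[:2], [], ca=True)  # CA cert whose SAN misses two nodes and the VIP
    print("good:", preflight(good, NSX_CLUSTER_NAMES) or "OK")
    print("bad:", preflight(bad, NSX_CLUSTER_NAMES))
```

Run the check against the PEM you intend to upload, then proceed with the import and the validate API call only when the returned list is empty.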