After restoring your NSX Manager appliances, certificates in the system get into an inconsistent state and you must update all self-signed or CA-signed certificates.
Note: This procedure does not apply to
NSX-T Data Center version 3.1.1 or later. You only need to follow these instructions if you are using
NSX-T Data Center version 3.1.0 or earlier.
See Certificates for more information on the type of certificates used in NSX-T Data Center and for instructions on updating them.
If you are using NSX-T Data Center version 3.0.1 or later, after you restore the first NSX Manager node, certificates are applied on this restored node, however, these certificates are not applied to the other nodes that are installed to form the restored NSX Manager cluster.
If you are using NSX-T Data Center version 3.0.0, none of the nodes have the original certificates applied and you must restore certificates manually for each node.
Follow these steps to update certificates after you complete the restore process:
- If you are using NSX-T Data Center version 3.0.1 or later, update tomcat certificates on the two nodes installed and joined with the restored NSX Manager node to form a three-node cluster. If you are using NSX-T Data Center version 3.0.0, update tomcat certificates for all of the NSX Manager nodes, including the one that was restored. Use the following POST request to bring the nodes back to the same state as the backed-up cluster.
POST https://<nsx-mgr>/api/v1/node/services/http?action=apply_certificate&certificate_id=<cert-id>
The certificate ID corresponds to the ID of the tomcat certificate that was in use on the original setup. - Verify the certificates by running the following GET request and confirm cluster stability.
GET https://<nsx-mgr>/api/v1/trust-management/certificates