The system creates certificates required for communication between NSX Federation appliances as well as for external communication.

By default, the Global Manager uses self-signed certificates for communicating with internal components and registered Local Managers, as well as for authentication for NSX Manager UI or APIs.

You can view the external (UI/API) and inter-site certificates in NSX Manager. The internal certificates are not viewable or editable.

Note: Enabling Local Manager external VIP should not be done before a Local Manager is registered on the Global Manager. When Federation and PKS need to be used on the same Local Manager, PKS tasks to create an external VIP and change the Local Manager certificate should be done before registering the Local Manager on Global Manager.

Certificates for Global Manager and Local Managers

After you add a Local Manager into the Global Manager, all certificates that authenticate the Local Manager for external and internal communication are copied into the Global Manager and trust is established between the two systems. These certificates are also copied into each of the sites registered with the Global Manager.

See the following table for a list of all the certificates created for each appliance using NSX Federation, and the certificates these appliances exchange with each other:

Table 1. Certificates for the Global Manager and Local Managers

The following are certificates specific to each NSX Federation appliance.

APH-AR certificate
  • For the Global Manager and each Local Manager.
  • Used for inter-site communication using the AR channel (Async-Replicator channel).
  • Replaceable? Yes. See Replace Certificates.
  • Default validity: 10 years.

GlobalManager
  • For the Global Manager.
  • PI certificate for the Global Manager.
  • Replaceable? Yes. See Replace Certificates.
  • Default validity: 825 days.

mp-cluster certificate
  • For the Global Manager and each Local Manager.
  • Used for UI/API communication with the VIP of the Global Manager or Local Manager cluster.
  • Replaceable? Yes. See Replace Certificates.
  • Default validity: 825 days.

tomcat certificate
  • For the Global Manager and each Local Manager.
  • Used for UI/API communication with individual Global Manager and Local Manager nodes for each of the locations added to the Global Manager.
  • Replaceable? Yes. See Replace Certificates.
  • Default validity: 825 days.

LocalManager
  • For the Local Manager.
  • PI certificate for this specific Local Manager.
  • Replaceable? Yes. See Replace Certificates.
  • Default validity: 825 days.

The following are certificates exchanged between NSX Federation appliances.

Hashed code, for example, 1729f966-67b7-4c17-bdf5-325affb79f4f
  • Exchanged between all the Local Managers registered with the Global Manager.
  • PI certificate for the Global Manager exchanged with Local Managers.
  • PI certificates for each of the locations exchanged with all registered Local Managers.
  • Replaceable? Not Applicable.

Site certificate CN=<>,O
  • Exchanged between all NSX Federation appliances: all registered Local Managers and the Global Manager.
  • All types of certificates.
  • Replaceable? Not Applicable.

Principal Identity (PI) Users for NSX Federation

The following PI users with corresponding roles are created after you add a Local Manager to the Global Manager:

Table 2. Principal Identity (PI) Users Created for NSX Federation

Global Manager
  • PI username: LocalManagerIdentity (one for each Local Manager registered with this Global Manager).
  • PI user role: auditor

Local Manager
  • PI username: GlobalManagerIdentity
  • PI user role: Enterprise Admin

Local Manager
  • PI username: LocalManagerIdentity (one for each Local Manager registered with the same Global Manager). These PI users are not visible in the UI; use the following API to list them:
    GET https://<local-mgr>/api/v1/trust-management/principal-identities
  • PI user role: auditor
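Because the Federation PI users are not shown in the UI, the only way to confirm that each appliance carries exactly the PI users Table 2 describes, with the documented roles, is to read the API response and compare it against what Federation should have created for the registered sites. The following Python script does that reconciliation. It is an added example, not code from the VMware documentation: it assumes the response of GET /api/v1/trust-management/principal-identities is a JSON object with a "results" list whose items carry "name", "node_id" (taken here to identify the site the PI represents) and "role"; the site identifiers and the sample payload are constructed.

```python
"""Reconcile the Principal Identity (PI) users on an NSX Federation appliance
against the set that Federation creates (Table 2 above).

Added example, not part of the VMware documentation. Assumed response shape
for GET /api/v1/trust-management/principal-identities: {"results": [{"name",
"node_id", "role", ...}, ...]}. Site identifiers and payloads are constructed.
"""
import json
from typing import Dict, List, Tuple

# Roles the documentation states for each Federation PI user.
FEDERATION_PI_ROLES = {
    "GlobalManagerIdentity": "Enterprise Admin",
    "LocalManagerIdentity": "auditor",
}

Key = Tuple[str, str]  # (PI username, node_id of the site the PI represents)


def normalize_role(role: str) -> str:
    """Compare roles loosely: the UI says 'Enterprise Admin', the API may
    return 'enterprise_admin'."""
    return role.strip().lower().replace(" ", "_")


def expected_pi_users(appliance: str, global_manager_id: str,
                      local_manager_ids: List[str]) -> Dict[Key, str]:
    """Expected Federation PI users on one appliance, keyed by (username, node_id).

    A Global Manager carries one LocalManagerIdentity per registered Local
    Manager; a Local Manager additionally carries one GlobalManagerIdentity.
    """
    expected: Dict[Key, str] = {}
    if appliance == "local_manager":
        expected[("GlobalManagerIdentity", global_manager_id)] = \
            FEDERATION_PI_ROLES["GlobalManagerIdentity"]
    elif appliance != "global_manager":
        raise ValueError(f"unknown appliance type: {appliance}")
    for lm in local_manager_ids:
        expected[("LocalManagerIdentity", lm)] = FEDERATION_PI_ROLES["LocalManagerIdentity"]
    return expected


def reconcile(api_response: str, expected: Dict[Key, str]) -> Dict[str, List[str]]:
    """Diff the PI users returned by the API against the expected set.

    Returns sorted lists of Federation PI users that are missing, PI users
    Federation did not create (other integrations such as PKS legitimately add
    their own, so these are for review rather than automatically wrong), and
    Federation PI users whose role differs from the documented one.
    """
    actual: Dict[Key, str] = {}
    for item in json.loads(api_response)["results"]:
        actual[(item["name"], item["node_id"])] = item["role"]

    missing = [f"{n}@{s}" for (n, s) in expected if (n, s) not in actual]
    other = [f"{n}@{s}" for (n, s) in actual if (n, s) not in expected]
    wrong_role = [
        f"{n}@{s}: {actual[(n, s)]} (expected {want})"
        for (n, s), want in expected.items()
        if (n, s) in actual and normalize_role(actual[(n, s)]) != normalize_role(want)
    ]
    return {"missing": sorted(missing), "other": sorted(other),
            "wrong_role": sorted(wrong_role)}


# Constructed sample: a Global Manager with three registered Local Managers.
# One LocalManagerIdentity carries a stronger role than documented, one site
# has no PI user at all, and a non-Federation PI user is also present.
SAMPLE_GM_RESPONSE = json.dumps({"results": [
    {"name": "LocalManagerIdentity", "node_id": "site-paris", "role": "auditor"},
    {"name": "LocalManagerIdentity", "node_id": "site-london", "role": "enterprise_admin"},
    {"name": "svc-backup", "node_id": "site-paris", "role": "auditor"},
]})


def audit_sample() -> Dict[str, List[str]]:
    """Run the reconciliation over the constructed Global Manager sample."""
    expected = expected_pi_users("global_manager", "gm-1",
                                 ["site-paris", "site-london", "site-tokyo"])
    return reconcile(SAMPLE_GM_RESPONSE, expected)


if __name__ == "__main__":
    for category, entries in audit_sample().items():
        print(f"{category}: {entries or 'none'}")
```

Run the same reconciliation on each Local Manager with appliance="local_manager" so the GlobalManagerIdentity user and its Enterprise Admin role are part of the expected set; a LocalManagerIdentity that has drifted from auditor to a broader role is worth investigating, since Federation only needs read access for those identities.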