The CA-signed certificate that you imported has expired.

Problem

The CA-signed certificate that you imported to the NSX Manager appliance host has expired and you are unable to continue working with the NSX Application Platform. You must delegate a self-signed CA-signed certificate to continue working with the NSX Application Platform and the NSX-T Data Center features that it hosts.

Cause

The default expiry for a CA-signed certificate is 825 days. The system self-signed certificates are automatically renewed. If you import a custom CA-signed certificate, you need to maintain the lifecycle of that certificate. If you forget to renew it, then the connection between the NSX Application Platform andNSX Manager unified appliance will break and you will not be able to continue working with the NSX Application Platform and the NSX features that it hosts.

Solution

  1. Log into the NSX Manager appliance as the root user.
  2. Delegate to a self-signed CA-signed certificate using the following kubectl command at the NSX Manager command prompt.
    system prompt> kubectl patch certificate ca-cert -n cert-manager --type='json' -p='[{"op": "replace", "path": "/spec/secretName", "value":"ca-key-pair"}]'
  3. Wait for about 30 seconds, then export the egress certificate by entering the following kubectl and cat commands at the NSX Manager system prompt, one at a time.
    system prompt> kubectl get secret -n nsxi-platform egress-tls-cert -o=jsonpath='{.data.tls\.crt}' | base64 -d - > tls.crt
    system prompt> kubectl get secret -n nsxi-platform egress-tls-cert -o=jsonpath='{.data.ca\.crt}' | base64 -d - > ca.crt
    system prompt> cat tls.crt ca.crt > egress.crt
  4. Import the egress.crt into the NSX Manager apppliance using the user interface and otain the certificate UUID.
    1. From your browser, log in with Enterprise Admin privileges to an NSX Manager at https://<nsx-manager-ip-address>.
    2. Navigate to System > Certificates, click Import, and select Certificate from the drop-down menu.
    3. Enter a name for the certificate.
    4. Set Service Certificate to No.
    5. In the Certificate Contents textbox, paste the contents of the the egress.crt file that you created in the previous step.
    6. Click Save.
    7. In the Certificates table, expand the row for the newly added certificate and copy the certificate ID value.
  5. Back in the NSX Manager appliance root user session, obtain the PricinpleIdentity cloudnative_platform_egress UUID using the following curl command at the system prompt.
    system prompt> curl -ku 'admin:yourAdminPassword' https://127.0.0.1/api/v1/trust-management/principal-identities
  6. Bind the PrincipleIdentity with the imported certificate ID, using the following curl command at the system prompt.
    curl -ku 'admin:yourAdminPassword' https://127.0.0.1/api/v1/trust-management/principal-identities?action=update_certificate -X POST -H "Content-Type: application/json" -H "X-Allow-Overwrite: true" -d '{"principal_identity_id": "<PI-UUID>", "certificate_id": "<EGRESS-CERT-ID>"}'