After you install NSX, the manager nodes and cluster have self-signed certificates. Replace the self-signed certificates with a CA-signed certificate and use a single common CA-signed certificate with a SAN (Subject Alternative Name) that matches all the nodes and the VIP for the cluster. You can run only one certificate replacement operation at a time.
If you are using NSX Federation, you can replace the GM API certificates, GM cluster certificate, LM API certificates, and LM cluster certificates using the following APIs.
When you replace the GM or LM certificate, the site-manager sends it to all the other federated sites, so communication remains intact across:
- the NSX nodes within the cluster.
- the sites within the NSX Federation.
- NSX Manager to NSX Edge.
- NSX Manager to NSX agent.
- the NSX Manager REST API communication (external).
You can also replace the platform Principal Identity certificates auto-created for the Global Manager and Local Manager appliances. See Certificates for NSX Federation for details on self-signed certificates auto-configured for NSX Federation.
Prerequisites
- Verify that a certificate is available in the NSX Manager. Note that on a standby Global Manager the UI import operation is deactivated. For details on the import REST API command for a standby Global Manager, refer to Import a Self-signed or CA-signed Certificate.
- The server certificate must contain the Basic Constraints extension:
  basicConstraints = cA:FALSE
- Verify that the certificate is valid by making the following API call:
GET https://<nsx-mgr>/api/v1/trust-management/certificates/<cert-id>?action=validate
Note: Do not use automated scripts to replace multiple certificates at the same time. Errors might occur.
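The following program is an added example and is not part of the NSX documentation or product; it shows an offline pre-check a practitioner can run on a candidate PEM certificate before importing it, covering the points above: the Basic Constraints extension must be present with cA:FALSE, the SAN must cover every manager node and the cluster VIP, and the certificate must be inside its validity period. The host names and the 192.0.2.10 VIP address are constructed placeholders, and NewTestCert only builds throwaway self-signed certificates so the checker can be exercised without a CA; in a real deployment the certificate being checked would be the CA-signed one you intend to import.

```go
package main

// Added example (not NSX code): offline pre-check of a PEM server certificate
// against the certificate-replacement prerequisites. All names below are
// constructed placeholders.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// RequiredNames lists every name the shared certificate's SAN must cover:
// the three manager nodes plus the cluster VIP (constructed placeholders;
// 192.0.2.10 is from the TEST-NET-1 documentation range).
var RequiredNames = []string{
	"nsx-mgr-01.example.test",
	"nsx-mgr-02.example.test",
	"nsx-mgr-03.example.test",
	"nsx-vip.example.test",
	"192.0.2.10",
}

// CheckServerCert parses a PEM certificate and returns the reasons it is not
// suitable as the common NSX Manager node/cluster certificate. An empty slice
// means every check passed. 'now' is passed in so expiry can be tested.
func CheckServerCert(pemData []byte, required []string, now time.Time) ([]string, error) {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no PEM CERTIFICATE block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, fmt.Errorf("parse certificate: %w", err)
	}

	var problems []string

	// Basic Constraints must be present and must say cA:FALSE.
	switch {
	case !cert.BasicConstraintsValid:
		problems = append(problems, "Basic Constraints extension is missing")
	case cert.IsCA:
		problems = append(problems, "basicConstraints is cA:TRUE; a server certificate needs cA:FALSE")
	}

	// Index the SAN entries (DNS names and IP addresses) for a case-insensitive lookup.
	present := make(map[string]bool)
	for _, d := range cert.DNSNames {
		present[strings.ToLower(d)] = true
	}
	for _, ip := range cert.IPAddresses {
		present[ip.String()] = true
	}
	for _, name := range required {
		if !present[strings.ToLower(name)] {
			problems = append(problems, "SAN does not cover "+name)
		}
	}

	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		problems = append(problems, "certificate is outside its validity period")
	}
	return problems, nil
}

// NewTestCert builds a throwaway self-signed certificate carrying the given
// SAN entries (IP literals become IP SANs, everything else a DNS SAN).
// withBasicConstraints and isCA control the Basic Constraints extension.
func NewTestCert(names []string, withBasicConstraints, isCA bool) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: names[0]},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: withBasicConstraints,
		IsCA:                  isCA,
	}
	for _, n := range names {
		if ip := net.ParseIP(n); ip != nil {
			tmpl.IPAddresses = append(tmpl.IPAddresses, ip)
		} else {
			tmpl.DNSNames = append(tmpl.DNSNames, n)
		}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	good, _ := NewTestCert(RequiredNames, true, false)
	bad, _ := NewTestCert(RequiredNames[:3], true, true) // cA:TRUE and no VIP in the SAN
	for _, c := range [][]byte{good, bad} {
		problems, err := CheckServerCert(c, RequiredNames, time.Now())
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		if len(problems) == 0 {
			fmt.Println("OK: certificate satisfies the prerequisites")
		}
		for _, p := range problems {
			fmt.Println("PROBLEM:", p)
		}
	}
}
```

Run it against a real candidate by replacing the NewTestCert output with the bytes of your PEM file and RequiredNames with the FQDNs and VIP of your cluster; a non-empty problem list means the import or the validate call above will not give you a usable certificate, so fix the CSR before replacing anything.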