After you install NSX, the manager nodes and the cluster use self-signed certificates. Replace them with CA-signed certificates; the recommended approach is a single CA-signed certificate whose SAN (Subject Alternative Name) lists the FQDNs and IP addresses of all manager nodes and of the cluster VIP. You can run only one certificate replacement operation at a time.

If you are using NSX Federation, you can replace the GM API certificates, GM cluster certificate, LM API certificates, and LM cluster certificates using the following APIs.

Starting in NSX Federation 4.1, you can replace the self-signed certificate used for GM-LM communication. In addition, the Local Manager certificate is now generated from the Global Manager certificate at the time the Local Manager is registered, so the Local Manager no longer uses a default certificate.

When you replace the Global Manager or Local Manager certificate, the site manager distributes the new certificate to all other federated sites, so communication remains intact.

The cipher suite TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 can now be used, and the certificate replaced, on the following communication paths:
  • between the NSX nodes within the cluster.
  • within the NSX Federation.
  • NSX Manager to NSX Edge.
  • NSX Manager to NSX agent.
  • NSX Manager REST API (external).

You can also replace the platform Principal Identity certificates auto-created for the Global Manager and Local Manager appliances. See Certificates for NSX and NSX Federation for details on self-signed certificates auto-configured for NSX Federation.

Note: The HTTP certificate of the Cloud Service Manager cannot be replaced in an NSX environment.

Prerequisites

  • Verify that a certificate is available in NSX Manager. On a standby Global Manager the UI import operation is deactivated; for the import REST API call to use on a standby Global Manager, refer to Import a Self-signed or CA-signed Certificate.
  • The server certificate must contain the Basic Constraints extension with basicConstraints = CA:FALSE.
  • Verify that the certificate is valid by making the following API call:

    GET https://<nsx-mgr>/api/v1/trust-management/certificates/<cert-id>?action=validate

  • Have your node ID string available, if needed. For help locating this information using the UI or the CLI, refer to Finding Node IDs for Certificate API Calls.
Note: Do not use automated scripts to replace multiple certificates at the same time. Errors might occur.
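Two of the requirements above can be pre-checked before a certificate is imported: the server certificate must carry basicConstraints CA:FALSE, and a chain must be ordered certificate - intermediate - root (the order the procedure below also insists on). The following Python script is an added example, not part of the NSX documentation or the product. It uses only the standard library: a DER scan for the basicConstraints extension (OID 2.5.29.19) that assumes the short-form lengths this small extension always has, so it is a pre-flight check rather than a replacement for `openssl x509 -text`. The sample chain at the bottom is constructed from bare extension fragments, not real certificates.

```python
"""Pre-flight check of a PEM chain against this page's certificate requirements.

Added example, not part of the VMware documentation.  The sample input is a
constructed fragment; the CA fragment uses the same encoding as the
basicConstraints extension in the page's MYCA sample certificate.
"""
import base64
import re

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.DOTALL)
BASIC_CONSTRAINTS_OID = b"\x06\x03\x55\x1d\x13"   # OBJECT IDENTIFIER 2.5.29.19


def split_chain(pem_text: str) -> list:
    """DER bytes of each certificate block, in file order.

    Every 'BEGIN CERTIFICATE' must sit inside well-formed five-dash markers
    (three-dash markers are a frequent copy/paste error) and decode as base64.
    """
    text = pem_text.replace("\r", "")
    bodies = PEM_CERT.findall(text)
    if not bodies or text.count("BEGIN CERTIFICATE") != len(bodies):
        raise ValueError("malformed or missing -----BEGIN CERTIFICATE----- blocks")
    return [base64.b64decode("".join(b.split()), validate=True) for b in bodies]


def basic_constraints_ca(der: bytes):
    """True for CA:TRUE, False for CA:FALSE, None if the extension is absent."""
    pos = der.find(BASIC_CONSTRAINTS_OID)
    if pos < 0:
        return None
    i = pos + len(BASIC_CONSTRAINTS_OID)
    if der[i:i + 3] == b"\x01\x01\xff":          # optional 'critical' BOOLEAN
        i += 3
    # extnValue: OCTET STRING wrapping SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLen OPTIONAL }
    if len(der) < i + 4 or der[i] != 0x04 or der[i + 2] != 0x30:
        raise ValueError("unexpected encoding of basicConstraints")
    seq_len = der[i + 3]
    body = der[i + 4:i + 4 + seq_len]
    if body[:2] == b"\x01\x01":                   # cA BOOLEAN present
        return body[2] != 0
    return False                                 # omitted cA means DEFAULT FALSE


def check_chain(pem_text: str) -> list:
    """Describe the chain, raising ValueError if it violates this page's rules."""
    report = []
    for idx, der in enumerate(split_chain(pem_text)):
        ca = basic_constraints_ca(der)
        if idx == 0:
            if ca is None:
                raise ValueError("server certificate has no basicConstraints extension")
            if ca:
                raise ValueError("first block is a CA certificate; the chain must start with the server certificate")
            report.append("leaf (CA:FALSE)")
        elif not ca:
            raise ValueError(f"certificate {idx + 1} is not a CA; order must be certificate - intermediate - root")
        else:
            report.append("issuer (CA:TRUE)")
    return report


def pem_encode(der: bytes) -> str:
    """Wrap DER bytes in standard PEM markers with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{lines}\n-----END CERTIFICATE-----\n"


# Constructed sample input: only the basicConstraints extension TLVs, not whole certificates.
SAMPLE_LEAF_DER = b"\x30\x09" + BASIC_CONSTRAINTS_OID + b"\x04\x02\x30\x00"                       # CA:FALSE
SAMPLE_CA_DER = b"\x30\x0f" + BASIC_CONSTRAINTS_OID + b"\x01\x01\xff\x04\x05\x30\x03\x01\x01\xff"  # critical, CA:TRUE
SAMPLE_CHAIN_PEM = pem_encode(SAMPLE_LEAF_DER) + pem_encode(SAMPLE_CA_DER)

if __name__ == "__main__":
    print(check_chain(SAMPLE_CHAIN_PEM))
```

Run it against the real chain file before the UI import; a chain that raises here would either fail the prerequisite or be applied in the wrong order, and finding that out after apply_certificate has restarted a manager node is the expensive way.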

Procedure

  1. With admin privileges, log in to NSX Manager.
  2. Select System > Certificates.
  3. In the ID column, select the ID of the certificate you want to use and copy the certificate ID from the pop-up window.
    Make sure that when this certificate was imported, the option Service Certificate was set to No.

    Note: The certificate chain must be in the industry standard order of certificate - intermediate - root.

  4. To replace the API certificate of a manager node, use the following API call. To find your Unified Appliance node ID, refer to Finding Node IDs for Certificate API Calls.
    POST /api/v1/trust-management/certificates/<cert-id>?action=apply_certificate&service_type=API&node_id=<node-id>
    For example:
    POST https://<nsx-mgr>/api/v1/trust-management/certificates/77c5dc5c-6ba5-4e74-a801-c27dc09be76b?action=apply_certificate&service_type=API&node_id=e61c7537-3090-4149-b2b6-19915c20504f
    Note: If you replace the CBM_MP certificate of a manager node, the NSX management service on that node restarts once the operation completes so that it starts using the new certificate. During this restart the UI and APIs on that node are inaccessible until the service is back up. If the VIP is on this manager node, it moves to another manager node. Before you replace the CBM_MP certificate on the other manager nodes, confirm that the management service is up by running get cluster status and checking the status of the MANAGER group members.
  5. To replace the certificate of the manager cluster VIP, use the API call:
    POST /api/v1/trust-management/certificates/<cert-id>?action=apply_certificate&service_type=MGMT_CLUSTER
    For example:
    POST https://<nsx-mgr>/api/v1/trust-management/certificates/d60c6a07-6e59-4873-8edb-339bf75711?action=apply_certificate&service_type=MGMT_CLUSTER

    Ensure the thumbprint value is updated for each location's Local Manager in the Global Manager's Location Manager. Otherwise, communication between the GM and the LMs is disrupted: tasks such as selecting an NSX Edge cluster or requesting a tier-0 BGP summary from the Global Manager UI fail until the thumbprint is updated. For more information about the API, see the NSX API Guide. This step is not necessary if you did not configure the VIP.

  6. (Optional) To replace the Local Manager and Global Manager Principal Identity certificates for NSX Federation, use the following API call. The entire NSX Manager cluster (Local Manager and Global Manager) uses a single PI certificate.
    Note: Do not use this procedure to replace a Principal Identity certificate that is not related to NSX Federation. For such certificates, refer to Add a Role Assignment or Principal Identity.

    POST https://<nsx-mgr>/api/v1/trust-management/certificates/<cert-id>?action=apply_certificate&service_type=<service-type>
    For example:
    POST https://<local-mgr>/api/v1/trust-management/certificates/77c5dc5c-6ba5-4e74-a801-c27dc09be76b?action=apply_certificate&service_type=LOCAL_MANAGER
    Or
    POST https://<global-mgr>/api/v1/trust-management/certificates/77c5dc5c-6ba5-4e74-a801-c27dc09be76b?action=apply_certificate&service_type=GLOBAL_MANAGER
  7. To replace the APH-AR certificate of a manager node, use the following API call. To find your Unified Appliance node ID, refer to Finding Node IDs for Certificate API Calls.
    POST https://<nsx-mgr>/api/v1/trust-management/certificates/<cert-id>?action=apply_certificate&service_type=APH&node_id=<node-id>
    For example:
    POST https://<nsx-mgr>/api/v1/trust-management/certificates/77c5dc5c-6ba5-4e74-a801-c27dc09be76b?action=apply_certificate&service_type=APH&node_id=93350f42-16b4-cb4e-99e0-fce2d17635a3
  8. Starting in NSX 4.1, to replace the transport node (TN) or Edge host certificate, use the following API call. You must generate the private key outside NSX Manager: if you generate the CSR in NSX Manager, the private key cannot be retrieved, and the API call requires it. For a CA-signed certificate, include the whole chain in this order: certificate - intermediate - root. Each PEM value (both pem_encoded and private_key) must be provided on a single line, with every line break replaced by the two characters \n. On UNIX-based systems, the following command prints a PEM file in that form: awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' certificate.pem
    POST https://<nsx-mgr>/api/v1/trust-management/certificates/action/replace-host-certificate/<transport-node-id>
    {
        "display_name": "cert_name",
        "pem_encoded": "-----BEGIN CERTIFICATE-----\n<certificate>\n-----END CERTIFICATE-----\n",
        "private_key": "-----BEGIN RSA PRIVATE KEY-----\n<private rsa key>\n-----END RSA PRIVATE KEY-----\n"
    }
    For example:
    POST https://<nsx-mgr>/api/v1/trust-management/certificates/action/replace-host-certificate/8e84d532-2cd8-46d8-90c7-04862980f69c
    {
        "display_name": "cert_sample",
        "pem_encoded": "-----BEGIN CERTIFICATE-----\nMIIC1DCCAbygAwIBAgIUMd1fGNGnvYKtilon2UMBP4rqRAowDQYJKoZIhvcNAQEL\nBQAwDzENMAsGA1UEAwwETVlDQTAeFw0yMzA5MjYxODMxMzVaFw0zMzA5MjMxODMx\nMzVaMBYxFDASBgNVBAMMC2NlcnRfc2FtcGxlMIIBIjANBgkqhkiG9w0BAQEFAAOC\nAQ8AMIIBCgKCAQEAzMDsp1EGFPjus/xnHmacPJYVP0N8iQMb3W8TFFQC5jxdjNzi\ncMIb1YgpI+s3LJoyYCdZKeMcCWDwtgQXMTy9FYJCHKyt86CF0br9U9q9iC+NX93X\n+/wrWtXY89ESt0NOgj22sKI49EQT9bd0dNWupxapCb98Dyztk0cetIHa7ia1q7un\nXMZ7dofwuWUEUlT8qpyXF84N6bhWQSrXRyeQ+oZrsq3sAyfnKzbfcs0T3sztWn9M\nR7h8iPkjpJjVV5z1ghAgIDKFXG8RVU8fLgX5srtYV2Ij1II0qYwe/yGBfj7xsemB\n2lGGPotlbwUE5oPFISJvG9qLOoNKVLvBrxuNnQIDAQABoyEwHzAdBgNVHSUEFjAU\nBggrBgEFBQcDAQYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADggEBAAqPfZWNzG/b\nBhtN2gDjr0LplfC0yi8K6Ep3exECE5UOUJvHubko4Z6eCZFT8XSrAa6eZQEVe3O3\nwFvpdedCiEpI/IaFhpRUQDubJMPao7t4Uohz3k3ONMGbIci8dVUcQRQlmxFmx3wf\n0/33fy3b1zIOXqooQF3qUlpjms/RQOdD80dSlMze8WI7yz9LZt9Zc+sr8ePRi4Xy\ntudO6EYTiWm3CC5BxDDjKpkFCACFRT4zr5HsomHsFeo4hGIHl2zN0+JoGrdrWcta\nxdl5aQYy79vIMgvz696EKUGePEpJjpyP/wlwzmIY3RvXRKThuVXvg20gi365x8+J\niKbzpCGe0P0=\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nMIIC/zCCAeegAwIBAgIUUlHXcczsdMpei1ThgeQYpvgzaxMwDQYJKoZIhvcNAQEL\nBQAwDzENMAsGA1UEAwwETVlDQTAeFw0yMzA5MjYxODI2NDZaFw0zMzA5MjMxODI2\nNDZaMA8xDTALBgNVBAMMBE1ZQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK\nAoIBAQDbr78t32TUl1qTcDGvVQhiUkktntPO/5/FRDSIjy9qyNGDrcICDAYzOe79\nceXpOzfUStacEeTXse89q1MJz4ykaU2g6EUN2E4sfoP4KznBlObLHnnlxD482DL4\nbuMA8qCe0soUsGE6uoeFHnSW3M+NRI3GtJe1MM134JQ/TSNZTv+d93nB4bS2nSK7\nA1fFDRSuj8Ey7a1im8JgykL9ahJ6yxrpk8juEJwII04nHfAG102/8/YKEZyPWcPX\nYvLZEt/lBVxRPplWfbNIo3zfA09fzb4RMaOSsyBbqTBseL/4fxlnkeu1Rii3ZwcQ\nL4Wr6mKR1YCievsuXdLK5pWUH+BtAgMBAAGjUzBRMB0GA1UdDgQWBBTnYafa1EXn\nNPIqTkIO82kdamjDgTAfBgNVHSMEGDAWgBTnYafa1EXnNPIqTkIO82kdamjDgTAP\nBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQC2Ef+CPICTdWEKW3e6\nwaObe4Y85CS2wfSBRFvt0yCAUF8yysr3kQx85wdhfDfvidQdrgQIkDKe83J61r5l\n238wFo9O10RpFWl1csY4hZ19geeTW3L8tABp+f1or1vsAogfVtcaZwmqz/LEaZ0r\n4JdONE9gq40RgX5R9GPD04k3hKr6HoNHHnBssmNHgo8pLKRv04mx0yQyn45lKvet\ngcInI9j8YLsXGHdeiZ/zXKUgKQdicBw79K/mQCpgkpaEi3K9mFUFCUU9CiWxiy62\nSN2/SEuOWlb7Kq8VwJUfUn3lKoY9sofr9zsSsh5lhQOKb1uguo8xUF8v6iLuDAjr\n9bcn\n-----END CERTIFICATE-----\n",
        "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAzMDsp1EGFPjus/xnHmacPJYVP0N8iQMb3W8TFFQC5jxdjNzi\ncMIb1YgpI+s3LJoyYCdZKeMcCWDwtgQXMTy9FYJCHKyt86CF0br9U9q9iC+NX93X\n+/wrWtXY89ESt0NOgj22sKI49EQT9bd0dNWupxapCb98Dyztk0cetIHa7ia1q7un\nXMZ7dofwuWUEUlT8qpyXF84N6bhWQSrXRyeQ+oZrsq3sAyfnKzbfcs0T3sztWn9M\nR7h8iPkjpJjVV5z1ghAgIDKFXG8RVU8fLgX5srtYV2Ij1II0qYwe/yGBfj7xsemB\n2lGGPotlbwUE5oPFISJvG9qLOoNKVLvBrxuNnQIDAQABAoIBAQCE8JH2xIWVYlbh\np3RwaaDxOWTMMY4PC2SxLegOX8mOIQ2AYv3mxjD6QDCt8I9fNzKT+ZhLuPhAIp/H\nHfrM7im6aFtycK90qfmYxbarFi/O10kMQGZ2ZjDkBkqZa1qigGHd8CHIp1shRX5M\nIHPNU9vVAsJ34Mq0s7AA2sFV46X4zyEqHKLi1qVcsj68XJCrKJPTzOXiZWOHL8e0\nx4B8mGKbnWNmrq6styyYi9rzUnucoKL459YkaF/MEBpou3wvhprkR5Ufr4eNo0YV\nr0KfcEjxZqVT2o6r59+gSZQiCHael2MgslvMUTJOPgZ8tO78RQIHpH8GnNo+QkzB\nvXDfH2zhAoGBAPbeM7OveieHL37Iu/xY2wtDagSBD5K0VJhP8OOF5G1t1nHNcyWa\nYa49hTmGJ7bQsw5oGccvvsXCgGzaNbbAQtKlcz9kiXKOpTWV3t+RXtp0IXp8MIG6\nvWYd7yey7FHumHS/wC0h/REwx10153UpYaFJe2QJHw4yG9BJgN7o4duVAoGBANRT\n6BMPqV/6P9kJtduU8sZOVv3BbyUIkoBZlw2O7LB1IjIZcEm4By9DEAqCkFMp4gST\nW6o2eyXKp0oZ1UwqKdESG2LrGePNrmbQp7LvMngyk7CDqczA5gmnlndCy27k/d1Y\nQuWz+WDrqc8EAD7wRBmrwR0p3zCntPFRJPVu+yfpAoGACkDcYOAu8KlavadUt3xx\nTJx2MM2zeeJniRP461pKTIk9WOixmaQ53mTLvcHmsF8msLh+KZnAELKtZtgBVx/R\nJrKcgMuKMenezsT0xtBg4i3knhO+aAT7jNw9bKavzg9c4ax9LOK2ghpGjYaJoIIh\nffNxXoxKb+qA4TvMUHXXu6kCgYAhGeefORzVqqTTiDECx4jFo6bqLoLOSjTUr6Ld\n6T87DzfCiba4t2jfVFwm1036uRfUUMjEk3PFY3+LDNX05snYHzOHy1Eg84rR2oua\nWLIMjQ37QbtyAUybirXpZ89hPW/aVw0u1Ez3cCXr8Rq8tSZYvi8ABewWoL6TtGvH\nm4KqKQKBgCfZrv6wpCrS5Ep/AKQGdPOXCOM8O2+b4e/NJpSIH9Zk5Elg6WAunlCp\ntHyx1pZFq5RboxFw7DsM9eUTakHvGtTJ+EFHbyc5tKqWKnVbGmDYR6pNRULPEXU9\nhBQ1pzzmwGnO6AyxTxgoY5CosK2Ga1KjsWUXqay2QwIln+E+xxsm\n-----END RSA PRIVATE KEY-----\n"
    }
    Use the ID of the transport node in the URL path, not the Unified Appliance (UA) node ID. To find the transport node ID, refer to Finding Node IDs for Certificate API Calls.

    For details on the default self-signed certificates configured by the system or for VMware Cloud Foundation certificate requirements, refer to Types of Certificates.

  9. Certificates that originate from other locations in your federated NSX deployment have names starting with the word Site (for example, Site certificate L=PA,ST=CA,C=US or Site certificate UID=369cd66c-...) or are listed by their UUID only (for example, 637a2ebf-84d1-4548-a0ba-51d9420672ff). If such a certificate is expiring, perform the replacement on the originating node or cluster; you can find the originating location in the UI under the Where Used column or in the API in the Used By field. Certificates you replace on an originating Global Manager or Local Manager are automatically synchronized across the federated deployment.
  10. To remove an unused certificate, use the UI or the API. If the Where Used column in the Certificates pane shows zero, the certificate is not in use and you can remove it with the Delete button. If the Used By details in your API command output show zero, the certificate is not in use and you can remove it using the API System Administration > Settings > Certificates > Certificate Delete command.
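The procedure above, driven from a script, as an added example that is not code from VMware or the NSX documentation. It builds the exact URLs shown in steps 4 to 8, enforces which service_type values take a node_id and which do not, assembles the replace-host-certificate body from ordinary PEM text (json.dumps produces the required \n escapes, so the awk step is unnecessary when the body is built this way), and orders the manager-node and VIP replacements strictly one at a time with an explicit wait after each node, in line with the note against replacing several certificates at once. The manager hostname, IDs and PEM text at the bottom are constructed placeholders, and the use of Basic authentication in nsx_request() is an assumption.

```python
"""Build and sequence the NSX certificate replacement calls on this page.

Added example, not VMware code.  Network I/O is isolated in nsx_request();
every other function is pure and can be exercised offline.
"""
import base64
import json
import ssl
import urllib.request

BASE_PATH = "/api/v1/trust-management/certificates"
NODE_SCOPED = {"API", "APH"}                                        # per manager node, node_id required
CLUSTER_SCOPED = {"MGMT_CLUSTER", "LOCAL_MANAGER", "GLOBAL_MANAGER"}  # one call, no node_id


def validate_url(manager, cert_id):
    """GET this first: the prerequisite check that the imported certificate is valid."""
    return f"https://{manager}{BASE_PATH}/{cert_id}?action=validate"


def apply_certificate_url(manager, cert_id, service_type, node_id=None):
    """POST target for steps 4 to 7; rejects a missing or misplaced node_id."""
    url = f"https://{manager}{BASE_PATH}/{cert_id}?action=apply_certificate&service_type={service_type}"
    if service_type in NODE_SCOPED:
        if not node_id:
            raise ValueError(f"service_type={service_type} requires a manager node_id")
        return f"{url}&node_id={node_id}"
    if service_type in CLUSTER_SCOPED:
        if node_id:
            raise ValueError(f"service_type={service_type} does not take node_id")
        return url
    raise ValueError(f"unknown service_type {service_type!r}")


def replace_host_certificate_url(manager, transport_node_id):
    """POST target for step 8; takes the transport node ID, not the UA node ID."""
    return f"https://{manager}{BASE_PATH}/action/replace-host-certificate/{transport_node_id}"


def host_certificate_body(display_name, chain_pem, key_pem):
    """JSON body for replace-host-certificate.

    Each PEM value must be one line with every line break written as the two
    characters backslash-n.  Normalizing to LF with one trailing newline and then
    calling json.dumps yields exactly that, and the marker check catches the
    common copy/paste error of BEGIN/END lines with fewer than five dashes.
    """
    def normalize(pem, kind):
        pem = pem.replace("\r\n", "\n").strip()
        if not pem.startswith("-----BEGIN ") or not pem.endswith("-----"):
            raise ValueError(f"{kind}: expected -----BEGIN/-----END PEM markers")
        return pem + "\n"

    chain = normalize(chain_pem, "pem_encoded")
    if not chain.startswith("-----BEGIN CERTIFICATE-----"):
        raise ValueError("pem_encoded must start with the server certificate")
    key = normalize(key_pem, "private_key")
    if "PRIVATE KEY-----" not in key:
        raise ValueError("private_key is not a PEM private key")
    return json.dumps({"display_name": display_name, "pem_encoded": chain, "private_key": key}, indent=4)


def manager_replacement_plan(manager, cert_id, node_ids, has_vip=True):
    """Ordered (label, method, url) steps for one CA-signed cert across the cluster.

    Only one replacement may run at a time and the management service restarts
    after each API-certificate replacement, so a 'wait' entry follows every node:
    the operator confirms with `get cluster status` that the node is back in the
    MANAGER group before the next POST is issued.  The VIP is done last.
    """
    plan = [("validate", "GET", validate_url(manager, cert_id))]
    for node_id in node_ids:
        plan.append((f"api-cert {node_id}", "POST", apply_certificate_url(manager, cert_id, "API", node_id)))
        plan.append((f"wait {node_id}: get cluster status", None, None))
    if has_vip:
        plan.append(("vip-cert", "POST", apply_certificate_url(manager, cert_id, "MGMT_CLUSTER")))
    return plan


def nsx_request(method, url, user, password, cafile, body=None):
    """Send one call.  cafile holds the certificate (or CA) the manager presents
    today; never disable verification for a request that installs a new
    certificate, which is exactly when an interposed attacker gains the most."""
    ctx = ssl.create_default_context(cafile=cafile)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()   # Basic auth assumed
    req = urllib.request.Request(url, data=body.encode() if body else None, method=method,
                                 headers={"Authorization": f"Basic {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
        return resp.status, resp.read().decode()


# Constructed placeholders (not real certificates, keys or IDs) for a dry run.
SAMPLE_CHAIN_PEM = ("-----BEGIN CERTIFICATE-----\r\nMIIBsampleLeaf\r\n-----END CERTIFICATE-----\r\n"
                    "-----BEGIN CERTIFICATE-----\r\nMIIBsampleIssuer\r\n-----END CERTIFICATE-----\r\n")
SAMPLE_KEY_PEM = "-----BEGIN RSA PRIVATE KEY-----\nMIIEsampleKey\n-----END RSA PRIVATE KEY-----"

if __name__ == "__main__":
    for step in manager_replacement_plan("nsx-mgr.example.test", "<cert-id>", ["<node-1>", "<node-2>", "<node-3>"]):
        print(step)
    print(replace_host_certificate_url("nsx-mgr.example.test", "<transport-node-id>"))
    print(host_certificate_body("cert_sample", SAMPLE_CHAIN_PEM, SAMPLE_KEY_PEM))
```

The plan is deliberately a list the operator walks through rather than a loop that fires requests: the wait entries are where you run get cluster status, and the VIP step is skipped with has_vip=False when no VIP is configured. Federation PI certificates (LOCAL_MANAGER, GLOBAL_MANAGER) and APH certificates go through the same apply_certificate_url() with their own service_type.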