After you install NSX, the manager nodes and the cluster have self-signed certificates. Replace them with CA-signed certificates, using a single common CA-signed certificate whose SAN (Subject Alternative Name) lists the FQDNs and IPs of all the nodes and the VIP of the cluster. Only one certificate replacement operation can run at a time.
If you are using NSX Federation, you can replace the GM API certificates, GM cluster certificate, LM API certificates, and LM cluster certificates using the following APIs.
Starting in NSX Federation 4.1, you can replace the self-signed certificate used for GM-LM communication. In addition, the Local Manager certificate is now generated by the Global Manager at the time the Local Manager is registered, so it is no longer a default certificate.
When you replace the Global Manager or Local Manager certificate, the site manager distributes the new certificate to all the other federated sites, so communication remains intact.
- the NSX nodes within the cluster.
- within the NSX Federation.
- the NSX Manager to NSX Edge.
- the NSX Manager to NSX agent.
- the NSX Manager REST API communication (external).
You can also replace the platform Principal Identity certificates auto-created for the Global Manager and Local Manager appliances. See Certificates for NSX and NSX Federation for details on self-signed certificates auto-configured for NSX Federation.
Prerequisites
- Verify that a certificate is available in the NSX Manager. Note that on a standby Global Manager the UI import operation is deactivated. For details on the import REST API command for a standby Global Manager, refer to Import a Self-signed or CA-signed Certificate.
- The server certificate must contain the Basic Constraints extension basicConstraints = CA:FALSE.
- Verify that the certificate is valid by making the following API call:
GET https://<nsx-mgr>/api/v1/trust-management/certificates/<cert-id>?action=validate
- Have your node ID string available, if needed. For help locating this information using the UI or the CLI, refer to Finding Node IDs for Certificate API Calls.
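The two certificate requirements stated above (a SAN that covers every manager node FQDN and IP plus the cluster VIP, and a Basic Constraints extension of CA:FALSE) can be checked locally before the import. The following is an added example, not part of the NSX documentation; it assumes the openssl command-line tool is installed, and every hostname and address in it is constructed.

```shell
# Added example, not from the NSX documentation: pre-check a PEM certificate
# locally for the two requirements stated above (basicConstraints CA:FALSE and
# a SAN covering every node FQDN/IP plus the VIP). Needs the openssl CLI.
# All hostnames and IPs below are constructed.

# check_nsx_cert CERT NAME...: 0 if CERT is a non-CA certificate whose SAN
# lists every NAME as a DNS or IP entry; else reports each gap, returns 1.
check_nsx_cert() {
    cert=$1; shift
    text=$(openssl x509 -in "$cert" -noout -text) || return 1
    rc=0
    # The CA flag is on the line after the "X509v3 Basic Constraints" header.
    if ! printf '%s\n' "$text" | sed -n '/X509v3 Basic Constraints/{n;p;}' | grep -q 'CA:FALSE'; then
        echo "FAIL: basicConstraints missing or not CA:FALSE" >&2; rc=1
    fi
    # SAN entries one per line, e.g. "DNS:host" or "IP Address:10.0.0.10".
    sans=$(printf '%s\n' "$text" | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' | sed 's/^ *//')
    for name in "$@"; do
        printf '%s\n' "$sans" | grep -qxF -e "DNS:$name" -e "IP Address:$name" \
            || { echo "FAIL: SAN does not cover $name" >&2; rc=1; }
    done
    return $rc
}

# make_demo_cert DIR: constructed self-signed cert for three manager nodes and
# their VIP, carrying exactly the extensions the page requires.
make_demo_cert() {
    cat > "$1/req.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_nsx
[ dn ]
CN = nsx-vip.example.com
[ v3_nsx ]
basicConstraints = CA:FALSE
subjectAltName = DNS:nsx-vip.example.com,DNS:nsx-mgr-01.example.com,DNS:nsx-mgr-02.example.com,DNS:nsx-mgr-03.example.com,IP:10.0.0.10,IP:10.0.0.11,IP:10.0.0.12,IP:10.0.0.13
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/req.cnf" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

DEMO=$(mktemp -d)
make_demo_cert "$DEMO"
check_nsx_cert "$DEMO/cert.pem" nsx-vip.example.com nsx-mgr-01.example.com \
    nsx-mgr-02.example.com nsx-mgr-03.example.com 10.0.0.10 10.0.0.11 10.0.0.12 10.0.0.13 \
    && echo "OK: certificate covers the VIP and every node"
```

This local check complements, and does not replace, the validate API call above, which is run on the manager after the certificate has been imported.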