The system creates the certificates required for communication between NSX appliances and for external communication, including with NSX Federation appliances. This topic describes those certificates and their details.
The Certificates for NSX Manager table lists certificate details, including how long each certificate is valid, for new deployments only. New certificates are not generated during upgrades, so the validity dates of existing certificates reflect the default certificate expiration of the earlier NSX version that generated them. To replace existing self-signed certificates with CA-signed certificates, refer to Replace Certificates Through API. To read about security compliance events, refer to the NSX Event Catalog.
Certificate Naming Convention | Purpose | Replaceable using service_type | Default Validity
---|---|---|---
APH (aka APH_AR) | Appliance Proxy Hub (APH) server public key and Asynchronous Replicator for cross-site communication, for Federation | Yes, use service_type=APH. | 825 days
APH_TN | Appliance Proxy Hub (APH) certificate for transport node (TN) and intra-cluster communication | Yes, use service_type=APH_TN. | 825 days
API | API server certificate for the NSX Manager node | Yes, use service_type=API. | 825 days
CCP | Central Control Plane certificate used to communicate with transport nodes | Yes, use service_type=CCP. | 10 years
MGMT_CLUSTER (aka VIP) | API server certificate used by the VIP | Yes, use service_type=MGMT_CLUSTER. | 825 days
CBM_CLUSTER_MANAGER | Corfu client certificate | Yes, use service_type=CBM_CLUSTER_MANAGER. | 100 years
CBM_CORFU | Corfu server certificate | Yes, use service_type=CBM_CORFU. | In 4.1.0, 825 days. Starting in 4.1.1, 100 years.
Certificates for NSX Federation Communication
By default, the Global Manager uses self-signed certificates for communicating with internal components and registered Local Managers, and for authenticating NSX Manager UI or API access.
You can view the external (UI/API) and inter-site certificates in NSX Manager. The internal certificates are not viewable or editable.
Certificates for Global Managers and Local Managers
After you add a Local Manager to the Global Manager, trust is established by exchanging certificates between the Local Manager and the Global Manager. These certificates are also copied to each of the sites registered with the Global Manager. Starting in NSX 4.1.0, the certificate used to establish trust with the Global Manager is generated only when the Local Manager registers with the Global Manager, and that certificate is deleted if the Local Manager is removed from the NSX Federation environment.
See the Certificates for Global Managers and Local Managers table for a list of all the NSX Federation-specific certificates created for each appliance and the certificates these appliances exchange with each other:
Naming Convention in the Global Manager or Local Manager | Purpose | Replaceable? | Default Validity
---|---|---|---
The following are certificates specific to each NSX Federation appliance. | | |
APH-AR certificate | | Yes, use service_type=APH. See Replace Certificates Through API. | 10 years
GlobalManager | | Yes, use service_type=GLOBAL_MANAGER. See Replace Certificates Through API. | 825 days
Cluster certificate | | Yes, use service_type=MGMT_CLUSTER. See Replace Certificates Through API. | 825 days
API certificate | | Yes, use service_type=API. See Replace Certificates Through API. | 825 days
LocalManager | | Yes, use service_type=LOCAL_MANAGER. See Replace Certificates Through API. | 825 days
The LM and the GM share their Cluster, API, and APH-AR certificates with each other. If a certificate is CA-signed, the CA is synchronized, but that certificate is not. | | |
Principal Identity (PI) Users for NSX Federation
NSX Federation Appliance | PI User Name | PI User Role
---|---|---
Global Manager | LocalManagerIdentity. One for each Local Manager registered with this Global Manager. | Auditor
Local Manager | GlobalManagerIdentity | Enterprise Admin
Local Manager | LocalManagerIdentity. One for each Local Manager registered with the same Global Manager. Local Manager PI users are not visible in the UI; to list them, call the following API: GET https://<local-mgr>/api/v1/trust-management/principal-identities | Auditor
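The two operational points above, that certificates are not regenerated on upgrade (so an 825-day certificate can quietly run out while the current default says 100 years) and that Local Manager PI users are only visible through the API, both call for a periodic audit. The following is an added example, not VMware's code: an offline Python check over constructed sample data. The record layouts (fields `id`, `service_types`, `not_valid_before`, `not_valid_after`, `name`, `role`, `node_id`) and the lower-case role identifiers are assumptions for illustration, not the documented API schema; feed it the real `results` lists from the trust-management API only after confirming the field names.

```python
"""Offline audit of NSX certificate validity and Federation PI users.

Added example, not VMware's code. The two lists below are constructed
samples; their field names and role identifiers are assumed and are not
taken from this page.
"""
from datetime import datetime, timezone

# Default validity per service type, as stated in the tables on this page
# (years converted at 365 days).
DEFAULT_VALIDITY_DAYS = {
    "APH": 825, "APH_TN": 825, "API": 825, "MGMT_CLUSTER": 825,
    "GLOBAL_MANAGER": 825, "LOCAL_MANAGER": 825,
    "CCP": 10 * 365, "CBM_CLUSTER_MANAGER": 100 * 365, "CBM_CORFU": 100 * 365,
}

# Expected Federation PI users and roles, per the table above (role ids assumed).
EXPECTED_PI_ROLES = {"GlobalManagerIdentity": "enterprise_admin",
                     "LocalManagerIdentity": "auditor"}

# Fixed reference time so the example is deterministic (constructed).
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)

# Constructed sample certificates: an API cert nearing expiry, a healthy VIP
# cert, and a Corfu server cert still carrying the 4.1.0-era 825-day validity.
SAMPLE_CERTIFICATES = [
    {"id": "cert-api-01", "service_types": ["API"],
     "not_valid_before": "2022-01-10T00:00:00Z", "not_valid_after": "2024-04-14T00:00:00Z"},
    {"id": "cert-vip-01", "service_types": ["MGMT_CLUSTER"],
     "not_valid_before": "2024-01-01T00:00:00Z", "not_valid_after": "2026-04-05T00:00:00Z"},
    {"id": "cert-corfu-01", "service_types": ["CBM_CORFU"],
     "not_valid_before": "2023-06-01T00:00:00Z", "not_valid_after": "2025-09-03T00:00:00Z"},
]

# Constructed sample PI users: the expected Federation identities plus one
# extra Enterprise Admin identity that an operator should account for.
SAMPLE_PRINCIPAL_IDENTITIES = [
    {"name": "GlobalManagerIdentity", "role": "enterprise_admin", "node_id": "gm-node-1"},
    {"name": "LocalManagerIdentity", "role": "auditor", "node_id": "lm-site-a"},
    {"name": "LocalManagerIdentity", "role": "auditor", "node_id": "lm-site-b"},
    {"name": "svc-automation", "role": "enterprise_admin", "node_id": "unknown"},
]


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the samples."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def days_remaining(cert: dict, now: datetime = NOW) -> int:
    """Whole days until the certificate's not_valid_after (negative if expired)."""
    return (parse_ts(cert["not_valid_after"]) - now).days


def expiring_certificates(certs, now=NOW, threshold_days=90):
    """(id, service_type, days_left) for certificates expiring within the threshold."""
    found = []
    for cert in certs:
        left = days_remaining(cert, now)
        if left <= threshold_days:
            for svc in cert["service_types"]:
                found.append((cert["id"], svc, left))
    return found


def nondefault_validity(certs):
    """(id, service_type, actual_days, default_days) for certificates whose
    lifetime differs from the current default for their service type. Because
    certificates are not regenerated on upgrade, these are usually certs issued
    by an earlier NSX version and are worth reviewing before they lapse."""
    found = []
    for cert in certs:
        span = (parse_ts(cert["not_valid_after"]) - parse_ts(cert["not_valid_before"])).days
        for svc in cert["service_types"]:
            expected = DEFAULT_VALIDITY_DAYS.get(svc)
            if expected is not None and span != expected:
                found.append((cert["id"], svc, span, expected))
    return found


def unexpected_principal_identities(pis):
    """PI users that are not the expected Federation identities, or whose role
    differs from the role the table above assigns to that identity."""
    return [p for p in pis if EXPECTED_PI_ROLES.get(p["name"]) != p["role"]]


if __name__ == "__main__":
    for item in expiring_certificates(SAMPLE_CERTIFICATES):
        print("EXPIRING", item)
    for item in nondefault_validity(SAMPLE_CERTIFICATES):
        print("NON-DEFAULT VALIDITY", item)
    for p in unexpected_principal_identities(SAMPLE_PRINCIPAL_IDENTITIES):
        print("REVIEW PI USER", p["name"], p["role"], p["node_id"])
```

On the constructed data the script reports the API certificate with 44 days left, flags the Corfu certificate because its 825-day lifetime no longer matches the 100-year default, and lists `svc-automation` as a PI user outside the two Federation identities. The validity comparison is deliberately strict (exact day count) so that any certificate issued under a different default stands out; loosen it if your deployment issues CA-signed certificates with their own lifetimes.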