You can now replace self-signed or CA-signed appliance certificates from the NSX Manager. You can only replace certificates that have private key and are valid. You cannot replace a certificate that belongs to a service-certificate category.

You can replace the self-signed certificates for the following service types:
  • MGMT_CLUSTER (aka VIP)
  • CBM_CLUSTER_MANAGER
  • K8S_MSG_CLIENT
  • CBM_CORFU
  • CCP
  • APH_TN
  • LOCAL_MANAGER
  • GLOBAL_MANAGER
  • APH (aka APH_AR)
  • API
  • WEB_PROXY
Note: Note that starting from NSX 4.2, some certificates have been consolidated. When you replace such a certificate, ensure that the replacing certificate must either have a wild-card SAN entry that matches all the nodes in the cluster and the VIP or it must have as many SAN entries that match the VIP and the individual node addresses.

Going forward, use 'Apply Certificate' when you want to assign individual certificates to services that have been consolidated previously so that they become individual certificates again or to consolidate certificates that have been previously separated. After the de-consolidation of a certificate, use 'Replace Certificate' to renew it or replace it when it has expired.

Procedure

  1. With admin privileges, log in to NSX Manager.
  2. Navigate to System > Certificates.
    You see a list of all the certificates including, total certificates, certificates that are about to expire, and the certificates that are currently in use. All the certificates are arranged in different groups. You can also filter the certificates as per your requirements.
  3. To replace multiple certificates, perform the following steps:
    1. Select the certificates you want to replace, and click Actions > Replace Certificates.
    2. In the Replace Certificates dialog box, for each certificate select the required option:
      • Auto-generate Self Signed Certificate: Replaces the old certificate with a auto-generated self-signed certificate. This is the default option.
      • Import Certificates: Imports signed certificates to replace the old certificate. You need to select this option from the drop-down menu.
      • Generate Self Signed Certificate: Provides an option to create a self-signed certificate to replace the old certificate. You need to select this option from the drop-down menu.
    3. Click Save.
  4. To replace PI certificates, perform the following steps:
    1. Select the PI certificate that you want to replace.
    2. From the more option, click Replace Certificate.
    3. In the Replace Certificate dialog box, select the PI certificate from the drop-down menu.
    4. Click Save.