After you deploy NSX Application Platform, you can replace an expired private Harbor certificate, or replace an existing private Harbor certificate with a new one.

Prerequisites

Verify that you have an NSX Application Platform deployment with a private Harbor certificate. See Run the NSX Application Platform Automation Appliance Deployment Wizard.

Procedure

  1. Create a CA certificate, a server certificate, and a server key for the private Harbor.
    Note: The self-signed or private CA certificate must have a Subject Alternative Name (SAN).
    mkdir harbor-certs
    openssl genrsa -out ca.key 4096
    openssl req -x509 -new -nodes -sha512 -days 3650 -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=harbor-ip.corp.local" -key ca.key -out ca.crt
    openssl genrsa -out harbor-ip.corp.local.key 4096
    openssl req -sha512 -new -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=harbor-ip.corp.local" -key harbor-ip.corp.local.key -out harbor-ip.corp.local.csr
    
    cat > v3.ext <<-EOF
    authorityKeyIdentifier=keyid,issuer
    basicConstraints=CA:FALSE
    keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
    extendedKeyUsage = serverAuth
    subjectAltName = @alt_names
    [alt_names]
    DNS.1=harbor-ip.corp.local
    DNS.2=harbor-fqdn
    IP.1=harbor-ip
    EOF
    
    openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in harbor-ip.corp.local.csr -out harbor-ip.corp.local.crt
    
    root@nappa [ /opt/napp/harbor-certs ]# ls -al *.crt *.key
    -rw-r--r-- 1 root root 2069 Jan 29 12:59 ca.crt
    -rw------- 1 root root 3272 Jan 29 12:59 ca.key
    -rw-r--r-- 1 root root 2179 Jan 29 13:03 harbor-ip.corp.local.crt
    -rw------- 1 root root 3272 Jan 29 13:00 harbor-ip.corp.local.key
    
  2. Copy the certificates to the /storage/certs directory in the Harbor VM, renaming them as follows:
    ca.crt -> harbor_ca.crt
    harbor-ip.corp.local.crt -> server.crt
    harbor-ip.corp.local.key -> server.key
    
    root@20 [ /storage/certs ]# ls
    harbor_ca.crt  server.crt  server.key
    root@harbor [ /storage/certs ]# cat harbor_ca.crt
  3. Copy the certificates to the required locations in the Harbor VM.
    Log in to the Harbor VM.
    cd /storage/certs
    cp server.crt /storage/data/secret/cert/server.crt
    cp server.key /storage/data/secret/cert/server.key
    cp harbor_ca.crt /storage/data/ca_download/ca.crt
  4. Reboot the Harbor VM to apply and use the new certificates.
  5. Change the private Harbor certificate in NSX.
    1. Log in to the NSX Manager with admin privileges.
    2. Select System > Certificates.
    3. Add the harbor_ca.crt certificate (the file in the /storage/certs directory of the Harbor VM) to NSX.
      See the Creating Self-signed Certificates topic in the Certificates section of the NSX Administration Guide, which is delivered with the VMware NSX Documentation set.
  6. Update the private Harbor certificate in the NSX Application Platform registry details.
    1. Select System > NSX Application Platform > Actions > Settings.
    2. Edit the platform settings.
    3. Select Edit Platform Settings > Select new custom certificate for Private harbor.
  7. Cordon the existing Kubernetes worker nodes to change the private Harbor certificate in the Kubernetes guest cluster.
    1. Log in to the NSX Manager CLI as a root user.
    2. List the existing Kubernetes worker nodes.
      root@nsx-mgr-0:~# napp-k get nodes
      NAME                                                  STATUS   ROLES           AGE   VERSION
      napp-cluster-default-qrk2r-f8xjc                      Ready    control-plane   19h   v1.26.5+vmware.2-fips.1
      napp-cluster-default-qrk2r-hgtq8                      Ready    control-plane   19h   v1.26.5+vmware.2-fips.1
      napp-cluster-default-qrk2r-kw6kk                      Ready    control-plane   19h   v1.26.5+vmware.2-fips.1
      napp-cluster-default-workers-qljgg-5758975fcb-btzrw   Ready    <none>          19h   v1.26.5+vmware.2-fips.1
      napp-cluster-default-workers-qljgg-5758975fcb-mbpfp   Ready    <none>          19h   v1.26.5+vmware.2-fips.1
      napp-cluster-default-workers-qljgg-5758975fcb-md5wp   Ready    <none>          19h   v1.26.5+vmware.2-fips.1
      napp-cluster-default-workers-qljgg-5758975fcb-pnnr2   Ready    <none>          19h   v1.26.5+vmware.2-fips.1
      napp-cluster-default-workers-qljgg-5758975fcb-wl6h9   Ready    <none>          19h   v1.26.5+vmware.2-fips.1
    3. Cordon the Kubernetes worker nodes.
      napp-k cordon <worker-node-1> <worker-node-2> ...
      Example -
      root@nsx-mgr-0:~# napp-k cordon napp-cluster-default-workers-qljgg-5758975fcb-btzrw napp-cluster-default-workers-qljgg-5758975fcb-mbpfp napp-cluster-default-workers-qljgg-5758975fcb-md5wp napp-cluster-default-workers-qljgg-5758975fcb-pnnr2 napp-cluster-default-workers-qljgg-5758975fcb-wl6h9
      node/napp-cluster-default-workers-qljgg-5758975fcb-btzrw cordoned
      node/napp-cluster-default-workers-qljgg-5758975fcb-mbpfp cordoned
      node/napp-cluster-default-workers-qljgg-5758975fcb-md5wp cordoned
      node/napp-cluster-default-workers-qljgg-5758975fcb-pnnr2 cordoned
      node/napp-cluster-default-workers-qljgg-5758975fcb-wl6h9 cordoned
    4. Verify that the Kubernetes worker nodes are cordoned.
      root@nsx-mgr-0:~# napp-k get nodes
      NAME                                                  STATUS                     ROLES           AGE   VERSION
      napp-cluster-default-qrk2r-f8xjc                      Ready                      control-plane   19h   v1.26.5+vmware.2-fips.1
      napp-cluster-default-qrk2r-hgtq8                      Ready                      control-plane   19h   v1.26.5+vmware.2-fips.1
      napp-cluster-default-qrk2r-kw6kk                      Ready                      control-plane   19h   v1.26.5+vmware.2-fips.1
      napp-cluster-default-workers-qljgg-5758975fcb-btzrw   Ready,SchedulingDisabled   <none>          19h   v1.26.5+vmware.2-fips.1
      napp-cluster-default-workers-qljgg-5758975fcb-mbpfp   Ready,SchedulingDisabled   <none>          19h   v1.26.5+vmware.2-fips.1
      napp-cluster-default-workers-qljgg-5758975fcb-md5wp   Ready,SchedulingDisabled   <none>          19h   v1.26.5+vmware.2-fips.1
      napp-cluster-default-workers-qljgg-5758975fcb-pnnr2   Ready,SchedulingDisabled   <none>          19h   v1.26.5+vmware.2-fips.1
      napp-cluster-default-workers-qljgg-5758975fcb-wl6h9   Ready,SchedulingDisabled   <none>          19h   v1.26.5+vmware.2-fips.1
  8. Change the certificate in the Tanzu Kubernetes guest cluster.
    1. Log in to the WCP Supervisor cluster.
    2. List the Tanzu Kubernetes guest cluster across all namespaces.
      kubectl get tkc -A
      NAMESPACE         NAME                   CONTROL PLANE   WORKER   TKR NAME                          AGE     READY   TKR COMPATIBLE   UPDATES AVAILABLE
      napp-ns-default   napp-cluster-default   3               5        v1.26.5---vmware.2-fips.1-tkg.1   3h36m   True    True
    3. List the Tanzu Kubernetes guest cluster where you want to modify the private Harbor registry certificate.
      kubectl get tkc <tkc-name> -n <namespace>
      
      Example - 
      kubectl get tkc napp-cluster-default -n napp-ns-default
      NAME                   CONTROL PLANE   WORKER   TKR NAME                          AGE     READY   TKR COMPATIBLE   UPDATES AVAILABLE
      napp-cluster-default   3               5        v1.26.5---vmware.2-fips.1-tkg.1   3h36m   True    True
      
    4. Remove the old private Harbor certificate and certificate name and add the new ones.
      Note: Use a different certificate name for the new private Harbor certificate in the Tanzu Kubernetes Cluster configuration.

      kubectl edit tkc <tkc-name> -n <namespace>
      
      spec:
        distribution:
          fullVersion: v1.26.5+vmware.2-fips.1-tkg.1
          version: ""
        settings:
          network:
            cni:
              name: antrea
            pods:
              cidrBlocks:
              - 192.168.0.0/16
            serviceDomain: cluster.local
            services:
              cidrBlocks:
              - 10.96.0.0/12
            trust:
              additionalTrustedCAs:
              - data: <old_certificate_in_base_64_encoded_format>       ---> remove old cert
                name: old-harbor-cert                                   ---> remove old cert name
              - data: <new_certificate_in_base_64_encoded_format>       ---> add new cert in base 64 encoded format
                name: new-harbor-cert                                   ---> add new cert name
      
      The value of data is the new certificate in base64-encoded form.
    5. Provision the new set of control plane and worker nodes with the new private Harbor certificate, and monitor the rollout of the machine sets.
      kubectl get machinesets -A
      NAMESPACE         NAME                                            CLUSTER                REPLICAS   READY   AVAILABLE   AGE     VERSION
      napp-ns-default   napp-cluster-default-workers-gw6dj-649cb95985   napp-cluster-default   1                              35s     v1.26.5+vmware.2-fips.1
      napp-ns-default   napp-cluster-default-workers-gw6dj-747c99665f   napp-cluster-default   5          5       5           3h40m   v1.26.5+vmware.2-fips.1
    6. List the Tanzu Kubernetes guest cluster to check the status.
      kubectl get tkc <tkc-name> -n <namespace>
      Note: NSX Application Platform remains unstable until the Tanzu Kubernetes guest cluster is ready.
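As an added check that is not part of the VMware procedure: before copying the step 1 files to the Harbor VM, and before pasting the base64 value in step 8.4, the POSIX shell functions below verify that the server certificate chains to the CA, is not about to expire, carries the SAN and the serverAuth EKU, and matches its key, and that the base64 data decodes to the same CA as harbor_ca.crt. It assumes a Linux host with OpenSSL 1.1.1 or later and GNU coreutils base64; the host name, IP address and throwaway PKI are constructed for the demo.

```shell
# Added example, not part of the VMware procedure: checks for the files created in
# step 1 and for the base64 "data" value used in step 8.4. Assumes OpenSSL 1.1.1+
# and GNU coreutils base64; every host name and IP below is constructed.
set -eu

# Return 0 when CERT chains to CA, keeps at least MIN_DAYS of validity, carries a
# subjectAltName covering HOST, has the serverAuth EKU and matches KEY.
check_harbor_cert() {
    ca=$1 cert=$2 key=$3 host=$4 min_days=${5:-30}
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || { echo "chain: FAIL"; return 1; }
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null \
        || { echo "expiry: FAIL (less than $min_days days left)"; return 1; }
    text=$(openssl x509 -in "$cert" -noout -text)
    # the SAN is mandatory (step 1 note): clients ignore a CN-only certificate
    printf '%s\n' "$text" | grep -Eq "(DNS|IP Address):$host(,| *$)" \
        || { echo "san: FAIL ($host not in subjectAltName)"; return 1; }
    printf '%s\n' "$text" | grep -q "TLS Web Server Authentication" \
        || { echo "eku: FAIL (serverAuth missing)"; return 1; }
    [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] \
        || { echo "key: FAIL (server.key does not match server.crt)"; return 1; }
    echo "ok"
}

# Single-line base64 of a PEM file, the form the additionalTrustedCAs data field takes.
tkc_ca_data() { base64 -w0 "$1"; }

# Return 0 when a base64 data value decodes to the same certificate as CA_FILE,
# compared by SHA-256 fingerprint so whitespace differences do not matter.
check_tkc_ca_data() {
    got=$(printf '%s' "$1" | base64 -d | openssl x509 -noout -fingerprint -sha256)
    want=$(openssl x509 -in "$2" -noout -fingerprint -sha256)
    [ "$got" = "$want" ]
}

# Build a throwaway CA and server certificate in DIR with the step 1 recipe
# (2048-bit keys for speed; the procedure uses 4096).
make_demo_pki() {
    dir=$1 host=$2 ip=$3
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -sha512 -days 3650 -subj "/O=example/CN=demo-ca" \
        -key "$dir/ca.key" -out "$dir/ca.crt"
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -sha512 -new -subj "/O=example/CN=$host" -key "$dir/server.key" -out "$dir/server.csr"
    printf '%s\n' "basicConstraints=CA:FALSE" "keyUsage=digitalSignature,keyEncipherment" \
        "extendedKeyUsage=serverAuth" "subjectAltName=DNS:$host,IP:$ip" > "$dir/v3.ext"
    openssl x509 -req -sha512 -days 3650 -extfile "$dir/v3.ext" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -in "$dir/server.csr" -out "$dir/server.crt" 2>/dev/null
}
```

Run check_harbor_cert against the real ca.crt, harbor-ip.corp.local.crt and .key from step 1, once per name and IP in the SAN, and check_tkc_ca_data against the data value you paste into the tkc spec.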