After you deploy the remaining NSX-T Manager appliances, replace the default certificate for them to establish a trusted connection with the management components in the SDDC. To replace the certificate for an NSX-T Manager instance, you import the certificates through the NSX-T Manager user interface and replace the existing certificates using a REST API client.

You use the CertGenVVD utility to generate a certificate that is signed by a certificate authority (CA) on the parent Active Directory server.

Table 1. URLs for Replacing the Certificates for the NSX-T Manager Appliances
NSX-T Manager Appliance POST URL for Certificate Replacement
sfo01wnsx01b https://sfo01wnsx01b.sfo01.rainpole.local/api/v1/node/services/http?action=apply_certificate&certificate_id=sfo01wnsx01b_certificate_ID
sfo01wnsx01c https://sfo01wnsx01c.sfo01.rainpole.local/api/v1/node/services/http?action=apply_certificate&certificate_id=sfo01wnsx01c_certificate_ID


  1. Log in to the user interface of the first NSX-T Manager appliance.
    1. Open a Web browser and go to https://sfo01wnsx01a.sfo01.rainpole.local.
    2. Log in by using the following credentials.
      Setting Value
      User name admin
      Password nsx_admin_password
  2. Retrieve the ID of the certificate for the NSX-T Manager node.
    1. On the main navigation bar, click System.
    2. In the navigation pane, select Certificates.
    3. Click the ID value of the sfo01wnsx01b certificate and copy its value from the text box that appears.
  3. Log in to the Windows host that has access to your data center.
  4. Replace the default certificate for the NSX-T Manager appliance with the CA-signed certificate.
    1. Start the Postman application in your Web browser and log in.
    2. On the Authorization tab, configure the following settings and click Update Request.




      Basic Auth

      User name




    3. On the Headers tab, enter the following header details.





      Key Value


    4. In the request pane at the top, from the drop-down menu that contains the HTTP request methods, select POST, and in the URL text box, enter the following URL query.
      After the NSX-T Manager appliance sends a response back, on the  Body tab, you see a 202 Accepted status.
  5. To upload the CA-signed certificate on the sfo01wnsx01c NSX-T Manager appliance, repeat Step 2 to Step 4.
  6. Log in to vCenter Server by using the vSphere Client.
    1. Open a Web browser and go to https://sfo01m01vc01.sfo01.rainpole.local/ui.
    2. Log in by using the following credentials.
      Setting Value
      User name administrator@vsphere.local
      Password vsphere_admin_password
  7. Restart the NSX-T Manager appliances.
    1. In the VMs and Templates inventory, expand the sfo01m01vc01.sfo01.rainpole.local > sfo01-m01dc > sfo01-m01fd-nsx tree.
    2. Right-click the sfo01wnsx01b virtual machine, and select Power > Restart Guest OS.
    3. Right-click the sfo01wnsx01c virtual machine, and select Power > Restart Guest OS.
  8. In the user interface of NSX-T Manager, verify that the Repository Status for each NSX-T Manager appliance is Sync Complete , and that the status of the management cluster is Stable.