Supervisor uses TLS for communication between Supervisor and NSX. There are various NSX certificates you may need to rotate if you have deployed Supervisor with the NSX networking stack.

NSX Certificates Used by Supervisor

WCP with NSX uses two certificates for integration with NSX:
  • NSX Load Balancer certificate and key
  • NSX Manager certificate and key
For more information on these certificates, see Certificates for NSX Federation in the NSX Administration Guide.
Note: The information in this topic is based on NSX v3.2.

Rotate the NSX Load Balancer Certificate and Key

You can rotate the NSX Load Balancer TLS certificate and key at the Supervisor > Certificates > NSX Load Balancer screen.
  • Select Actions > Generate CSR to generate the certificate.
  • Select Actions > Replace Certificate to update the certificate and key.

Generate a Self-Signed Certificate and Key for Each NSX Manager Node

Supervisor uses the Enterprise Admin account to access the NSX Manager API. If the NSX Manager certificate expires, Supervisor cannot access NSX.

If the NSX Manager certificate(s) expire, check the Supervisor log:
tail -f /var/log/vmware/wcp/wcpsvc.log
You may see errors similar to the following:
error wcp [kubelifecycle/nsx_pi.go:47] ... Error creating WCP service principal identity. 
Err: NSX service-wide principal identity creation failed: ... x509: certificate has expired
error wcp [kubelifecycle/controller.go:554] ... Failed to create WCP service PI in NSX.
Err: WCP service principal idenitity creation failed: NSX service-wide principal identity creation failed: 
... x509: certificate has expired

To resolve the issue, update the certificate and key for each NSX Manager node. If you are using a 3-node NSX Management cluster with a VIP address, be aware that Supervisor does not use the VIP address. This means that you will need to rotate each certificate on each of the NSX Manager nodes. You cannot rotate the certificates by only replacing the VIP certificate.
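The check below is an added example, not part of the VMware documentation or Supervisor itself. It connects to each NSX Manager node directly (deliberately not the VIP, for the reason just given) and reports how many days remain on the certificate the node presents and whether the node's FQDN and IP both appear in its subjectAltName, so an expiry can be caught before wcpsvc.log fills with "certificate has expired". The node inventory and the sample certificate dictionary are constructed values; the cafile argument is assumed to point at the trust anchor for the node's certificate (for a self-signed certificate, the nsx-mgr-01.crt file itself), using only the Python standard library.

```python
import socket
import ssl

# Constructed inventory: one entry per NSX Manager node, never the cluster VIP.
NSX_MANAGER_NODES = [
    {"host": "10.197.79.122", "fqdn": "nsx-mgr-01.example.local", "ip": "10.197.79.122"},
]


def parse_cert_time(value):
    """Turn an X.509 time as rendered by getpeercert() ('Mar 10 12:00:00 2030 GMT')
    into seconds since the epoch."""
    return ssl.cert_time_to_seconds(value)


def evaluate_peer_cert(cert, fqdn, ip, now_ts=None, warn_days=30):
    """Evaluate a certificate dict in the shape SSLSocket.getpeercert() returns.

    Reports expiry (expired / expiring within warn_days / ok) and lists any of
    the expected subjectAltName entries that are missing: the FQDN must be a DNS
    entry and the IP an 'IP Address' entry, matching what the rotation
    procedure puts into the OpenSSL configuration."""
    if now_ts is None:
        import time
        now_ts = time.time()
    not_after_ts = parse_cert_time(cert["notAfter"])
    days_left = int((not_after_ts - now_ts) // 86400)
    sans = set(cert.get("subjectAltName", ()))
    missing = []
    if ("DNS", fqdn) not in sans:
        missing.append(f"DNS:{fqdn}")
    if ("IP Address", ip) not in sans:
        missing.append(f"IP:{ip}")
    if days_left < 0:
        status = "expired"
    elif days_left < warn_days:
        status = "expiring"
    else:
        status = "ok"
    return {"status": status, "days_left": days_left,
            "not_after": cert["notAfter"], "missing_san": missing}


def check_nsx_manager_node(host, fqdn, ip, port=443, cafile=None, timeout=10):
    """Open a TLS connection to one NSX Manager node and evaluate its certificate.

    cafile is the trust anchor used to verify the node's certificate (assumption:
    the self-signed nsx-mgr-0N.crt you imported). An expired certificate fails
    verification here with the same reason Supervisor logs."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=fqdn) as tls:
                return evaluate_peer_cert(tls.getpeercert(), fqdn, ip)
    except ssl.SSLCertVerificationError as exc:
        return {"status": "verify_failed", "reason": exc.verify_message,
                "days_left": None, "not_after": None, "missing_san": []}


if __name__ == "__main__":
    for node in NSX_MANAGER_NODES:
        result = check_nsx_manager_node(node["host"], node["fqdn"], node["ip"],
                                        cafile="nsx-mgr-01.crt")
        print(node["host"], result)
```

Run it from a host that can reach the NSX Manager nodes on 443; a "verify_failed" result with "certificate has expired" in the reason is the condition the Supervisor log excerpt above reports, and a non-empty missing_san list means the certificate will not match the node the way Supervisor addresses it.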

  1. To rotate the certificate for an NSX Manager node, create a certificate signing request configuration file named nsx-mgr-01-cert.cnf and populate it with the contents below.

    Where:

    • NSX-MGR-IP-ADDRESS is the NSX Manager IP address
    • NSX-MGR-FQDN is the NSX Manager FQDN or IP address
    nsx-mgr-01-cert.cnf
    [ req ]
    default_bits = 2048
    default_md = sha256
    prompt = no
    distinguished_name = req_distinguished_name
    x509_extensions = SAN
    req_extensions = v3_ca
    
    [ req_distinguished_name ]
    countryName = US
    stateOrProvinceName = California
    localityName = CA
    organizationName = NSX
    commonName = NSX-MGR-IP-ADDRESS  #CAN ONLY USE IF SAN IS ALSO USED
    
    [ SAN ]
    basicConstraints = CA:false
    subjectKeyIdentifier = hash
    authorityKeyIdentifier=keyid:always,issuer:always
    
    [ v3_ca ]
    subjectAltName = DNS:NSX-MGR-FQDN,IP:NSX-MGR-IP-ADDRESS  #MUST USE
    
    For example:
    [ req ]
    default_bits = 2048
    default_md = sha256
    prompt = no
    distinguished_name = req_distinguished_name
    x509_extensions = SAN
    req_extensions = v3_ca
    
    [ req_distinguished_name ]
    countryName = US
    stateOrProvinceName = California
    localityName = CA
    organizationName = NSX
    commonName = 10.197.79.122
    
    [ SAN ]
    basicConstraints = CA:false
    subjectKeyIdentifier = hash
    authorityKeyIdentifier=keyid:always,issuer:always
    
    [ v3_ca ]
    subjectAltName = DNS:10.197.79.122,IP:10.197.79.122
  2. Use OpenSSL to generate the SSL certificate and private key.
    openssl req -newkey rsa -nodes -days 1100 -x509 -config nsx-mgr-01-cert.cnf -keyout nsx-mgr-01.key -out nsx-mgr-01.crt
    
  3. Verify that you see the following output after running the command.
    Generating a 2048 bit RSA private key
    ...............+++
    ................+++
    writing new private key to 'nsx-mgr-01.key'
    
  4. You should now have three files: the request configuration file, and the certificate and private key that OpenSSL generated from it.
  5. Run the following command to verify the certificate and private key.
    openssl x509 -in nsx-mgr-01.crt -text -noout
  6. If you are using a multi-node NSX Management Cluster, repeat the process for each NSX Manager node. Change the IP address and FQDN in the certificate signing request and the output file names accordingly.
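Steps 1 through 6 above are repeated once per NSX Manager node with only the FQDN, IP address and file names changing, which is easy to get wrong by hand. The script below is an added example (not VMware's own tooling) that renders the page's nsx-mgr-01-cert.cnf layout for each node, runs the same openssl commands as steps 2 and 5, and then refuses to accept a certificate whose subjectAltName does not contain both the node's DNS name and IP address. The node inventory is constructed; it assumes an openssl binary of 1.1.1 or later on the PATH (for the -ext option) and that the certificate files are written to the current directory.

```python
import subprocess
from pathlib import Path

# Same sections and extensions as the page's nsx-mgr-01-cert.cnf; only the
# per-node values are filled in.
CNF_TEMPLATE = """[ req ]
default_bits = 2048
default_md = sha256
prompt = no
distinguished_name = req_distinguished_name
x509_extensions = SAN
req_extensions = v3_ca

[ req_distinguished_name ]
countryName = US
stateOrProvinceName = California
localityName = CA
organizationName = NSX
commonName = {ip}

[ SAN ]
basicConstraints = CA:false
subjectKeyIdentifier = hash
authorityKeyIdentifier=keyid:always,issuer:always

[ v3_ca ]
subjectAltName = DNS:{fqdn},IP:{ip}
"""

# Constructed inventory: one entry per NSX Manager node.
NSX_MANAGER_NODES = [
    {"name": "nsx-mgr-01", "fqdn": "nsx-mgr-01.example.local", "ip": "10.197.79.122"},
    {"name": "nsx-mgr-02", "fqdn": "nsx-mgr-02.example.local", "ip": "10.197.79.123"},
]


def render_node_config(fqdn, ip):
    """Return the OpenSSL request configuration for one node."""
    return CNF_TEMPLATE.format(fqdn=fqdn, ip=ip)


def inspect_x509_text(text, fqdn, ip):
    """Parse the output of `openssl x509 -noout -ext subjectAltName -enddate`.

    SAN entries are compared exactly (not as substrings) so a longer name
    cannot masquerade as the expected one."""
    entries = {token.strip() for line in text.splitlines() for token in line.split(",")}
    not_after = None
    for line in text.splitlines():
        if line.startswith("notAfter="):
            not_after = line.split("=", 1)[1].strip()
    san_ok = f"DNS:{fqdn}" in entries and f"IP Address:{ip}" in entries
    return {"san_ok": san_ok, "not_after": not_after}


def generate_node_cert(name, fqdn, ip, workdir=".", days=1100):
    """Steps 1, 2 and 5 of the procedure for a single node, with a SAN check."""
    workdir = Path(workdir)
    cnf, key, crt = (workdir / f"{name}-cert.cnf", workdir / f"{name}.key", workdir / f"{name}.crt")
    cnf.write_text(render_node_config(fqdn, ip))
    subprocess.run(["openssl", "req", "-newkey", "rsa", "-nodes", "-days", str(days), "-x509",
                    "-config", str(cnf), "-keyout", str(key), "-out", str(crt)], check=True)
    key.chmod(0o600)  # the private key is uploaded to NSX later; keep it owner-readable only
    shown = subprocess.run(["openssl", "x509", "-in", str(crt), "-noout", "-ext", "subjectAltName",
                            "-enddate"], check=True, capture_output=True, text=True).stdout
    result = inspect_x509_text(shown, fqdn, ip)
    if not result["san_ok"]:
        raise RuntimeError(f"{crt}: subjectAltName lacks DNS:{fqdn} or IP Address:{ip}")
    return {"crt": str(crt), "key": str(key), **result}


if __name__ == "__main__":
    for node in NSX_MANAGER_NODES:
        print(generate_node_cert(node["name"], node["fqdn"], node["ip"]))
```

The SAN check after generation is the important part: Supervisor addresses each node by the name or address in the SAN, so a certificate that only carries a commonName is not good enough, and failing here is cheaper than failing at import or in wcpsvc.log.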

Import the SSL Certificate and Private Key to the NSX-T Management Console

Import each NSX Manager node certificate and private key to NSX by completing the following steps. If you save the nsx.crt and nsx.key files locally, you can upload them to NSX, or you can copy/paste the contents.
  1. Log on to the NSX Management Console and navigate to the System > Certificates page.
  2. Click Import > Import Certificate.
    Note: Since you generated a self-signed certificate, be sure to select Import Certificate and not Import CA Certificate.
  3. Enter a descriptive Name for the certificate and key pair, such as nsx-mgr-01-cert-and-key.
  4. Browse to and select the certificate file, or copy/paste its contents, including the header and footer.

    For example:

    -----BEGIN CERTIFICATE-----
    MIID+zCCAuOgAwIBAgIUCfXaWxNwXvrEFQbt+Dvvp9C/UkIwDQYJKoZIhvcNAQEL
    BQAwVTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExCzAJBgNVBAcM
    ...
    FGlnyT4vxpa2TxvXNTCuXPV9z0VtVBF2QpUJluGH7W1i2wUnApCCXhItcBkfve0f
    pCi9YoRoUT8fuMBYo7sL
    -----END CERTIFICATE-----
  5. Browse to and select the key, or copy/paste its contents, including the header and footer.

    For example:

    -----BEGIN PRIVATE KEY-----
    MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC5GNlUSYHa1p+E
    XuOGAsIgiFxUnerRYNm2ARMqRb/xKK6R4xgZhBmpmikpE90vQibvouHqnL13owq7
    ...
    OzbnwMCUI2TeY1iJNx3HNKUrdLvrr8CMh7Looe0L4/2j7ygew2x2C5m272SCJYs/
    ly+bOXEYaH4/ORHbvvr0jQ==
    -----END PRIVATE KEY-----
  6. Select No for the Service Certificate option.
  7. Enter a description for the certificate and key pair, such as Cert and Private Key for NSX Manager Node 1.
  8. Click Import.
  9. Repeat the process for each NSX Manager certificate and key pair.

Register the NSX Manager Certificate Using the NSX API

Once you have uploaded the certificates and keys to NSX Manager, register them using the NSX API. See also Importing and Replacing Certificates in the NSX Administration Guide.
  1. In NSX Manager, select System > Certificates.
  2. In the ID column, select the ID of the certificate you want to register and copy the certificate ID from the pop-up window.
  3. Run the following API call to list the certificates. Note the certificate ID and the node ID for each certificate you want to update.
    GET https://NSX-MGR-IP-or-FQDN/api/v1/trust-management/certificates
  4. Run the following API call to validate the certificate.
    GET https://NSX-MGR-IP-or-FQDN/api/v1/trust-management/certificates/<cert-id>?action=validate
    For example:
    https://10.19.92.133/api/v1/trust-management/certificates/070bae44-7548-45ff-a884-578f079eb6d4?action=validate
  5. Run the following API call to replace the certificate of an NSX Manager node:
    POST https://NSX-MGR-IP-or-FQDN/api/v1/trust-management/certificates/<cert-id>?action=apply_certificate&service_type=API&node_id=<node-id>
    For example:
    POST https://10.19.92.133/api/v1/trust-management/certificates/070bae44-7548-45ff-a884-578f079eb6d4?action=apply_certificate&service_type=API&node_id=e61c7537-3090-4149-b2b6-19915c20504f
  6. If you are using a multi-node NSX Management Cluster, repeat the certificate replacement process for each NSX Manager node.
  7. When you are done, delete each expired certificate you replaced. You can do this using the NSX Manager interface or using the NSX API.
    For example:
    DELETE https://NSX-MGR-IP-or-FQDN/api/v1/trust-management/certificates/<cert-id>
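The API steps above have an ordering that matters: validate every new certificate before applying any of them, apply to each node individually (Supervisor does not use the VIP), and delete the old certificates only after every node has been switched, since a certificate that is still in use cannot be removed. The client below is an added example, not VMware's code, that drives exactly the endpoints listed above in that order. It assumes HTTP Basic authentication with an Enterprise Admin account, that the listing response carries the certificates under a results array with a display_name field, and that the validate call answers with {"status": "OK"} on success; the send function is injectable so the plan can be rehearsed against a fake transport, which is what the usage at the bottom does with constructed IDs.

```python
import base64
import json
import ssl
import urllib.request


class NsxCertificateApi:
    """Thin wrapper over the trust-management certificate endpoints used above.
    send(method, url) -> parsed JSON; the default performs a real HTTPS call."""

    def __init__(self, manager, username, password, cafile=None, send=None):
        self.base = f"https://{manager}/api/v1/trust-management/certificates"
        cred = base64.b64encode(f"{username}:{password}".encode()).decode()
        self.headers = {"Authorization": f"Basic {cred}", "Accept": "application/json"}
        self.cafile = cafile  # trust anchor for the manager's API certificate (assumption)
        self.send = send or self._http

    def _http(self, method, url):
        ctx = ssl.create_default_context(cafile=self.cafile)
        req = urllib.request.Request(url, method=method, headers=self.headers)
        with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
            body = resp.read()
        return json.loads(body) if body else {}

    def list_certificates(self):
        return self.send("GET", self.base).get("results", [])

    def validate(self, cert_id):
        return self.send("GET", f"{self.base}/{cert_id}?action=validate")

    def apply_to_node(self, cert_id, node_id):
        url = f"{self.base}/{cert_id}?action=apply_certificate&service_type=API&node_id={node_id}"
        return self.send("POST", url)

    def delete(self, cert_id):
        return self.send("DELETE", f"{self.base}/{cert_id}")


def find_certificate_id(certificates, display_name):
    """Look up the ID of an imported certificate by the name given at import
    (assumption: the listing exposes it as display_name)."""
    for cert in certificates:
        if cert.get("display_name") == display_name:
            return cert["id"]
    raise KeyError(display_name)


def rotate_manager_certificates(api, plan):
    """plan: list of {"node_id", "new_cert_id", "old_cert_id"} dicts, one per node.

    Validates all new certificates first so a bad one stops the run before any
    node changes, then applies per node, then deletes the replaced certificates."""
    for step in plan:
        verdict = api.validate(step["new_cert_id"])
        if verdict.get("status") != "OK":  # assumption: {"status": "OK"} means valid
            raise RuntimeError(f"certificate {step['new_cert_id']} failed validation: {verdict}")
    applied = []
    for step in plan:
        api.apply_to_node(step["new_cert_id"], step["node_id"])
        applied.append(step["node_id"])
    for step in plan:
        if step.get("old_cert_id"):
            api.delete(step["old_cert_id"])
    return applied


if __name__ == "__main__":
    # Rehearsal against a fake transport with constructed IDs; swap in a real
    # NsxCertificateApi(manager, user, password, cafile=...) to run it for real.
    calls = []

    def fake_send(method, url):
        calls.append((method, url))
        if "action=validate" in url:
            return {"status": "OK"}
        if method == "GET":
            return {"results": [{"id": "new-1", "display_name": "nsx-mgr-01-cert-and-key"}]}
        return {}

    api = NsxCertificateApi("10.19.92.133", "admin", "example-password", send=fake_send)
    new_id = find_certificate_id(api.list_certificates(), "nsx-mgr-01-cert-and-key")
    print(rotate_manager_certificates(api, [{"node_id": "node-1", "new_cert_id": new_id, "old_cert_id": "old-1"}]))
    for call in calls:
        print(*call)
```

Running the rehearsal prints the exact request sequence (list, validate, apply, delete) that the live run would issue, which is worth reviewing before pointing the client at a production NSX Manager.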