Supervisor uses TLS for communication between Supervisor and NSX. There are various NSX certificates you may need to rotate if you have deployed Supervisor with the NSX networking stack.
NSX Certificates Used by Supervisor
WCP with NSX uses two certificates for integration with NSX:
- NSX Load Balancer certificate and key
- NSX Manager certificate and key
For more information on these certificates, see Certificates for NSX Federation in the NSX Administration Guide.
Note: The information in this topic is based on NSX v3.2.
Rotate the NSX Load Balancer Certificate and Key
You can rotate the NSX Load Balancer TLS certificate and key at the screen.
- Select to generate the certificate.
- Select to update the certificate and key.
Generate a Self-Signed Certificate and Key for Each NSX Manager Node
Supervisor uses the Enterprise Admin account to access the NSX Manager API. If an NSX Manager node certificate expires, the TLS connection fails and Supervisor can no longer access NSX.
If you suspect that an NSX Manager certificate has expired, check the Supervisor log on the vCenter Server appliance:
tail -f /var/log/vmware/wcp/wcpsvc.log
You may see errors similar to the following:
error wcp [kubelifecycle/nsx_pi.go:47] ... Error creating WCP service principal identity. Err: NSX service-wide principal identity creation failed: ... x509: certificate has expired
error wcp [kubelifecycle/controller.go:554] ... Failed to create WCP service PI in NSX. Err: WCP service principal idenitity creation failed: NSX service-wide principal identity creation failed: ... x509: certificate has expired
To resolve the issue, update the certificate and key for each NSX Manager node. If you are using a 3-node NSX Management cluster with a VIP address, be aware that Supervisor does not use the VIP address; it connects to each NSX Manager node directly. You therefore need to rotate the certificate on every NSX Manager node. Replacing only the VIP certificate does not fix the Supervisor connection.
- To rotate the certificate for an NSX Manager node, create an OpenSSL request configuration file named nsx-mgr-01-cert.cnf and populate it with the contents below, where NSX-MGR-IP-ADDRESS is the NSX Manager node's IP address and NSX-MGR-FQDN is the node's FQDN (or its IP address if it has no FQDN).
Note that openssl req -x509 builds the self-signed certificate from the section named by x509_extensions (here SAN) and ignores req_extensions, so the subjectAltName must be in the SAN section for the certificate to carry it; the copy in v3_ca only takes effect if you generate a CSR for your own CA instead. The SAN is what matters: Supervisor (wcpsvc) is a Go client, and Go's TLS stack verifies the server name against the subjectAltName only, never the commonName.
nsx-mgr-01-cert.cnf
[ req ]
default_bits = 2048
default_md = sha256
prompt = no
distinguished_name = req_distinguished_name
x509_extensions = SAN
req_extensions = v3_ca
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = California
localityName = CA
organizationName = NSX
commonName = NSX-MGR-IP-ADDRESS #CAN ONLY USE IF SAN IS ALSO USED
[ SAN ]
basicConstraints = CA:false
subjectKeyIdentifier = hash
authorityKeyIdentifier=keyid:always,issuer:always
subjectAltName = DNS:NSX-MGR-FQDN,IP:NSX-MGR-IP-ADDRESS #MUST USE
[ v3_ca ]
subjectAltName = DNS:NSX-MGR-FQDN,IP:NSX-MGR-IP-ADDRESS #MUST USE
For example, for a node with address 10.197.79.122 and no FQDN (the IP address is used in both SAN entries):
[ req ]
default_bits = 2048
default_md = sha256
prompt = no
distinguished_name = req_distinguished_name
x509_extensions = SAN
req_extensions = v3_ca
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = California
localityName = CA
organizationName = NSX
commonName = 10.197.79.122
[ SAN ]
basicConstraints = CA:false
subjectKeyIdentifier = hash
authorityKeyIdentifier=keyid:always,issuer:always
subjectAltName = DNS:10.197.79.122,IP:10.197.79.122
[ v3_ca ]
subjectAltName = DNS:10.197.79.122,IP:10.197.79.122
- Use OpenSSL to generate the SSL certificate and private key.
openssl req -newkey rsa -nodes -days 1100 -x509 -config nsx-mgr-01-cert.cnf -keyout nsx-mgr-01.key -out nsx-mgr-01.crt
- Verify that you see output similar to the following after running the command (the exact wording depends on your OpenSSL version).
Generating a 2048 bit RSA private key
...............+++
................+++
writing new private key to 'nsx-mgr-01.key'
- You should now have three files: the configuration file (nsx-mgr-01-cert.cnf), and the certificate (nsx-mgr-01.crt) and private key (nsx-mgr-01.key) generated from it. The key is written unencrypted because of -nodes, so restrict its permissions and delete the local copy once it has been imported into NSX.
- Run the following command to inspect the certificate and confirm that the X509v3 Subject Alternative Name contains the node's FQDN and IP address and that the validity period is what you expect.
openssl x509 -in nsx-mgr-01.crt -text -noout
- If you are using a multi-node NSX Management Cluster, repeat the process for each NSX Manager node. Change the IP address and FQDN in the certificate signing request and the output file names accordingly.
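The generation and verification steps above, as an added example script that is not part of the original page or of any VMware tooling. It writes the request configuration for each node, generates the self-signed certificate and key, and then checks the three things that go wrong in practice: that the SAN is actually present, that the key matches the certificate, and how long the certificate remains valid. Node names, addresses, and the node_ext section name are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the NSX documentation): generate a self-signed
# certificate and key for each NSX Manager node and verify the result before
# importing it. Node names and addresses below are constructed for the example.
set -eu

# Write the OpenSSL request configuration for one node. Because
# "openssl req -x509" applies only the section named by x509_extensions, the
# subjectAltName (which TLS clients such as Supervisor match against) lives there.
write_node_cnf() {
    cnf=$1; fqdn=$2; ip=$3
    cat > "$cnf" <<EOF
[ req ]
default_bits = 2048
default_md = sha256
prompt = no
distinguished_name = req_distinguished_name
x509_extensions = node_ext
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = California
localityName = CA
organizationName = NSX
commonName = $fqdn
[ node_ext ]
basicConstraints = CA:false
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
subjectAltName = DNS:$fqdn,IP:$ip
EOF
}

# Generate <prefix>-cert.cnf, <prefix>.key and <prefix>.crt for one node.
gen_node_cert() {
    prefix=$1; fqdn=$2; ip=$3; days=${4:-1100}
    write_node_cnf "$prefix-cert.cnf" "$fqdn" "$ip"
    openssl req -newkey rsa -nodes -days "$days" -x509 \
        -config "$prefix-cert.cnf" -keyout "$prefix.key" -out "$prefix.crt" 2>/dev/null
    chmod 600 "$prefix.key"   # the key is unencrypted (-nodes); keep it private
}

# Print the Subject Alternative Name of a certificate, e.g.
# "DNS:nsx-mgr-01.corp.example, IP Address:10.0.0.11".
cert_san() {
    openssl x509 -in "$1" -noout -text |
        awk '/Subject Alternative Name/ { getline; sub(/^ */, ""); print; exit }'
}

# Succeed only if the private key matches the certificate's public key.
cert_key_match() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$c" = "$k" ]
}

# Succeed only if the certificate is still valid for at least $2 more days.
# Run this periodically against the live managers to catch expiry before
# Supervisor logs "x509: certificate has expired".
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null
}

# Demo over two constructed manager nodes; add a third line for a 3-node cluster.
demo_dir=$(mktemp -d)
for node in "nsx-mgr-01 nsx-mgr-01.corp.example 10.0.0.11" \
            "nsx-mgr-02 nsx-mgr-02.corp.example 10.0.0.12"; do
    set -- $node
    gen_node_cert "$demo_dir/$1" "$2" "$3"
    echo "$1: SAN = $(cert_san "$demo_dir/$1.crt")"
    cert_key_match "$demo_dir/$1.crt" "$demo_dir/$1.key" && echo "$1: key matches certificate"
    cert_valid_for_days "$demo_dir/$1.crt" 30 && echo "$1: valid for at least 30 days"
done
echo "files written to $demo_dir"
```

The cert_valid_for_days check is the one worth scheduling: point it at a copy of each manager's current certificate (openssl s_client -connect NODE:443 -showcerts) and alert well before the 1100 days run out, rather than discovering the expiry from wcpsvc.log.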
Import the SSL Certificate and Private Key to the NSX-T Management Console
Import each NSX Manager node certificate and private key into NSX by completing the following steps. If you saved the certificate and key files (nsx-mgr-01.crt and nsx-mgr-01.key) locally, you can upload them to NSX, or you can copy and paste their contents.
- Log on to the NSX Management Console and navigate to the page.
- Click Import Certificate. Note: Since you generated a self-signed certificate, be sure to select Import Certificate and not Import CA Certificate.
- Enter a descriptive Name for the certificate and key pair, such as nsx-mgr-01-cert-and-key.
- Browse to and select the certificate file, or copy and paste its contents, including the header and footer.
For example:
-----BEGIN CERTIFICATE-----
MIID+zCCAuOgAwIBAgIUCfXaWxNwXvrEFQbt+Dvvp9C/UkIwDQYJKoZIhvcNAQEL
BQAwVTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExCzAJBgNVBAcM
...
FGlnyT4vxpa2TxvXNTCuXPV9z0VtVBF2QpUJluGH7W1i2wUnApCCXhItcBkfve0f
pCi9YoRoUT8fuMBYo7sL
-----END CERTIFICATE-----
- Browse to and select the key file, or copy and paste its contents, including the header and footer.
For example:
-----BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC5GNlUSYHa1p+E
XuOGAsIgiFxUnerRYNm2ARMqRb/xKK6R4xgZhBmpmikpE90vQibvouHqnL13owq7
...
OzbnwMCUI2TeY1iJNx3HNKUrdLvrr8CMh7Looe0L4/2j7ygew2x2C5m272SCJYs/
ly+bOXEYaH4/ORHbvvr0jQ==
-----END PRIVATE KEY-----
- Select No for the Service Certificate option. Yes is for certificates consumed by NSX services such as the load balancer; a certificate for the NSX Manager node API is not a service certificate.
- Enter a description for the certificate and key pair, such as Cert and Private Key for NSX Manager Node 1.
- Click Import.
- Repeat the process for each NSX Manager node's certificate and key pair.
Register the NSX Manager Certificate Using the NSX API
Once you have uploaded the certificates and keys to NSX Manager, register them using the NSX API. See also Importing and Replacing Certificates in the NSX Administration Guide.
- In NSX Manager, select .
- In the ID column, select the ID of the certificate you want to register and copy the certificate ID from the pop-up window.
- Alternatively, run the following API call to list the certificates and note the ID of each certificate you want to apply.
GET https://NSX-MGR-IP-or-FQDN/api/v1/trust-management/certificates
- The apply call below also needs the node ID (the UUID of the NSX Manager node, not the certificate ID). You can read it from the cluster node list:
GET https://NSX-MGR-IP-or-FQDN/api/v1/cluster/nodes
- Run the following API call to validate the certificate.
GET https://NSX-MGR-IP-or-FQDN/api/v1/trust-management/certificates/<cert-id>?action=validate
For example:
GET https://10.19.92.133/api/v1/trust-management/certificates/070bae44-7548-45ff-a884-578f079eb6d4?action=validate
- Run the following API call to replace the certificate of an NSX Manager node. Check the validation result first: applying a certificate that failed validation (for example, one whose SAN does not match the node) leaves the node's API unreachable for clients that verify the name.
POST https://NSX-MGR-IP-or-FQDN/api/v1/trust-management/certificates/<cert-id>?action=apply_certificate&service_type=API&node_id=<node-id>
For example:
POST https://10.19.92.133/api/v1/trust-management/certificates/070bae44-7548-45ff-a884-578f079eb6d4?action=apply_certificate&service_type=API&node_id=e61c7537-3090-4149-b2b6-19915c20504f
- If you are using a multi-node NSX Management Cluster, repeat the certificate replacement process for each NSX Manager node.
- When you are done, delete each expired certificate you replaced. You can do this using the NSX Manager interface or using the NSX API. NSX refuses to delete a certificate that is still applied to a node or service, so a failure here means the replacement has not taken effect on some node.
For example:
DELETE https://NSX-MGR-IP-or-FQDN/api/v1/trust-management/certificates/<cert-id>
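The API sequence above (validate, apply to each node, delete the old certificate), as an added example script that is not part of the original page or of any VMware tooling. It drives the endpoints quoted above with curl and adds a dry-run mode that prints the requests instead of sending them. The host name, credentials, the NSX_* variable names and the certificate and node IDs are constructed placeholders; the IDs in the demo are the page's own example values.

```shell
#!/bin/sh
# Added example (not from the NSX documentation): drive the NSX 3.x
# trust-management API with curl to validate a certificate, apply it to an
# NSX Manager node's API service, and delete the superseded certificate.
# Host, credentials and IDs are constructed placeholders supplied by the caller.
set -eu

NSX_MGR=${NSX_MGR:-nsx-mgr-01.corp.example}  # manager node to send API calls to
NSX_CREDS=${NSX_CREDS:-admin:changeme}       # placeholder; prefer curl -n/.netrc
NSX_CACERT=${NSX_CACERT:-}                   # PEM of the node's current cert, if any
NSX_DRY_RUN=${NSX_DRY_RUN:-0}                # 1 = print requests, send nothing

# One API call. Until the new certificate is applied the node still presents the
# old one. While that is merely self-signed, pin it with --cacert; once it has
# expired curl rejects it regardless, and -k (no verification) is the only way
# to complete these calls, so drop it again as soon as the rotation is done.
nsx_api() {
    method=$1; path=$2
    if [ "$NSX_DRY_RUN" = 1 ]; then
        printf 'DRY-RUN: %s https://%s%s\n' "$method" "$NSX_MGR" "$path" >&2
        printf '{"status":"%s"}\n' "${NSX_DRY_RUN_STATUS:-OK}"   # canned reply
        return 0
    fi
    if [ -n "$NSX_CACERT" ]; then tls="--cacert $NSX_CACERT"; else tls="-k"; fi
    curl -sS --fail $tls -u "$NSX_CREDS" -X "$method" \
        -H 'Accept: application/json' "https://$NSX_MGR$path"
}

# Pull one top-level string field out of a flat JSON reply without jq.
json_field() {
    sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# List the certificates stored in NSX (to find the ID of the imported one).
list_certificates() {
    nsx_api GET /api/v1/trust-management/certificates
}

# Validate certificate $1, then apply it to the API service of manager node $2.
# Node IDs come from GET /api/v1/cluster/nodes (the "id" of each manager node).
rotate_node_api_cert() {
    cert_id=$1; node_id=$2
    status=$(nsx_api GET "/api/v1/trust-management/certificates/$cert_id?action=validate" | json_field status)
    if [ "$status" != "OK" ]; then
        echo "certificate $cert_id failed validation (status=${status:-unknown}); not applying" >&2
        return 1
    fi
    nsx_api POST "/api/v1/trust-management/certificates/$cert_id?action=apply_certificate&service_type=API&node_id=$node_id" >/dev/null
    echo "applied certificate $cert_id to node $node_id"
}

# Remove a superseded certificate. NSX refuses to delete a certificate that is
# still in use, so a failure here means some node or service still references it.
delete_certificate() {
    nsx_api DELETE "/api/v1/trust-management/certificates/$1" >/dev/null
}

# Rotate every node listed in file $1 (one "<new-cert-id> <node-id> <old-cert-id>"
# per line), and only then delete the old certificates, as the procedure says.
rotate_cluster() {
    old_certs=""
    while read -r new_cert node old_cert; do
        [ -n "$new_cert" ] || continue
        rotate_node_api_cert "$new_cert" "$node" </dev/null
        old_certs="$old_certs $old_cert"
    done < "$1"
    for id in $old_certs; do delete_certificate "$id"; done
}

# Stand-alone demo: dry-run the two calls for one node using the page's example
# IDs. Run with NSX_DRY_RUN unset (and real NSX_MGR/NSX_CREDS) to send them.
(
    NSX_DRY_RUN=1
    rotate_node_api_cert 070bae44-7548-45ff-a884-578f079eb6d4 e61c7537-3090-4149-b2b6-19915c20504f
)
```

Because Supervisor talks to each node directly, rotate_cluster expects one line per manager node; pointing all calls at a single NSX_MGR is fine because apply_certificate targets the node named by node_id, but once that node's own certificate is replaced a pinned --cacert for the old certificate stops matching, which is another reason to finish the rotation in one pass.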