top of page
Writer's pictureHammad Alam

Replacing NSX-T Node and VIP Certificate with CA signed cert

This is not the best or most recommended way. This is just how I did it, so sharing.

Create a CA signed cert with 4 Subject Alternate Names (SAN), for ex:

  1. nsxtmgr1.nsxt.local

  2. nsxtmgr2.nsxt.local

  3. nsxtmgr3.nsxt.local

  4. nsxtmgrvip.nsxt.local


NSX Manager does not allow you to create a CSR with SAN. For lab, I use the cert manager in vCenter Server. Please visit the Using vCenter Appliance to create Certificate CSR with (Subject Alternate Names) SANs in LABs for easy way to do it in the lab.

Certificate Information:

openssl x509 -in certificate.crt -text -noout
Common Name: CA
Subject Alternative Names: email:halam@vmware.com, IP Address:10.29.12.149, nsxtmgrvip.nsxt.local, nsxtmgr.nsxt.local, nsxtmgr2.nsxt.local, nsxtmgr3.nsxt.local
Organization: VMware
Organization Unit: VMware Engineering
Locality: Palo Alto
State: California
Country: US
Valid From: March 20, 2019
Valid To: March 19, 2021
Serial Number: 2719d87100000000000c

Note: To import signed certificate with SAN, I would suggest to create the CSR somewhere else that supports SAN certs. NSX-T Manager CSR only allows single name.


Get the cert signed by a CA. Import the signed cert and the signing CA+Intermediary as well. Validate that they are on each node.


Switching the Cert on Nodes to the newly imported Cert

At this point, you will have the certificate listed in the Certificates list but NSX-T Manager is not yet using it. You need to make an API call to change the certificate from current to the new one specifying the certificate ID of the imported Cert

POST https://<nsx-mgr>/api/v1/node/services/http?action=apply_certificate&certificate_id=$CERTIFICATE_ID$

If you get the following error, you need to switch to CURL. I dont know of an alternate using Frefox RestClient that I use


{
    "module_name" : "common-services",
    "error_message" : "A Valid Xsrf Token header must be provided with the Http Request.",
    "error_code" : "400"
}


Method 1:


nsxt@nsxtubuntu:~$  curl -X POST -k -H 'Content-Type: application/json' -H 'Authorization:  Basic YWRtaW46Vk13YXJlMSFoYWxhbQ==' -H "`grep X-XSRF-TOKEN headers.txt`"  -i 'https://nsxtmgr2.nsxt.local/api/v1/node/services/http?action=apply_certificate&certificate_id=8c6ae974-77c9-4e54-9378-01d738368981'
HTTP/1.1 202
Set-Cookie: JSESSIONID=B48C812651B4659874B3AD27501CBDDC; Path=/; Secure; HttpOnly
Vmw-Task-Id: d6b5b58a-b6a3-4928-995b-21cf93cd0135_6ff78ac9-8eb6-4159-8832-cc83947ff909
Date: Mon, 25 Mar 2019 22:26:45 GMT
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Type: text/html;charset=UTF-8
Content-Length: 0
Server: NSX

HINT: To convert your credentials to base64 (with escape characters:

echo -ne "'admin:VMware1\!hammad'" | base64
J2FkbWluOlZNd2FyZTFcIWhhbGFtJw==

Method 2:

nsxt@nsxtubuntu:~$ more nsxtmg3
curl -k -X POST \
    "https://nsxtmgr3.nsxt.local/api/v1/node/services/http?action=apply_certificate&certificate_id=8c6ae974-77c9-4e54-9378-01d738368981" \
    -u "admin:VMware1!halam" \
    -H 'content-type: application/json'
 nsxt@nsxtubuntu:~$ chmod +x nsxtmg3
 nsxt@nsxtubuntu:~$ ./nsxtmg3



Replace VIP Certificate:

I am not sure where you need to point to but for me, I checked in UI which Manager Node was owning the VIP and pointed directly to it*.


nsxt@nsxtubuntu:~/pks-tools$ more vipcert
curl -k -X POST \
    "https://nsxtmgr.nsxt.local/api/v1/cluster/api-certificate?action=set_cluster_certificate&certificate_id=8c6ae974-77c9-4e54-9378-01d738368981" \
    -u "admin:VMware1!halam" \
    -H 'content-type: application/json'
nsxt@nsxtubuntu:~/pks-tools$ ./vipcert
{
  "certificate_id": "8c6ae974-77c9-4e54-9378-01d738368981"




Checking CA Certificate on Manager Appliance


/image/vmware/nsx/file-store/domain_ca_cer



root@nsxtmgr1:/config# more /image/vmware/nsx/file-store/domain_ca_cer
-----BEGIN CERTIFICATE-----
MIIDjjCCAnagAwIBAgIQUA8NKYWxyI9D5reAL65SzDANBgkqhkiG9w0BAQsFADBG
MRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxFDASBgoJkiaJk/IsZAEZFgRuc3h0MRcw
FQYDVQQDEw5IYW1tYWQtbnN4dC1DQTAeFw0xOTA0MDExNTExMjNaFw0yNDAzMzEx
NTIxMjNaMEYxFTATBgoJkiaJk/IsZAEZFgVsb2NhbDEUMBIGCgmSJomT8ixkARkW
BG5zeHQxFzAVBgNVBAMTDkhhbW1hZC1uc3h0LUNBMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEAyS1fIV2i1qUQ0C+D5/lDuEKALLrDPn2BvIkLPCVoMN+5
w/GUynL/kav2rns33AGEG5y5d3cUIlOrG17EXM+iWSwqsPK7ZN2PNR0JMXyxSV8Q
xJlMqyhFzI3LV8QyBuskpJpqCKMfCS5euhxX15zXCl0YfRQzJYuZ95lhRRutDRpZ
NODwuZOKLh+pPpXEn00L3192XjkHhDtvY13uiixjZefsnpQlF2jRDGcDLfo+2+hQ
0QsuC0OSDxFH5b767yKpYObi3N/OnKNgVC/yJDvdRzkYEY5gVGckLeG/mdWmei+A
RX87tECLXxN1iikQlKseYn4H4ksosFaE9hSnbWou8QIDAQABo3gwdjALBgNVHQ8E
BAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU29WhdvIrY+6qaNQH5rNQ
BMwGgp8wEgYJKwYBBAGCNxUBBAUCAwEAATAjBgkrBgEEAYI3FQIEFgQUbfPxhjKT
Q8FkgNoVKc3Nn7fcPJkwDQYJKoZIhvcNAQELBQADggEBAKzsmKaXXOcx+UawTFFC
YsuskIift+Q49xwzGLuRZvRaiShRxfDFXvZAkkuie8XivKsY6DFldfQ6NUo0MJ0m
SZdxR47v0mpFSYcddHuwI1O9pS6/URBvcITbe8f2WhQbPSPBoVYY8xVl1xGSnGd/
0hU8NZWZrWHaTc2zNiC2jEmLFI0ZudqALSaoHzo9MrgkNo+jj9Lwv2B2njfGvJnf
zXB6H3f7f4rZtOWrzi/oPP1UhJtGAM0uifgCH/LGJmv98Vy8rIdgSoGy99w41xU9
quRZJD+Vsfdsb/tXmNQdVPOQVZgykFHFLdtGyQ9W5Nfz9IgdKiI1HqlH9nHn8naI
vTY=
-----END CERTIFICATE-----


==============


*Additional nugget (Thanks to Stephen):

The Cluster VIP is associated with the https service and with the node which is "master". To find the master, on an nsx mgr CLI, run the following command


get cluster status verbose | json
....
{
 "group_id": "8a5da52e-d126-347d-b59e-70c05721a8aa",
 "group_status": "STABLE",
"group_type": "HTTPS",
"leaders": [
 {
"leader_uuid": "d29d0b42-f2db-7fac-0bee-ab041df1f54b",
 "lease_version": 22600,
"service_name": "api"
 }
 ],
 "members": [
 {
 "member_fqdn": "sauers-nsxmanager-ob-12456646-1-TL3L2L33",
 "member_ip": "10.160.138.88",
 "member_status": "UP",
 "member_uuid": "dc250b42-d04c-4f7c-f39c-f8ba9a3db5fd"
 },
 {
 "member_fqdn": "sauers-nsxmanager-ob-12456646-3-TL3L2L33",
 "member_ip": "10.160.136.129",
 "member_status": "UP",
 "member_uuid": "d29d0b42-f2db-7fac-0bee-ab041df1f54b"
 },
 {
 "member_fqdn": "sauers-nsxmanager-ob-12456646-2-TL3L2L33",
 "member_ip": "10.160.156.58",
 "member_status": "UP",
 "member_uuid": "535b0b42-6e6c-161d-5e59-7f2caa154df7"
 }
 ]
 }


0 views0 comments

Recent Posts

See All

Comments


bottom of page