If your LocalManager certificate in NSX-T Manager is going to expire soon, you can use the following guide to replace it. The LocalManager certificate is the Principal Identity certificate used to communicate with other sites in Federation.

Take an NSX-T backup beforehand.

Log in to NSX-T Manager

Click System > click Certificates > click the Certificates tab

You will notice your LocalManager certificate and that it is in use

Click the CSRs tab > click generate csr > click generate csr

Put the CN as local-manager

Put the Name as LocalManager

The rest is your own business and location details

Click save

Click your new csr tick box > click generate csr > click self sign certificate for csr

Untick service certificate and click save

Click back to the Certificates tab

You will notice your new certificate and the details you put in earlier

Copy the ID; you will need it

Open Postman

Copy the URL below into Postman, using your NSX-T Manager server details

Change the request method to POST

POST https://<nsx-mgr>/api/v1/trust-management/certificates?action=set_pi_certificate_for_federation

Click the authorization tab

Change to Basic Auth and put in your NSX-T Manager login details

Click the Headers tab > Change KEY to Content-Type > Change VALUE to application/json

Click the body tab > Change to raw > change to JSON > copy the below to the body > Change the id to your new certificate id.

Click Send

{ "cert_id": "<id>",
"service_type": "LOCAL_MANAGER" }

Go back to NSX-T Manager and refresh; you will notice the "where used" has changed to your new certificate

If you are on an earlier version of NSX-T where "where used" is not shown in the NSX-T Manager UI, use the API below to get the used_by value

If the certificate is not used, used_by is blank like below

look for "used_by": []

Get all certificates, whether used or not

GET https://172.168.1.236/api/v1/trust-management/certificates

or get just the one certificate by putting the certificate ID at the end

GET https://172.168.1.236/api/v1/trust-management/certificates/dee8d78b-5e04-4deb-8d36-6b86f79f058b

Delete the old certificate from NSX-T Manager once you have confirmed it is no longer used
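The used_by check before deletion can be scripted. The following is an added example, not part of the original guide or VMware's code: it inspects a certificate listing and only reports the old certificate as safe to delete when the new one is in use and the old one has an empty used_by. The sample response, its ids and names, and the "results", "display_name", "node_id" and "service_types" fields are constructed assumptions; only "id" and "used_by" come from the steps above.

```python
import base64
import json
import urllib.request

# Constructed sample of a GET /api/v1/trust-management/certificates response.
# Only "id" and "used_by" come from the page; other fields, ids and names are assumptions.
SAMPLE = json.loads("""
{"results": [
  {"id": "11111111-aaaa-4bbb-8ccc-000000000001", "display_name": "LocalManager-old", "used_by": []},
  {"id": "11111111-aaaa-4bbb-8ccc-000000000002", "display_name": "LocalManager",
   "used_by": [{"node_id": "node-1", "service_types": ["LOCAL_MANAGER"]}]},
  {"id": "11111111-aaaa-4bbb-8ccc-000000000003", "display_name": "no-usage-field"}
]}
""")

def fetch_certificates(host, user, password):
    """Live equivalent of the GET call above (basic auth, TLS verification left on)."""
    req = urllib.request.Request(f"https://{host}/api/v1/trust-management/certificates")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def usage_state(cert):
    """'unused' only when used_by is present and empty; a missing field is 'unknown'."""
    if "used_by" not in cert:
        return "unknown"
    return "in_use" if cert["used_by"] else "unused"

def check_swap(listing, old_id, new_id):
    """Return (ok_to_delete_old, reason) after the set_pi_certificate_for_federation call."""
    certs = {c["id"]: c for c in listing.get("results", [])}
    for label, cid in (("old", old_id), ("new", new_id)):
        if cid not in certs:
            return False, f"{label} certificate {cid} not in listing"
    if usage_state(certs[new_id]) != "in_use":
        return False, "new certificate is not in use yet"
    state = usage_state(certs[old_id])
    if state != "unused":
        return False, f"old certificate usage is {state}"
    return True, "old certificate unused, new certificate in use"

if __name__ == "__main__":
    print(check_swap(SAMPLE, "11111111-aaaa-4bbb-8ccc-000000000001",
                     "11111111-aaaa-4bbb-8ccc-000000000002"))
```

A certificate whose response has no used_by field at all is reported as "unknown" rather than unused, so it is never flagged for deletion by this check.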

Official VMware documentation for replacing the certificate via NSX-T

https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.2/administration/GUID-50C36862-A29D-48FA-8CE7-697E64E10E37.html

By Kader