Replacing the self-signed Certificate on NSX-T

Ran into a difficulty trying to use the self-signed certificate that comes pre-configured on the manager for NSX-T. In my case, Pivotal Operations Manager refused to accept the self-signed certificate.

So, for NSX-T 2.1, it looks like the procedure is:

    1. Log on to the NSX Manager and navigate to System|Trust
    2. Click the CSRs tab and then “Generate CSR”, populate the certificate request details and click Save
    3. Select the new CSR and click Actions|Download CSR PEM to save the exported CSR in PEM format
    4. Submit the CSR to your CA to get it signed and save the new certificate. Be sure to save the root CA and any subordinate CA certificates too. In this example, certnew.cer is the signed NSX Manager certificate, sub-CA.cer is the subordinate CA certificate and root-CA.cer is the Root CA certificate
    5. Open the two (or three) cer files in notepad or notepad++ and concatenate them in order of leaf cert, (subordinate CA cert), root CA cert
    6. Back in NSX Manager, select the CSR and click Actions|Import Certificate for CSR. In the window, paste in the concatenated certificates from above and click Save
    7. Now you’ll have a new certificate and CA certs listed under Certificates. The GUI only shows a portion of the ID by default; click it to display the full ID and copy it to the clipboard
    8. Launch RESTClient in Firefox.
      • Click Authentication|Basic Authentication and enter the NSX Manager credentials for Username and Password, click “Okay”
      • For the URL, enter https://<NSX Manager IP or FQDN>/api/v1/node/services/http?action=apply_certificate&certificate_id=<certificate ID copied in previous step>
      • Set the method to POST and click the SEND button
      • Check the Headers to confirm that the status code is 200
    9. Refresh the browser session to the NSX Manager GUI to confirm the new certificate is in use

I was concerned that replacing the certificate would break the components registered via the certificate thumbprint; this process does not break those things. They remain registered and trust the new certificate.
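The same procedure from a shell, as an added example that is not part of the original post: it assembles the PEM chain in the order NSX Manager expects (leaf, subordinate CA, root CA), sanity-checks the bundle and verifies the chain with openssl before importing it, drives the same apply_certificate API action that step 8 runs from RESTClient, and reads back the certificate the manager presents afterwards. The file names certnew.cer, sub-CA.cer and root-CA.cer follow the post; NSX_MANAGER, NSX_USER, NSX_PASS and CERT_ID are placeholders you supply for your own environment.

```shell
#!/bin/sh
# Added example, not from the original post: build, check, apply and confirm the
# NSX Manager certificate chain. File names follow the post; NSX_MANAGER, NSX_USER,
# NSX_PASS and CERT_ID are placeholders for your own environment.
set -eu

# build_chain FILE... : print the files in the order given (leaf first, root last),
# adding a newline after any file that lacks one so PEM markers never run together.
build_chain() {
  for f in "$@"; do
    if [ ! -s "$f" ]; then
      echo "missing or empty: $f" >&2
      return 1
    fi
    cat "$f"
    # $(tail -c1) is empty when the file's last byte is already a newline
    if [ -n "$(tail -c1 "$f")" ]; then
      echo
    fi
  done
}

# count_certs FILE : number of CERTIFICATE blocks in a PEM bundle
count_certs() {
  grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# check_chain FILE EXPECTED : the bundle holds exactly EXPECTED blocks, each with a
# matching END marker; a mismatch usually means a file was pasted incompletely.
check_chain() {
  begins=$(grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true)
  ends=$(grep -c '^-----END CERTIFICATE-----' "$1" || true)
  [ "$begins" -eq "$2" ] && [ "$ends" -eq "$2" ]
}

# verify_chain LEAF ROOT [SUBCA] : confirm with openssl that the leaf really chains
# to the root (through the subordinate CA when there is one) before importing it.
verify_chain() {
  leaf=$1; root=$2
  if [ $# -ge 3 ]; then
    openssl verify -CAfile "$root" -untrusted "$3" "$leaf"
  else
    openssl verify -CAfile "$root" "$leaf"
  fi
}

# apply_certificate MANAGER USER PASS CERT_ID : POST the apply_certificate action
# (step 8 of the post) and print the HTTP status code; expect 200.
# -k is used only because the manager still presents its self-signed certificate at
# this point; once the swap is done, validate against root-CA.cer instead.
apply_certificate() {
  curl -sS -k -o /dev/null -w '%{http_code}' -u "$2:$3" -X POST \
    "https://$1/api/v1/node/services/http?action=apply_certificate&certificate_id=$4"
}

# presented_cert MANAGER : print subject and issuer of the certificate the manager
# now serves on 443 (step 9 of the post, without a browser).
presented_cert() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -noout -subject -issuer
}

# End-to-end run, only when the placeholders are set in the environment.
if [ -n "${NSX_MANAGER:-}" ]; then
  build_chain certnew.cer sub-CA.cer root-CA.cer > chain.pem
  check_chain chain.pem 3
  verify_chain certnew.cer root-CA.cer sub-CA.cer
  code=$(apply_certificate "$NSX_MANAGER" "$NSX_USER" "$NSX_PASS" "$CERT_ID")
  [ "$code" = "200" ] || { echo "apply_certificate returned $code" >&2; exit 1; }
  presented_cert "$NSX_MANAGER"
fi
```

The order check matters because the GUI import accepts the pasted text as-is: if the root ends up first, or a file was saved without its final newline so two markers merge into one line, the import fails or the manager serves an incomplete chain. Running verify_chain on the three files before pasting catches a certificate signed by the wrong CA, which otherwise only shows up as an unexplained trust error from the next component that connects.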

2 thoughts on “Replacing the self-signed Certificate on NSX-T”

  1. Very detailed guidance on NSX-T and NSX-V. I’ve learned a lot here.

    Looks like there’s no reference yet on how to set up the NSX-T load balancer for PAS 2.0. So, NSX-T is still not fit for PAS 2.0 in production, right?


    1. Thanks! I’m actively working on NSX-T with PCF 2.0 right now and hope to have a relevant post soon. As far as I know, NSX-T is suitable for production with PCF 2.0, but because of the integration complexities, it’s somewhat more awkward to set up (at least for me so far). Also, there’s no way to migrate from a foundation using NSX-V to NSX-T, and the integration with NSX-T must be set up concurrently with PAS or PKS. There are quite a few limitations and caveats with these early releases.
