Ran into a difficulty trying to use the self-signed certificate that comes pre-configured on the manager for NSX-T. In my case, Pivotal Operations Manager refused to accept the self-signed certificate.
So, for NSX-T 2.1, it looks like the procedure is:
- Log on to the NSX Manager and navigate to System|Trust
- Click CSRs tab and then “Generate CSR”, populate the certificate request details and click Save
- Select the new CSR and click Actions|Download CSR PEM to save the exported CSR in PEM format
- Submit the CSR to your CA to get it signed and save the new certificate. Be sure to save the root CA and any subordinate CA certificates too. In this example, certnew.cer is the signed NSX Manager certificate, sub-CA.cer is the subordinate CA certificate and root-CA.cer is the Root CA certificate
- Open the two (or three) .cer files in Notepad or Notepad++ and concatenate them in this order: leaf certificate, (subordinate CA certificate), root CA certificate
- Back in NSX Manager, select the CSR and click Actions|Import Certificate for CSR. In the window, paste in the concatenated certificates from above and click Save
- You’ll now have a new certificate and the CA certificates listed under Certificates. The GUI only shows a portion of the ID by default; click it to display the full ID and copy it to the clipboard
- Launch RESTClient in Firefox.
- Click Authentication|Basic Authentication and enter the NSX Manager credentials for Username and Password, click “Okay”
- For the URL, enter https://<NSX Manager IP or FQDN>/api/v1/node/services/http?action=apply_certificate&certificate_id=<certificate ID copied in previous step>
- Set the method to POST and click SEND button
- Check the Headers to confirm that the status code is 200
- Refresh browser session to NSX Manager GUI to confirm new certificate is in use
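Two steps above are easy to get subtly wrong: the hand-concatenation in Notepad (CRLF line endings, or no newline between one END line and the next BEGIN line) and the apply_certificate URL. The helper below, added here and not NSX-T's own tooling, normalises each .cer file to a single clean PEM block, joins them leaf first, and builds the POST with basic auth; the sample "certificates" are constructed placeholders, not real X.509 DER.

```python
"""Build the leaf -> sub-CA -> root-CA PEM bundle for NSX Manager and the
apply_certificate request. Hypothetical helper; manager name and IDs are
assumptions, not values from a real deployment."""
import base64
import re
import urllib.parse
import urllib.request

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def extract_cert(pem_text: str) -> str:
    """Return the one CERTIFICATE block in pem_text, re-wrapped at 64 columns
    with LF endings and a trailing newline, so blocks can be concatenated
    safely regardless of how the file was saved or pasted."""
    blocks = PEM_BLOCK.findall(pem_text)
    if len(blocks) != 1:
        raise ValueError(f"expected exactly one certificate, found {len(blocks)}")
    body = re.sub(r"\s+", "", blocks[0])
    base64.b64decode(body, validate=True)  # reject pasted junk early
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


def build_chain(leaf_pem: str, *ca_pems: str) -> str:
    """Concatenate leaf first, then the CAs in the order given (sub-CA, root)."""
    return "".join(extract_cert(p) for p in (leaf_pem, *ca_pems))


def apply_certificate_request(manager: str, cert_id: str,
                              user: str, password: str) -> urllib.request.Request:
    """POST /api/v1/node/services/http?action=apply_certificate&certificate_id=<id>
    with HTTP basic auth; returned unsent so it can be inspected or opened."""
    url = ("https://%s/api/v1/node/services/http?action=apply_certificate"
           "&certificate_id=%s" % (manager, urllib.parse.quote(cert_id, safe="")))
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(url, method="POST",
                                  headers={"Authorization": "Basic " + token})


def _fake_pem(label: bytes, crlf: bool = False) -> str:
    """Constructed stand-in for a .cer file (base64 of filler, not real DER);
    crlf=True mimics a Notepad save, and no trailing newline mimics a paste."""
    body = base64.b64encode(label * 5).decode()
    nl = "\r\n" if crlf else "\n"
    return f"-----BEGIN CERTIFICATE-----{nl}{body}{nl}-----END CERTIFICATE-----"


if __name__ == "__main__":
    chain = build_chain(_fake_pem(b"leaf", crlf=True), _fake_pem(b"subca"),
                        _fake_pem(b"root"))
    print(chain)
    # urllib.request.urlopen(apply_certificate_request("nsx-mgr.example", "<id>",
    #                                                  "admin", "<password>"))
```

To send it for real, pass the certificate ID copied from the GUI and open the returned request with urllib.request.urlopen (or an SSL context that trusts the manager's current certificate); a 200 response confirms the switch, as in the RESTClient step.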
I was concerned that replacing the certificate would break the components registered via the certificate thumbprint; this process does not break those things. They remain registered and trust the new certificate