
How to Create and Replace the NSX Manager Web, API, and APH-AR Certificates using PowerShell

I recently re-set up NSX in my home lab, this time with NSX 4.0.1.1. After completing the appliance stand-up, we need to create and install a certificate for the NSX Manager web interface. This is based on my VMware Explore 2020 presentation.


Prereqs

Install Notepad++ or another code editor to view the PS1 and log files. You will also need an API utility; I will be using Postman.


Step 1

Go to my GitHub and download the PowerShell scripts that generate the NSX web certificates: https://github.com/butch7903/VMwareCertificates


Step 2

Create a folder called certs at the root of C: (C:\certs), place the zip bundle there, and extract it. You will need the Root and Intermediate PS1 along with all the NSX-T PS1 files.

Step 3

Edit the Generate Root and Intermediate PS1 file. You will need to update the values of the Rootmatch and Intermediatematch variables. Save and close the script, then run it. This will generate the root and intermediate certificates in the correct format for NSX.


Step 4

Edit the NSX-T Manager VIP Certificate PS1 File. You will need to update all of the variables with the correct information, save it, and then run the PS1 script. It is recommended that you have the DNS entry created for the VIP prior to installation.


Step 5

Copy the Generate VMware NSX-T Node Certificate Files 1.2 PS1 file three times, once per NSX Manager. Name each copy after its NSX Manager, edit each file's variables, save it, and then run the PS1 script for each NSX Manager.


Step 6

Login to NSX Manager > System > Certificates > Click on Import Certificate


Step 7

Input the name of the NSX Manager VIP (start with this cert first), turn off Service Certificate, click Browse for Certificate and select the nsx-mgr-sslCertificateChain.pem file, click Browse for Private Key and select nsx-mgr.key, then click Save.


Step 8

Repeat Steps 6-7 for all NSX Manager Node Certificates.


Step 9

Click on Trusted CA Bundles > Import CA Bundle


Step 10

Type the name of your CAs in Name, browse for the certificate (this is the combined CA PEM file, CombinedCA_HAMCA01-CA-PEM.pem), and click Save.


Use Postman to Change your Certificates

This is based on the certificate replacement documentation from VMware found below.


Step 1

Open Postman, click on Collections > New NSX-T

Step 2

Click on New


Step 3

Click on Authorization, select Type Basic Authentication, and type in the Username and Password


Step 4

Select Post


Step 5

Login to NSX Manager > System > Certificates. Document the IDs of all the certificates you imported earlier.


Step 6

Copy the API call below and modify it for your use. This API call is used with the NSX VIP certificate and IP. You will need to replace the <nsx-mgr> and <VIP-Cert-ID> placeholders with the right values.

https://<nsx-mgr>/api/v1/trust-management/certificates/<VIP-Cert-ID>?action=apply_certificate&service_type=MGMT_CLUSTER

Step 7

Click on Send. If Status 200 OK is returned, it was successful!

Step 8

Test the new certificate by browsing to the VIP. If the browser shows it as secure, you did your job correctly! (You may want to test in incognito mode so a cached session does not mask the result.)

Step 9

Clone the Post NSX VIP entry and call it NSX Get Nodes.

The API call will look like the one below. Please update it with your NSX Manager name.

https://<nsx-mgr>/api/v1/cluster/nodes


Step 10

Document the Node IDs and IPs for each node and correlate them with each node's certificate ID.

Note that you can also get the Node IDs from the Certificates area under Where Used.


Step 11

Repeat steps 2-5 using the API call below to replace the certificates for the NSX Manager nodes.

POST https://<nsx-mgr>/api/v1/trust-management/certificates/<Node-Cert-ID>?action=apply_certificate&service_type=API&node_id=<Node-ID>


Step 12

Validate in NSX that the certificates have been replaced.


Step 13

Repeat steps 2-5 for all nodes using the API call below to replace the APH certificate for the NSX Manager nodes.

POST https://<nsx-mgr>/api/v1/trust-management/certificates/<Node-Cert-ID>?action=apply_certificate&service_type=APH&node_id=<Node-ID>


Step 14

After validating the certificates in the NSX Manager Certificates interface (note that you may have to refresh this screen manually), you can clean up the unused self-signed certificates. Delete the certificates that are no longer used.
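As an added example (not from the post or the GitHub repo), this PowerShell 7 script performs the same apply_certificate calls from Steps 6 to 13 with Invoke-RestMethod instead of Postman, and then replaces the browser check in Step 8 by reading the thumbprint the VIP actually serves on 443 and comparing it with the PEM you imported. The manager FQDN, certificate IDs, node IDs and the local PEM path are placeholders you fill in from the earlier steps.

```powershell
#Requires -Version 7.0
# Assumptions: PowerShell 7 (for -Authentication Basic, -SkipCertificateCheck and
# -StatusCodeVariable), the NSX 4.x REST API, and a hashtable of node_id -> cert_id
# that you fill in from Step 10. All values below are placeholders.
param(
    [string]$NsxManager = 'nsx-mgr.example.local',                  # VIP FQDN
    [pscredential]$Credential = (Get-Credential -Message 'NSX admin'),
    [string]$VipCertId = '<VIP-Cert-ID>',                            # System > Certificates
    [hashtable]$NodeCerts = @{ '<Node-ID>' = '<Node-Cert-ID>' },     # node_id -> cert_id
    [string]$VipPem = 'C:\certs\nsx-mgr-sslCertificateChain.pem'     # first cert = leaf
)

function Invoke-NsxApplyCertificate {
    param([string]$CertId, [string]$ServiceType, [string]$NodeId)
    # Same URL shape as the Postman steps: MGMT_CLUSTER for the VIP, API/APH per node.
    $uri = "https://$NsxManager/api/v1/trust-management/certificates/$CertId" +
           "?action=apply_certificate&service_type=$ServiceType"
    if ($NodeId) { $uri += "&node_id=$NodeId" }
    # -SkipCertificateCheck is only needed while the self-signed cert is still served.
    # Invoke-RestMethod throws on non-2xx, so reaching the status check means 200 OK.
    Invoke-RestMethod -Method Post -Uri $uri -Credential $Credential -Authentication Basic `
        -SkipCertificateCheck -StatusCodeVariable status | Out-Null
    if ($status -ne 200) { throw "apply_certificate $ServiceType on $CertId returned $status" }
    Write-Host "Applied $CertId as $ServiceType$(if ($NodeId) { " on node $NodeId" })"
}

function Get-ServedThumbprint {
    param([string]$HostName, [int]$Port = 443)
    # Open a raw TLS session and read the leaf certificate the manager presents,
    # without trusting it (the callback accepts anything; we only want the thumbprint).
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate).Thumbprint
    } finally { $tcp.Dispose() }
}

# Steps 6-7: cluster VIP first; Steps 11 and 13: API and APH certificate on every node.
Invoke-NsxApplyCertificate -CertId $VipCertId -ServiceType 'MGMT_CLUSTER'
foreach ($node in $NodeCerts.GetEnumerator()) {
    Invoke-NsxApplyCertificate -CertId $node.Value -ServiceType 'API' -NodeId $node.Key
    Invoke-NsxApplyCertificate -CertId $node.Value -ServiceType 'APH' -NodeId $node.Key
}

# Step 8 done programmatically: the served thumbprint must match the PEM you imported.
$expected = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($VipPem).Thumbprint
$served = Get-ServedThumbprint -HostName $NsxManager
if ($served -eq $expected) { Write-Host "VIP now serves the new certificate ($served)" }
else { Write-Warning "VIP serves $served, expected $expected; the service restart may not have finished yet" }
```

If the final check warns, wait a minute for the NSX services to restart and run Get-ServedThumbprint again before deleting the old self-signed certificates.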
