VCF on VxRail: Replace NSX-T Local-Manager Self-Signed Certificate

Background:
We have different types of NSX-T certificates.

Certificate Name	Purpose	Replaceable	Default Validity
Tomcat	This is an API certificate used for external communication with individual NSX Manager nodes through UI or API.	Yes	825 days
mp-cluster	This is an API certificate used for external communication with the NSX Manager cluster using the cluster VIP, through UI or API.	Yes	825 days
LocalManager	This is a platform Principal Identity certificate for Federation. If you are not using Federation, this certificate is not used.	Yes	825 days

For VCF solutions:
The Tomcat and mp-cluster are replaced with CA certificates signed by VMCA from vCenter. The mp-cluster and Tomcat certificates may still be there but are not being used.

NSX-T Manager with VCF:

• Tomcat - Node1 > not being used
• mp-cluster - VIP > not being used

Replaced during bring up with below:

• CA -Node1
• CA - VIP

If you want to see if the certificate is being used, use the following API on Postman platform:

GET https://<nsx-mgr>/api/v1/trust-management/certificates/<certificate-id>

Local-manager certificate is the Principal Identity certificate used to communicate with other sites in Federation.

An NSX-T Federation environment contains an active and a standby Global Manager cluster and one or more Local Manager clusters.
 
To check the environment and find out how many Local Manager Clusters there are, follow the below steps and screenshot:

System > Configuration > Location Manager

• At the top of Local Manager, it shows you which cluster you are logged in on. In this example, we are logged in to a Local Manager Cluster.
• In the middle of the page, it shows the Global Manager Clusters, and which cluster is Active, and which is Standby.
• Other Local Manager Clusters are seen at the bottom under Remote Sites.

Replacing local-manager self-signed certificates procedure:

1. Log in to NSX Manager in the Local Manager Cluster.
2. Collect NSX-T backup before proceeding. This step is very important.
   1. System > Lifecycle Management > Backup & Restore > Start Backup

3. Check the certificates and expiry date.
   1. Click System > Settings > Certificates

There is one certificate per Local Manager cluster regardless of the number of NSX Managers there are within the cluster.

1. Step 1: Log in to any NSX Manager on Local Manager cluster 1.
2. Step 2: Generate new CSR.
   1. Click System > Settings > Certificates > CSRs > Generate CSR

2. Enter the Common Name as local-manager.
3. Enter the Name as LocalManager.
4. The rest is user business and location details (This can be copied from old expiring certificate.)
5. Click Save.

3. Step 3: Create a Self-Signed Certificate using the Generated CSR.
   1. Click the new CSR check box > Generate CSR > Self-Sign Certificate for CSR.

2. Ensure that Service Certificate is set to "No" and click Save.
3. Return to Certificates tab, locate the new Certificate and copy Certificate ID.

4. Step 4: Replace the Principal Identity certificate for the Local Manager.
   1. User to install Postman platform.
   2. In the Authorization tab, select Type > Basic Auth.
   3. Enter NSX-T Manager login details.

4. In the Headers tab, change "application/xml"  to  "application/json."

5. In the Body tab, select POST API command.
   1. Select raw and then select JSON.
   2. In the box beside POST, enter URL https://<nsx-mgr-IP-local-manager-clusterX>/api/v1/trust-management/certificates?action=set_pi_certificate_for_federation
   3. In the above, the URL is the IP used is for any NSX manager within a specific Local Manager Cluster.
   4. In the body section, enter the below in two lines as seen in the screenshot:

{ "cert_id": "<certificate id, copied from step 3>",
"service_type": "LOCAL_MANAGER" }

6. Click Send and ensure you see the result 200 OK.

 

5. Step 5: Repeat Steps 1 > 4 on each Local Manager Cluster 2 and 3.

1. Check that certificate is no longer in use.
   1. Copy Certificate ID
   2. Open Postman
   3. Select GET API instead of POST.
   4. Enter URL https://<nsx-mgr-IP-local-manager-clusterX>/api/v1/trust-management/certificates/<certificate-id>
   5. Look for "used_by" and confirm it has empty brackets.

    "used_by" : [ ],
    "resource_type" : "certificate_self_signed",
    "id" : "9cd133ca-32fc-48a2-898b-7acd928512a5",
    "display_name" : "local-manager",
    "description" : "",
    "tags" : [ ],
    "_create_user" : "admin",
    "_create_time" : 1677468138846,
    "_last_modified_user" : "admin",
    "_last_modified_time" : 1677468138846,
    "_system_owned" : false,
    "_protection" : "NOT_PROTECTED",
    "_revision" : 0
  }

2. Go to System > Settings > Certificates > select the required certificate.

3. Click Delete > Delete.

4. To confirm Principal Identity is working and using the new certificates:
   1. Open Postman
   2. Select GET.
   3. Run URL https://<nsx-mgr-IP-local-manager-clusterX>/api/v1/trust-management/principal-identitie.
   4. Output should be similar to the below, "certificate_id" should show the newly created certificate ID.

To replace Global Manager Certificate, follow the same process but change "LOCAL_MANAGER" to "GLOBAL_MANAGER" and perform the procedure from the Global Manager Cluster.

See VMware documents for more information:

• Types of Certificates 
• Configuring the Global Manager and Local Managers
• Replace Certificates on Version 3.2 
• Replace Certificates on Version 3.1
• Create a Certificate Signing Request File