Replace NSX-T 3 SSL / TLS Certificates – Cluster Certificate

This is the third post out of a small series about replacing NSX-T SSL / TLS Certificates:

  1. Replace NSX-T 3 SSL / TLS Certificates – GUI Method
  2. Replace NSX-T 3 SSL / TLS Certificates – Manual Method
  3. –> Replace NSX-T 3 SSL / TLS Certificates – Cluster Certificate
  4. Replace NSX-T 3 SSL / TLS Certificates – Common errors

In my last two posts I’ve shown how to replace the manager’s certificates. But in a production environment, we should have 3 Managers running in a cluster. Since this cluster is gonna have a virtual IP Address, this IP needs its own Certificate.
Replacing the certificate with a custom one is pretty similar to the manually repalcing a Manager’s certificate.

Create private Key and CSR

Again, we are starting with the certificate config file.

[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[ req_distinguished_name ]
countryName = DE
stateOrProvinceName = Germany
localityName = BER
organizationName = vRaccoon Corp
commonName =
[ req_ext ]
subjectAltName = @alt_names
DNS.1 =

As you can see, most of it is pretty straight forward. The only thing you have to make sure is:
commonName = <virtual cluster IP>
DNS.1 = <virtual cluster IP>

I’m gonna save this as nsxt-cluster.cnf
Next, we can run the command to create the key and the certificate signing request.

openssl req -nodes -newkey rsa:2048 -keyout nsxt-cluster.key -config nsxt-cluster.cnf -out nsxt-cluster.csr

You will now have three files:

  • nsxt-cluster.cnf
  • nsxt-cluster.csr
  • nsxt-cluster.key

Get the signed Certificate

Take the nsxt-cluster.csr file to your Certificate Authority and get it signed. In my case, I’m using my Windows CA.

Import the Certificate into NSX-T Manager

As soon as you got your certificate back, you can import it into your NSX-T Manager. To do so, after logging in, navigate to System (1) –> Certificates (2) –> Certificates (3) –> Import (4) –> Import Certificate (5)

Copy the the required information into the form.

Certificate Contents: Full certificate chain in the following manner:
NSX-T Manager cert
Intermediate CA Cert
Root CA Cert

Private Key: content of the nsxt-cluster.key file
Passphrase: <passphrase> (if you have set one during creation of the key, otherwise, leave it empty)
Service Certificate: No

Activate the Certificate

The certificate should be replicated between the NSX-Managers automatically. Though, it makes sense to double-check on every Manager, if the certificate is really available.
As soon as the availability is confirmed, we can enable it for the NSX-T Cluster.
First, make a note of the certificate ID:
System (1) –> Certificates (2) –> Certificates (3) –> Look for the Cert and click the ID (4) –> Copy it (5)

The activation can only be done through the REST API. I’m going to use curl to do so.
We need to run the following command:

curl –insecure -u : -X POST “https:///api/v1/cluster/api-certificate?action=set_cluster_certificate&certificate_id=”

In my case:

vraccoon@ubu:~$ curl --insecure -u admin:'SuperSecret123' -X POST "https://nsxt-3.vraccoon.lab/api/v1/cluster/api-certificate?action=set_cluster_certificate&certificate_id=22ff9cb7-ea34-4440-b1d4-2d5c9555457a"
  "certificate_id": "22ff9cb7-ea34-4440-b1d4-2d5c9555457a"

You will get a reply with the Certificate ID. Your new certificate should be in place immediately.

That’s it! We’ve successfully replaced Manager and Cluster Certificates!
During this, I’ve faced some issues – check my last post of this series to learn about some problems I had to solve: Replace NSX-T 3 SSL / TLS Certificates – Common errors

Leave a Reply

Your email address will not be published. Required fields are marked *