Renew NSX Internal Self-Signed Certificates
When you install NSX Manager, it generates an internal self-signed certificate and configures it for services such as the manager web console. These certificates have a fixed lifetime and will eventually expire, so they need to be renewed; in this post we renew the self-signed certificates themselves. Self-signed certificates are not as robust as those issued by a Certificate Authority (CA), but they are often used on internal networks because they are easy to set up and manage, so keeping them up to date matters. I will write another blog post showing how to generate a certificate signing request, sign it in your PKI, and import and apply the result to the services. Here I walk through renewing the NSX self-signed certificate. The process is relatively straightforward, but each step should be followed carefully to avoid disrupting your network services.
I also have a YouTube video where I demonstrate renewing the certificate using the Python script provided by VMware by Broadcom.
Prerequisites
Before you begin, ensure that you have:
- Administrative access to the NSX Manager.
- Backup of the current NSX configuration.
- Knowledge of the potential impact on your environment, as renewing certificates might cause brief service interruptions.
Steps to Renew the NSX Self-Signed Certificate
Log in to the NSX Manager
- Open a web browser and navigate to the NSX Manager’s web interface.
- Log in with your administrative credentials.
Navigate to the Certificate Management Section
- Once logged in, go to System in the main navigation menu.
- Click on Certificates under the Settings section.
Generate a New Self-Signed Certificate
- In the Certificates window, click on Generate Certificate.
- Select Self-Signed Certificate from the options.
- Fill in the required information:
  - Common Name (CN): Typically, the FQDN of the NSX Manager.
  - Organization (O): Your organization’s name.
  - Organizational Unit (OU): The department managing the NSX.
  - Country (C): The country code (e.g., AT).
  - State (ST): The state or province.
  - Locality (L): The city.
- Set the Valid From date and Expiration date for the certificate. Make sure the expiration date is far enough in the future to avoid frequent renewals.

Apply the New Certificate
- After generating the certificate, it will appear in the list of certificates.
- Copy the certificate ID.
- Use the following curl commands (run as root) to first validate the certificate and then apply it:
curl -k -u admin "https://<nsx-mgr>/api/v1/trust-management/certificates/<certificate-id>?action=validate"
curl -k -u admin -X POST "https://<nsx-mgr>/api/v1/node/services/http?action=apply_certificate&certificate_id=<certificate-id>"
Alternatively, make the same API call directly from an API client, which is just as easy:
POST https://<nsx-mgr>/api/v1/node/services/http?action=apply_certificate&certificate_id=<certificate-id>
Verify the Certificate Installation
- To ensure that the new certificate is applied correctly, log out of the NSX Manager and log back in.
- Use your browser’s certificate inspection tools to check the details of the certificate applied to the NSX Manager’s web interface. This can usually be done by clicking the padlock icon in the browser’s address bar.
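As an added example that is not part of the original post or of any VMware tooling, the script below wraps the validate and apply calls from the curl step and then performs the verification step from the command line instead of the browser: it fetches the certificate the manager is actually serving on port 443, compares its SHA-256 fingerprint with the PEM you exported from the NSX UI, and checks that it is valid for at least a minimum number of days. The hostname, the exported PEM file name and the `admin` user are placeholders you supply; the `nsx_*` functions need network access to the manager, while the `cert_*` helpers work on any PEM file.

```shell
#!/bin/sh
# Added example (not from the original post): post-renewal checks for an
# NSX Manager web certificate, using only curl and openssl.
# Placeholders: the manager hostname, the exported PEM file and the admin user.
set -e

# Validate, then apply, a certificate through the NSX API (the post's curl
# commands). -f makes curl fail on HTTP errors; the URLs are quoted because
# '?' and '&' are special to the shell; -k is needed because the manager is
# still presenting a self-signed certificate at this point.
nsx_validate_cert() {
    curl -k -f -s -S -u admin \
        "https://$1/api/v1/trust-management/certificates/$2?action=validate"
}
nsx_apply_cert() {
    curl -k -f -s -S -u admin -X POST \
        "https://$1/api/v1/node/services/http?action=apply_certificate&certificate_id=$2"
}

# Fetch the certificate currently served on 443, as PEM. A self-signed leaf
# cannot be chain-verified, so only the leaf is extracted for comparison.
fetch_served_cert() {
    printf '' | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null \
        | openssl x509 -outform PEM
}

# SHA-256 fingerprint of a PEM certificate in openssl's colon-separated form.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Exit 0 if the certificate is still valid for at least N days, 1 otherwise.
# openssl -checkend takes seconds, hence the multiplication by 86400.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Compare the served certificate with the expected (exported) one.
verify_renewal() {
    host="$1"; expected="$2"; min_days="$3"
    served=$(mktemp)
    fetch_served_cert "$host" > "$served"
    if [ "$(cert_fingerprint "$served")" != "$(cert_fingerprint "$expected")" ]; then
        echo "FAIL: $host is still serving a different certificate" >&2
        rm -f "$served"; return 1
    fi
    if ! cert_valid_for_days "$served" "$min_days"; then
        echo "FAIL: certificate on $host expires within $min_days days" >&2
        rm -f "$served"; return 1
    fi
    rm -f "$served"
    echo "OK: $host serves the expected certificate, valid for at least $min_days days"
}

# Usage: ./check_nsx_cert.sh nsx-mgr.example.internal new-cert.pem 30
if [ "$#" -eq 3 ]; then verify_renewal "$@"; fi
```

Run `nsx_validate_cert <host> <certificate-id>` and `nsx_apply_cert <host> <certificate-id>` first, then `verify_renewal` with the PEM you exported from the Certificates page; a fingerprint mismatch means the HTTP service is still serving the old certificate and the apply call should be repeated or its response inspected.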
Conclusion
Renewing the NSX self-signed certificate is a straightforward process but requires careful attention to detail. By following the steps outlined above, you can ensure that your NSX environment remains secure and operational. Regularly updating and managing your certificates is a good practice to avoid unexpected service disruptions and maintain trust within your network.
Remember, while self-signed certificates are convenient, consider using CA-signed certificates for enhanced security, especially in production environments.
