Replace Certificates Through NSX Manager
You can now replace self-signed or CA-signed appliance certificates from the NSX Manager. You can only replace certificates that have a private key and are valid. You cannot replace a certificate that belongs to a service-certificate category. You can replace the self-signed certificates for the following service types:
- MGMT_CLUSTER (aka VIP)
- CBM_CLUSTER_MANAGER
- K8S_MSG_CLIENT
- CBM_CORFU
- CCP
- APH_TN
- LOCAL_MANAGER
- GLOBAL_MANAGER
- APH (aka APH_AR)
- API
- WEB_PROXY
Note that starting from NSX 4.2, some certificates have been consolidated. When you replace such a certificate, ensure that the replacement certificate either has a wildcard SAN entry that matches all the nodes in the cluster and the VIP, or has SAN entries that match the VIP and each of the individual node addresses. Going forward, use 'Apply Certificate' when you want to assign individual certificates to services that have been consolidated previously so that they become individual certificates again, or to consolidate certificates that have been previously separated. After the de-consolidation of a certificate, use 'Replace Certificate' to renew it or replace it when it has expired.
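A pre-flight check for the SAN requirement above, as an added example that is not from the NSX documentation or product: it parses the text printed by `openssl x509 -noout -ext subjectAltName` and lists the VIP and node addresses that no SAN entry covers. The host names, addresses and function names are constructed for illustration, and the wildcard rule (a `*` stands for exactly one left-most label and never matches an IP address) is an assumption about how clients validate names, not something the page states about NSX.

```python
import ipaddress

def parse_san_text(text):
    """Parse the SAN text printed by `openssl x509 -noout -ext subjectAltName`."""
    dns, ips = [], []
    for item in text.replace("\n", ",").split(","):
        item = item.strip()
        if item.startswith("DNS:"):
            dns.append(item[4:].strip().lower().rstrip("."))
        elif item.startswith("IP Address:"):
            ips.append(ipaddress.ip_address(item[len("IP Address:"):].strip()))
    return dns, ips

def _dns_matches(pattern, host):
    """Exact match, or '*' standing for exactly one left-most label."""
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Conservative choice: ignore wildcards directly under a top-level label.
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def uncovered_addresses(san_text, required):
    """Return the required addresses (VIP, node FQDNs/IPs) that no SAN entry covers."""
    dns, ips = parse_san_text(san_text)
    missing = []
    for addr in required:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            host = addr.lower().rstrip(".")
            if not any(_dns_matches(p, host) for p in dns):
                missing.append(addr)
        else:
            # Wildcards never match IP addresses; an IP needs its own SAN entry.
            if ip not in ips:
                missing.append(addr)
    return missing

# Constructed sample data (hypothetical cluster, not from the NSX documentation).
CLUSTER = ["nsx-vip.corp.example", "nsx-mgr-01.corp.example",
           "nsx-mgr-02.corp.example", "nsx-mgr-03.corp.example"]
WILDCARD_SAN = "X509v3 Subject Alternative Name: \n    DNS:*.corp.example"
PARTIAL_SAN = ("DNS:nsx-vip.corp.example, DNS:nsx-mgr-01.corp.example, "
               "IP Address:192.0.2.10")

if __name__ == "__main__":
    print(uncovered_addresses(WILDCARD_SAN, CLUSTER))
    print(uncovered_addresses(PARTIAL_SAN, CLUSTER + ["192.0.2.11"]))
```

An empty result means every listed address is covered; anything returned should be added to the certificate request before the consolidated certificate is replaced.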
- With admin privileges, log in to NSX Manager.
- Navigate to . You see a list of all the certificates, including total certificates, certificates that are about to expire, and the certificates that are currently in use. All the certificates are arranged in different groups. You can also filter the certificates as per your requirements.
- To replace multiple certificates, perform the following steps:
  - Select the certificates you want to replace, and click .
  - In the Replace Certificates dialog box, for each certificate select the required option:
    - Auto-generate Self Signed Certificate: Replaces the old certificate with an auto-generated self-signed certificate. This is the default option.
    - Import Certificates: Imports signed certificates to replace the old certificate. You need to select this option from the drop-down menu.
    - Generate Self Signed Certificate: Provides an option to create a self-signed certificate to replace the old certificate. You need to select this option from the drop-down menu.
  - Click Save.
- To replace PI certificates, perform the following steps:
  - Select the PI certificate that you want to replace.
  - From the more option, click Replace Certificate.
  - In the Replace Certificate dialog box, select the PI certificate from the drop-down menu.
  - Click Save.