Deep Dive in to Virtualization & Cloud

How to Replace CA Signed Certificate In NSX-T Manager

After the initial deployment of NSX-T manger it by default comes with self-signed certificates. It is highly recommended to replace these certificates with your internal certificate authority. You can either use individual certificates for nodes and cluster VIP or can have a single certificate with all FQDN as Subject Alternative Names (SAN)

Create CSR and Sign with CA

Create certificate signing requests for the Fully Qualified Domain Names of you NSX Manager Nodes and Cluster and sign with you Organization Internal Certificate Authority. In my Lab environment I am having single NSX Manager node and Cluster VIP.

Note: – The server certificate must contain the Basic Constraints extension

basicConstraints = cA:FALSE

Import Certificates and Verify

Once the signed certificates are downloaded from CA import that in NSX Manager.

Click on System – Certificates

Click on Import – CA certificates to import you Certificate Authority root certificate.

Make sure that when this certificate was imported, the option Service Certificate was set to No.

Note: – The certificate chain must be in the industry standard order of ‘certificate – intermediate – root, else certificate verification and replacement will fail.

Click on Import – Certificates to import your individual NSX Manager nodes and Cluster VIP certificates.

Once you import all your certificates you can see the list of certificates imported in NSX Manager with respective certificate ID.

To Verify that the certificate is valid by making the following API call, using Postman for API call.

Note: – API calls may vary depends on the NSX-T versions, I am running my NSX-T version 3.1.1. please make sure to refer the Vmware NSX-T respective version document for more details.

GET https://<nsx-mgr>/api/v1/trust-management/certificates/<cert-id>?action=validate

Replace Certificates

To replace the certificate of a manager node, use the API call:

POST https://<nsx-mgr>/api/v1/node/services/http?action=apply_certificate&certificate_id=e61c7537-3090-4149-b2b6-19915c20504f

To replace the certificate of the manager cluster VIP, use the

POST https://<nsx-mgr>/api/v1/cluster/api-certificate?action=set_cluster_certificate&certificate_id=d60c6a07-6e59-4873-8edb-339bf75711ac

Once certificates are replaced you can browse the NSX-T manager Web UI without any SSL error.


If you have any comments, please drop me a line.
I hope this article was informative, and don’t forget to buy me a coffee if you found this worth reading.

One response to “How to Replace CA Signed Certificate In NSX-T Manager”

  1. Hi Vysakh
    Is this procedure apply to NSXT version 4.x as well ?

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.