Certificates expire every so often. It is best to have them replaced or renewed before the expiration date.

In our NSX-T environment, the LocalManager, mp-cluster and tomcat certificates are about to expire. Among other things, an expired certificate causes the SDDC Manager upgrade precheck to fail on the affected clusters, so the upgrade cannot proceed.

The LocalManager certificate is used to interconnect with the NSX-T Federation Global Manager.
The mp-cluster certificate is used for external communication with the NSX Manager cluster through the cluster VIP (UI/API), while the tomcat certificates are used for external communication with the individual NSX Manager nodes (UI/API).

This blog post discusses how to replace the self-signed certificates listed above. We will use the LocalManager certificate as an example.

The steps involved are:

  • Start a backup
  • Request CSR for each self signed certificate
  • Create Certificate through the UI
  • Activate the certificate using the NSX-T API
  • Renewing NSX-T Manager certificates

Start an NSX-T backup

The backup can be created through the NSX-T GUI (System > Lifecycle Management > Backup & Restore). Take it before touching any certificate, so there is a known-good state to restore if a manager node becomes unreachable after the change.

Request CSR for each self signed certificate

The Certificate Signing Request (CSR) can be created through the NSX-T GUI as well (System > Settings > Certificates).

The subject details for the CSR (common name, subject alternative names and so on) can be taken from your expiring certificate. Open the pull-down box of the existing certificate to view them.

Create self signed certificate through the UI

Once the CSR is created, you can easily create a self-signed certificate from it. Open the sub menu for the CSR and click "Self Sign Certificate for CSR".

Make sure to deselect Service Certificate: a certificate for a manager node, the cluster VIP or the Local Manager is a node certificate, not a service certificate. Click Save. The certificate is created.

Go to System > Settings > Certificates and select the newly created certificate.
Copy the new certificate ID. You will need it later to activate the certificate for its use.

Activate the certificate using the NSX-T API

Activating the certificate is only possible through the NSX-T API (that's right, this is your chance to become an NSX-T API Senior Specialist).

Using Postman, you can easily launch API calls; curl or any other HTTP client works just as well. Postman can be downloaded from postman.com.

The following VMware documentation is used as a guideline: https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.2/administration/GUID-50C36862-A29D-48FA-8CE7-697E64E10E37.html

The first API call validates the certificate: GET https://<nsx-mgr>/api/v1/trust-management/certificates/<cert-id>?action=validate

For the cert-id, use the new certificate ID you just copied.

Authenticate the calls with an NSX administrator account, e.g. with Basic Authentication (username and password).

If the response status is 200 OK and the response body reports "status": "OK", the certificate is valid and can be applied. A body with "status": "ERROR" carries an error_message explaining why; do not apply such a certificate.

To activate the LocalManager certificate, you can run the following API call

LocalManager:

POST https://<nsx-mgr>/api/v1/trust-management/certificates/<cert-id>?action=apply_certificate&service_type=<service-type>
POST https://<nsx-mgr>/api/v1/trust-management/certificates/<cert-id>?action=apply_certificate&service_type=LOCAL_MANAGER

For other services, run the same call with a different service_type.

Several service types are available: MGMT_CLUSTER, MGMT_PLANE, API, NOTIFICATION_COLLECTOR, SYSLOG_SERVER, RSYSLOG_CLIENT, APH, GLOBAL_MANAGER, LOCAL_MANAGER, CLIENT_AUTH, RMQ, K8S_MSG_CLIENT, WEB_PROXY

The mp-cluster and Tomcat certificates

In an identical way, the mp-cluster and tomcat certificates can be replaced/renewed.

Note that the service_type keys for LocalManager, mp-cluster and tomcat translate into LOCAL_MANAGER, MGMT_CLUSTER and API.

  • Mp-cluster certificate:
    • POST /api/v1/trust-management/certificates/<cert-id>?action=apply_certificate&service_type=MGMT_CLUSTER
  • Tomcat certificates (one certificate per manager node, so repeat the call for every node with its own cert-id and node-id):
    • POST /api/v1/trust-management/certificates/<cert-id>?action=apply_certificate&service_type=API&node_id=<node-id>
    • To find the node-id: GET https://<nsx-mgr>/api/v1/cluster/status
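The validate-then-apply sequence above, for the LocalManager call as well as the mp-cluster and tomcat variants, as an added Python example that is not part of the original post or of any VMware tooling. It refuses to apply a certificate that does not validate, and it refuses an API (tomcat) call without a node_id. The host name, certificate ID, credentials and the injectable `transport` function are assumptions for illustration; the default transport uses urllib and verifies the manager's TLS certificate against the optional `cafile`.

```python
"""Validate and apply an NSX-T Manager certificate through the trust-management API.

Example code written for this post; the hostnames and IDs below are placeholders.
"""
import base64
import json
import ssl
import urllib.error
import urllib.request
from typing import Callable, Optional, Tuple

# Friendly names used in this post -> service_type keys expected by the API.
SERVICE_TYPES = {
    "LocalManager": "LOCAL_MANAGER",
    "mp-cluster": "MGMT_CLUSTER",
    "tomcat": "API",
}

# A transport takes (method, url, headers) and returns (http_status, body).
# Injecting it keeps the logic testable without a live NSX Manager.
Transport = Callable[[str, str, dict], Tuple[int, bytes]]


def basic_auth_header(user: str, password: str) -> str:
    """Build the HTTP Basic Authorization value for an NSX admin account."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def validate_url(host: str, cert_id: str) -> str:
    return f"https://{host}/api/v1/trust-management/certificates/{cert_id}?action=validate"


def apply_url(host: str, cert_id: str, service: str, node_id: Optional[str] = None) -> str:
    """Build the apply_certificate URL; 'service' may be a friendly name or a raw service_type."""
    service_type = SERVICE_TYPES.get(service, service)
    url = (f"https://{host}/api/v1/trust-management/certificates/{cert_id}"
           f"?action=apply_certificate&service_type={service_type}")
    if service_type == "API":
        # Tomcat certificates are per node: the API refuses the call without node_id,
        # so fail early instead of sending a request that cannot succeed.
        if not node_id:
            raise ValueError("service_type=API binds the certificate to one manager node; node_id is required")
        url += f"&node_id={node_id}"
    return url


def urllib_transport(cafile: Optional[str] = None) -> Transport:
    """Default transport: urllib with a verifying TLS context (cafile is an assumption)."""
    ctx = ssl.create_default_context(cafile=cafile)

    def send(method: str, url: str, headers: dict) -> Tuple[int, bytes]:
        req = urllib.request.Request(url, method=method, headers=headers)
        try:
            with urllib.request.urlopen(req, context=ctx) as resp:
                return resp.status, resp.read()
        except urllib.error.HTTPError as err:
            return err.code, err.read()

    return send


def certificate_is_valid(status: int, body: bytes) -> bool:
    """validate answers 200 with {"status": "OK"}; anything else means do not apply."""
    if status != 200:
        return False
    try:
        return json.loads(body.decode() or "{}").get("status") == "OK"
    except ValueError:
        return False


def replace_certificate(host: str, cert_id: str, service: str, user: str, password: str,
                        node_id: Optional[str] = None, transport: Optional[Transport] = None) -> int:
    """Validate cert_id, then apply it for the given service. Returns the HTTP status of the apply call."""
    transport = transport or urllib_transport()
    headers = {"Authorization": basic_auth_header(user, password), "Accept": "application/json"}

    status, body = transport("GET", validate_url(host, cert_id), headers)
    if not certificate_is_valid(status, body):
        raise RuntimeError(f"certificate {cert_id} failed validation (HTTP {status}): "
                           f"{body.decode(errors='replace')}")

    status, body = transport("POST", apply_url(host, cert_id, service, node_id), headers)
    if status != 200:
        raise RuntimeError(f"apply_certificate failed (HTTP {status}): {body.decode(errors='replace')}")
    return status


if __name__ == "__main__":
    # Placeholder values; replace with your manager, certificate ID and admin credentials.
    replace_certificate("nsx-mgr.example.local", "<cert-id>", "LocalManager", "admin", "<password>")
```

For the tomcat certificates, call `replace_certificate(..., "tomcat", ..., node_id=...)` once per manager node with that node's own certificate ID; the node IDs come from `GET /api/v1/cluster/status`.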

Renewing NSX-T Manager Certificates

Also, the NSX-T certificates need to be visible in SDDC Manager > Management Domain > Certificates. If this is not the case, you can easily regenerate new NSX-T Manager certificates for the nodes, as well as for the cluster virtual IP (VIP).

VMware created the following easy-to-follow article: KB89921.
From the vCenter Server, log in as root through SSH.

Example commands (one run per manager node FQDN with -m, and one for the VIP FQDN with -v):

  • python nsxtVmcaCert.py -f nsxt01-1.domain.local -m
  • python nsxtVmcaCert.py -f nsxt01-2.domain.local -m
  • python nsxtVmcaCert.py -f nsxt01-3.domain.local -m
  • python nsxtVmcaCert.py -f nsxt01.domain.local -v

The following articles have guided me:

https://topvcf.com/2022/09/25/understanding-the-mp-cluster-and-tomcat-certificates-on-nsx-t-standalone-and-vcf-install/

A next step is to start using VMCA Signed certificates, instead of self-signed certificates : Using VMCA-signed certificates in NSX-T

NSX-T Data Center Administration Guide > Replace Certificates


By DM