Lab: Replacing the self-signed SSL certificates with CA-signed certificates

From Iwan
Jump to: navigation, search

Before this can be done please complete Use Postman to perform API requests on NSX

Before this can be done please complete Signing the NSX CSR with a Microsoft (root) CA Server.

In this lab I am working with the following software and versions:

Software Version Filename
VMware NSX 4.0.0.1 nsx-unified-appliance-4.0.0.1.0.20159694.ova
Postman v9.29.0 Postman-win64-Setup.exe

By default when you deploy the NSX Manager Nodes the Nodes will have self-signed certificates. In an enterprise environment they typically have their own public key infrastructure (PKI).

  1. Replace all the self-signed SSL certificates with one CA-signed (wildcard) certificate.
  1. Do this for all NSX Manager Nodes and the NSX Manager VIP address.

Untitled.png

The Steps

  • STEP 1: Import the root CA certificate
  • STEP 2: Import the CA-signed certificate
  • STEP 3: Activate/Assign/Replace the CA-signed certificate


Link to API guide for NSX-T

STEP 1: Import the root CA certificate

When I prepared the Microsoft CA I exported the root certificate here Configuring a Microsoft Server to be a Root Certificate Authority (CA) in Step 2.

I need to import this root certificate into the NSX Manager Nodes.

Go to System → Settings → Certificates → Import → CA Certificate.

Untitled%201.png

Open the root certificate file in a notepad and copy the content over in the “Certificate Contents” field.

Untitled%202.png

Verify if the root certificate is imported correctly.

Untitled%203.png

STEP 2: Import the CA-signed certificate

Create a full chain with the CA-signed NSX certificate content first and then at the end the CA root certificate

—–BEGIN CERTIFICATE—–
NSX-T FQDN Node Certificate
—–END CERTIFICATE—–
—–BEGIN CERTIFICATE—–
CA Root Certificate
—–END CERTIFICATE—–
My root certificate:
-----BEGIN CERTIFICATE-----
MIIDZzCCAk+gAwIBAgIQd/ljrMxM2KdEfl18Se05DjANBgkqhkiG9w0BAQsFADBG
MRMwEQYKCZImiZPyLGQBGRYDbGFiMRQwEgYKCZImiZPyLGQBGRYEc2RkYzEZMBcG
A1UEAxMQc2RkYy1TVEVQLVdJTi1DQTAeFw0yMjA4MjYxNTIzNTVaFw0yNzA4MjYx
NTMzNTRaMEYxEzARBgoJkiaJk/IsZAEZFgNsYWIxFDASBgoJkiaJk/IsZAEZFgRz
ZGRjMRkwFwYDVQQDExBzZGRjLVNURVAtV0lOLUNBMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEAwlBBvULlPuXESTG+rfekm7TApKqp+Sr2rVgT84Yi8dZy
bcE0/Q8ewuJZp6n3htUhwe94PELKMMvJ6jKdZL6t7gKtkGgdp1u5OMQpg+C6Nk9o
w5stxftTh87Y+azUsBvv+9Enti9/3ycaV05NqCUKhwypoAvwD/Vp5N+H5r+uSKOw
kkuaj0sRpF1eJyp1RRM9glB5Fx8/fPA5sw95Hl/Okqtivolwp3Os8hNa9ea1xbUZ
5CVZ+evs1FRTjR75W9MmRFuGrHgKmLj++YyhfUazEkMJAjSCI2H7ZuV3XEsAA9oR
+ItMO4j5luT3ymc8qEs7uS4HlvOEpctsD3CAkBtlSQIDAQABo1EwTzALBgNVHQ8E
BAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUyVRAF8yzvcU1juxL1yie
BWW5RL4wEAYJKwYBBAGCNxUBBAMCAQAwDQYJKoZIhvcNAQELBQADggEBAAJ2Q/ep
iznW0BREzfPnK5hCKDwnNYMt3aFoRwJtlISRfWjli7oy3I0VMIauot6bD1r6Q2Ab
DNZTcxe8BJDflPFzu+sIlYhiJzq7F2dUYaJp8s5vbkq6Lpfn9BFqOfsOIj87OmVP
i+2p/n+cpomTry4EmPoGtVHc5/JZVrBY0JcUmEZKYr6HgqzIvgF1J7mLq1LnlYU+
hmdmBEpguZes9u8hWP9uHWXrvIzEQ6l0ite8kMR4TpWzsYldRSUHQE2gb1jzLhD3
4HrzWNoarTA4HLMN4oST9NINVI3hnFj5J5GjvChlZx03joJtYB766L4JXv0Dgken
0Ymuj74+hZb4MyU=
-----END CERTIFICATE-----
My signed NSX Manager certificate:
-----BEGIN CERTIFICATE-----
MIIGeTCCBWGgAwIBAgITFQAAAAcoijk1vCmmjwAAAAAABzANBgkqhkiG9w0BAQsF
ADBGMRMwEQYKCZImiZPyLGQBGRYDbGFiMRQwEgYKCZImiZPyLGQBGRYEc2RkYzEZ
MBcGA1UEAxMQc2RkYy1TVEVQLVdJTi1DQTAeFw0yMjA4MjgwNzQ0MDVaFw0yNDA4
MjcwNzQ0MDVaMHsxCzAJBgNVBAYTAk5MMQswCQYDVQQIEwJaSDESMBAGA1UEBxMJ
Um90dGVyZGFtMRQwEgYDVQQKEwtOU1ggQWNhZGVteTESMBAGA1UECxMJRWR1Y2F0
aW9uMSEwHwYDVQQDExhwb2QtMTIwLW5zeHQtbG0uc2RkYy5sYWIwggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDMNjWR3bWdNj2Ws+5jcgYHjOBXpEWGWDMs
tW859ZsGai8m4CsZCwl97/3F6aMxlAlN6zYX/nD3GIEEKgxgqDM8uBG92qPlPneA
8EFCz0jkEo4DTVQtdKDKVKl/Vtv/PHVnd4yprV5R5b93nDHnHAHf3PtkUaRrjdft
FZjD8TEi+KzQNb1gw5ygrC2MoXHDChFNzM4gt8yVuFf/DJQNtnX3JgDE4KZLQFjY
+Q9UBXm4UQU42elsPyHtjtDoIz1MtOqC6c1DS0zwGQNZ9mUfTEJI7VXJl9p8vkSc
Np9tRWWGsgYUoRqzxjqD5p9y3fQaE232tfx+/89G95MEDTIRgqaZAgMBAAGjggMp
MIIDJTAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggr
BgEFBQcDATCBwwYDVR0RBIG7MIG4gg9wb2QtMTIwLW5zeHQtbG2CGHBvZC0xMjAt
bnN4dC1sbS5zZGRjLmxhYoIRcG9kLTEyMC1uc3h0LWxtLTGCGnBvZC0xMjAtbnN4
dC1sbS0xLnNkZGMubGFighFwb2QtMTIwLW5zeHQtbG0tMoIacG9kLTEyMC1uc3h0
LWxtLTIuc2RkYy5sYWKCEXBvZC0xMjAtbnN4dC1sbS0zghpwb2QtMTIwLW5zeHQt
bG0tMy5zZGRjLmxhYjAdBgNVHQ4EFgQUUv2kmeQz0NtmpD7btzGkuVE7NUowHwYD
VR0jBBgwFoAUyVRAF8yzvcU1juxL1yieBWW5RL4wgcwGA1UdHwSBxDCBwTCBvqCB
u6CBuIaBtWxkYXA6Ly8vQ049c2RkYy1TVEVQLVdJTi1DQSxDTj1zdGVwLXdpbixD
Tj1DRFAsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049
Q29uZmlndXJhdGlvbixEQz1zZGRjLERDPWxhYj9jZXJ0aWZpY2F0ZVJldm9jYXRp
b25MaXN0P2Jhc2U/b2JqZWN0Q2xhc3M9Y1JMRGlzdHJpYnV0aW9uUG9pbnQwgb8G
CCsGAQUFBwEBBIGyMIGvMIGsBggrBgEFBQcwAoaBn2xkYXA6Ly8vQ049c2RkYy1T
VEVQLVdJTi1DQSxDTj1BSUEsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMsQ049
U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1zZGRjLERDPWxhYj9jQUNlcnRp
ZmljYXRlP2Jhc2U/b2JqZWN0Q2xhc3M9Y2VydGlmaWNhdGlvbkF1dGhvcml0eTA8
BgkrBgEEAYI3FQcELzAtBiUrBgEEAYI3FQiDnLVrgYbjMsGfO4PXsUeGxrUDZoOJ
ySGBwLV3AgFkAgECMBsGCSsGAQQBgjcVCgQOMAwwCgYIKwYBBQUHAwEwDQYJKoZI
hvcNAQELBQADggEBADlUm4WRnCT7VPk3n3ZbpdB9fZ3kyxCHGp1uHF2TUSVzbwyY
iyDw8KP+KDISLqvrN5XP1bW+ea6nIzdDJ7DvvdJFZPgwFjZUenk1Z8ndZ9kE5ObE
Jy2OuNFB8Ze0SXEwJFMkrKwV+X+GGPdn/08lrW60+XLiTpV6Ih5UcyUxKaWXI3ww
2/Pqma7EH8fpXUgDyEQMi2ienhrdsuBNv+lICYNbnobI+JuOKYlcuTOJZXBqi0dV
DoX2ypHtg5ZAB2HHlGifBl5/CTpocy9XPrUn5tMJSJEPJalSezYaviCYwgcSh0Vc
NGGweT6mxK9rlUTG6QG7I0Rl5LGaNJkasOXrLks=
-----END CERTIFICATE-----
My full chain (signed + root):
-----BEGIN CERTIFICATE-----
MIIGeTCCBWGgAwIBAgITFQAAAAcoijk1vCmmjwAAAAAABzANBgkqhkiG9w0BAQsF
ADBGMRMwEQYKCZImiZPyLGQBGRYDbGFiMRQwEgYKCZImiZPyLGQBGRYEc2RkYzEZ
MBcGA1UEAxMQc2RkYy1TVEVQLVdJTi1DQTAeFw0yMjA4MjgwNzQ0MDVaFw0yNDA4
MjcwNzQ0MDVaMHsxCzAJBgNVBAYTAk5MMQswCQYDVQQIEwJaSDESMBAGA1UEBxMJ
Um90dGVyZGFtMRQwEgYDVQQKEwtOU1ggQWNhZGVteTESMBAGA1UECxMJRWR1Y2F0
aW9uMSEwHwYDVQQDExhwb2QtMTIwLW5zeHQtbG0uc2RkYy5sYWIwggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDMNjWR3bWdNj2Ws+5jcgYHjOBXpEWGWDMs
tW859ZsGai8m4CsZCwl97/3F6aMxlAlN6zYX/nD3GIEEKgxgqDM8uBG92qPlPneA
8EFCz0jkEo4DTVQtdKDKVKl/Vtv/PHVnd4yprV5R5b93nDHnHAHf3PtkUaRrjdft
FZjD8TEi+KzQNb1gw5ygrC2MoXHDChFNzM4gt8yVuFf/DJQNtnX3JgDE4KZLQFjY
+Q9UBXm4UQU42elsPyHtjtDoIz1MtOqC6c1DS0zwGQNZ9mUfTEJI7VXJl9p8vkSc
Np9tRWWGsgYUoRqzxjqD5p9y3fQaE232tfx+/89G95MEDTIRgqaZAgMBAAGjggMp
MIIDJTAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggr
BgEFBQcDATCBwwYDVR0RBIG7MIG4gg9wb2QtMTIwLW5zeHQtbG2CGHBvZC0xMjAt
bnN4dC1sbS5zZGRjLmxhYoIRcG9kLTEyMC1uc3h0LWxtLTGCGnBvZC0xMjAtbnN4
dC1sbS0xLnNkZGMubGFighFwb2QtMTIwLW5zeHQtbG0tMoIacG9kLTEyMC1uc3h0
LWxtLTIuc2RkYy5sYWKCEXBvZC0xMjAtbnN4dC1sbS0zghpwb2QtMTIwLW5zeHQt
bG0tMy5zZGRjLmxhYjAdBgNVHQ4EFgQUUv2kmeQz0NtmpD7btzGkuVE7NUowHwYD
VR0jBBgwFoAUyVRAF8yzvcU1juxL1yieBWW5RL4wgcwGA1UdHwSBxDCBwTCBvqCB
u6CBuIaBtWxkYXA6Ly8vQ049c2RkYy1TVEVQLVdJTi1DQSxDTj1zdGVwLXdpbixD
Tj1DRFAsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049
Q29uZmlndXJhdGlvbixEQz1zZGRjLERDPWxhYj9jZXJ0aWZpY2F0ZVJldm9jYXRp
b25MaXN0P2Jhc2U/b2JqZWN0Q2xhc3M9Y1JMRGlzdHJpYnV0aW9uUG9pbnQwgb8G
CCsGAQUFBwEBBIGyMIGvMIGsBggrBgEFBQcwAoaBn2xkYXA6Ly8vQ049c2RkYy1T
VEVQLVdJTi1DQSxDTj1BSUEsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMsQ049
U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1zZGRjLERDPWxhYj9jQUNlcnRp
ZmljYXRlP2Jhc2U/b2JqZWN0Q2xhc3M9Y2VydGlmaWNhdGlvbkF1dGhvcml0eTA8
BgkrBgEEAYI3FQcELzAtBiUrBgEEAYI3FQiDnLVrgYbjMsGfO4PXsUeGxrUDZoOJ
ySGBwLV3AgFkAgECMBsGCSsGAQQBgjcVCgQOMAwwCgYIKwYBBQUHAwEwDQYJKoZI
hvcNAQELBQADggEBADlUm4WRnCT7VPk3n3ZbpdB9fZ3kyxCHGp1uHF2TUSVzbwyY
iyDw8KP+KDISLqvrN5XP1bW+ea6nIzdDJ7DvvdJFZPgwFjZUenk1Z8ndZ9kE5ObE
Jy2OuNFB8Ze0SXEwJFMkrKwV+X+GGPdn/08lrW60+XLiTpV6Ih5UcyUxKaWXI3ww
2/Pqma7EH8fpXUgDyEQMi2ienhrdsuBNv+lICYNbnobI+JuOKYlcuTOJZXBqi0dV
DoX2ypHtg5ZAB2HHlGifBl5/CTpocy9XPrUn5tMJSJEPJalSezYaviCYwgcSh0Vc
NGGweT6mxK9rlUTG6QG7I0Rl5LGaNJkasOXrLks=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDZzCCAk+gAwIBAgIQd/ljrMxM2KdEfl18Se05DjANBgkqhkiG9w0BAQsFADBG
MRMwEQYKCZImiZPyLGQBGRYDbGFiMRQwEgYKCZImiZPyLGQBGRYEc2RkYzEZMBcG
A1UEAxMQc2RkYy1TVEVQLVdJTi1DQTAeFw0yMjA4MjYxNTIzNTVaFw0yNzA4MjYx
NTMzNTRaMEYxEzARBgoJkiaJk/IsZAEZFgNsYWIxFDASBgoJkiaJk/IsZAEZFgRz
ZGRjMRkwFwYDVQQDExBzZGRjLVNURVAtV0lOLUNBMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEAwlBBvULlPuXESTG+rfekm7TApKqp+Sr2rVgT84Yi8dZy
bcE0/Q8ewuJZp6n3htUhwe94PELKMMvJ6jKdZL6t7gKtkGgdp1u5OMQpg+C6Nk9o
w5stxftTh87Y+azUsBvv+9Enti9/3ycaV05NqCUKhwypoAvwD/Vp5N+H5r+uSKOw
kkuaj0sRpF1eJyp1RRM9glB5Fx8/fPA5sw95Hl/Okqtivolwp3Os8hNa9ea1xbUZ
5CVZ+evs1FRTjR75W9MmRFuGrHgKmLj++YyhfUazEkMJAjSCI2H7ZuV3XEsAA9oR
+ItMO4j5luT3ymc8qEs7uS4HlvOEpctsD3CAkBtlSQIDAQABo1EwTzALBgNVHQ8E
BAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUyVRAF8yzvcU1juxL1yie
BWW5RL4wEAYJKwYBBAGCNxUBBAMCAQAwDQYJKoZIhvcNAQELBQADggEBAAJ2Q/ep
iznW0BREzfPnK5hCKDwnNYMt3aFoRwJtlISRfWjli7oy3I0VMIauot6bD1r6Q2Ab
DNZTcxe8BJDflPFzu+sIlYhiJzq7F2dUYaJp8s5vbkq6Lpfn9BFqOfsOIj87OmVP
i+2p/n+cpomTry4EmPoGtVHc5/JZVrBY0JcUmEZKYr6HgqzIvgF1J7mLq1LnlYU+
hmdmBEpguZes9u8hWP9uHWXrvIzEQ6l0ite8kMR4TpWzsYldRSUHQE2gb1jzLhD3
4HrzWNoarTA4HLMN4oST9NINVI3hnFj5J5GjvChlZx03joJtYB766L4JXv0Dgken
0Ymuj74+hZb4MyU=
-----END CERTIFICATE-----

I need to import this signed (full chain) certificate into the NSX Manager Nodes with the private key that was generated when I created the CSR).

Go to System → Settings → Certificates → Import → Certificate.

My Private Key (from when I created the CSR)
-----BEGIN PRIVATE KEY-----
MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDKCS8suICy1J1C
iBw2pziJ69h2ZXneGHeOJ2UXG9FbvymlboWrLTNtavE4JEgycDykiC1K+fuNpVVG
MB+Nu9PGuwy/HylWqXW5znBw991kyd8ZSOpDGdiIVbbMMsJtb38SF4hdSNzLywEQ
tT2Ybou8WUrgZ14c+epxuod5Rl1KTnjqymXSMU0PL8zXEjic0gQwmGHEHGftG9ci
qqlGlni17VjaQ1gknds32Dmocy2ILOBZI/+9LpObmoA/k7gcKb3I/lT60RACXz2y
a71ND80pEZharm0JXgSJIB5ipdLKePdGe4e45VCS6AWB01ebQ4MPNuWSp+fPVomw
wceesGt3AgMBAAECggEBAKv/T6MB28bizJKkb2hzyeVY3CpHT42tRLLHhP88VmqF
/r1wrulAjOScw4jpEnGmLWpg6DZJRUecNlGPjH1MJwmrmjlnHPlDQQ8S2ZTC3z77
wSu0cIL5kObYGcwTdoRWBFbxo8zOx/HS/DAuK6cGjX2mguEx/uQqOtXhV43+QlOL
oKBaOnWLAwOQDr4Dv9GUeA+E+WA69CtG9KAcmuwF0mFLHBpuXuGSF3m+11U/kPaq
vessMnOC16RRBvKvgJvNU3KxWKBKQHUpi+cOuX525ZohpAprMPOvo3LIecCpMnKF
F8Ar9dYmUdu8Ca2nu/JZw8L6Dvtf1suuSMyFUiNwlakCgYEA9CDSgKyUhDchN42R
Q4TAlSaKGvX+1hNZxNQ4XZaY8Aw0aObBrmClI1u5KyhcV5+wi3GxFlYvxS6f5now
/zMVy62F6t6HpRtjkdXmY7MJci6VUkTF2w6qoswb4QPAnoy7/29RSSvZKL1dAmgx
9lZAYPSnlCJB1ML9rNB9e/y6BIUCgYEA09xZn8Mpa7Odmz9CnHMMyZBMURGEdmgJ
9CMwz1y3hIvyNANMLMOo4BwlcFCyOZlYszuLWek1OCe8rwjyldcKj7M1l6Ix5OH4
+Rqq8dpMFIq+SBOgggRQtTaFpMPLUzbOpVzsJ3rj+G+TYk+DuPGylWI1VwocT4ja
SjWF6TVOXssCgYEAhZdceet2zi847yR6BH+lvzi6xGwvCsjGC+6x9YzOnjWfjHQS
MrFSTNoJpzNL7OtG+de6N2XseDO+bqoZG93BpJaNPOyPP+uP/iMWEyLLHX+eWMmn
l+sbt0CIVQbvphOPYQVybt8e06tkNUf9ZzblvejDt01TxvD5TlM9B9dRl90CgYEA
t6Ex/YvHBxbz8G/waHJADyUHQO0SBx8+IWGvGMygND6oe/Svvc0JPtamjKclE0+a
1h8yNYgxHK80l/IFcWKmQM9wEDIBVQWYKzG2IVK4xsVLEGYSpR7gZXEQfTNHtKS4
kBPujHmzxs3OzVNmNJMp2tj4qqyUxUs1CUVDAFO3zekCgYAmlWGAaCOlLecHKKk+
apMLGu5OYLDWZ843v8y21jJebmrMlnFidZPJ6+kZdrPXVsyiRdOjdSNImp7Hneqf
A4CRwgkqWrdPHZOuQifG8WlA8WLgQkEr54lMnAYF4Jwx3FllEMnOu3PUib6g3ovw
5GcnTOO5MbssYbnnmGM+5uHO4g==
-----END PRIVATE KEY-----

Untitled%204.png

Open the signed certificate file and the root certificate in a notepad create one single output (based on the order provided above) and copy/paste the content over in the “Certificate Contents” field.

Also open the private key file in a notepad and copy/paste the content over in the “Private key” field.

Untitled%205.png

Verify if the signed certificate is imported correctly.

Untitled%206.png

Make note of the certificate ID (that I will use in the API requests to assign (replace) the existing certificates):

b9ace4da-9d9a-4d55-800c-fc7fdf294f28

STEP 3: Activate/Assign/Replace the CA-signed certificate

Before I start it is good to look at the starting point.

When I access all the NSX Manager Nodes using the FQDN the browser provides a “Not secure” message in front of the URL.

Untitled%207.png

The certificate ID:
3eb60477-d00d-45a5-a783-80660d6d0d44

All the commands below are done with API requests performed using postman. The API request information was retrieved from the NSX API Guide.

Before this can be done please complete Use Postman to perform API requests on NSX.

Verify if the certificate is available and valid for usage

GET https://<nsx-mgr>/api/v1/trust-management/certificates/<certificate-id>?action=validate
GET https://{{hostname-vip}}/api/v1/trust-management/certificates/b9ace4da-9d9a-4d55-800c-fc7fdf294f28?action=validate

Untitled%208.png

Activate/Assign/Replace the NSX Node certificates

NSX Local Manager Node 1

POST https://<nsx-mgr>/api/v1/node/services/http?action=apply_certificate&certificate_id=3eb60477-d00d-45a5-a783-80660d6d0d4
POST https://{{hostname-lm1}}/api/v1/node/services/http?action=apply_certificate&certificate_id=b9ace4da-9d9a-4d55-800c-fc7fdf294f28

The output of Postman after I executed the API request.

Untitled%209.png

NSX Local Manager Node 2

POST https://{{hostname-lm2}}/api/v1/node/services/http?action=apply_certificate&certificate_id=b9ace4da-9d9a-4d55-800c-fc7fdf294f28

The output of Postman after I executed the API request.

Untitled%2010.png

NSX Local Manager Node 3

POST https://{{hostname-lm3}}/api/v1/node/services/http?action=apply_certificate&certificate_id=b9ace4da-9d9a-4d55-800c-fc7fdf294f28

The output of Postman after I executed the API request.

Untitled%2011.png

Activate/Assign/Replace the NSX VIP certificate

POST https://<nsx-mgr>/api/v1/cluster/api-certificate?action=set_cluster_certificate&certificate_id=d60c6a07-6e59-4873-8edb-339bf75711ac
POST https://{{hostname-vip}}/api/v1/cluster/api-certificate?action=set_cluster_certificate&certificate_id=b9ace4da-9d9a-4d55-800c-fc7fdf294f28

The output of Postman after I executed the API request.

Untitled%2012.png

When I access all the NSX Manager Nodes now using the FQDN the browser provides a lock sign in front of the URL and the “Not secure” message is disappeared.

I are using valid certificates now.

Untitled%2013.png