Lab: Replacing the self-signed SSL certificates with CA-signed certificates
Before this can be done, please complete Use Postman to perform API requests on NSX.
Before this can be done, please complete Signing the NSX CSR with a Microsoft (root) CA Server.
In this lab I am working with the following software and versions:
| Software | Version | Filename |
|---|---|---|
| VMware NSX | 4.0.0.1 | nsx-unified-appliance-4.0.0.1.0.20159694.ova |
| Postman | v9.29.0 | Postman-win64-Setup.exe |
By default, the NSX Manager Nodes are deployed with self-signed certificates. In an enterprise environment there is typically an existing public key infrastructure (PKI), so the self-signed certificates should be replaced with certificates signed by that PKI.
- Replace all the self-signed SSL certificates with one CA-signed (wildcard) certificate.
- Do this for all NSX Manager Nodes and the NSX Manager VIP address.
The Steps
- STEP 1: Import the root CA certificate
- STEP 2: Import the CA-signed certificate
- STEP 3: Activate/Assign/Replace the CA-signed certificate
STEP 1» Import the root CA certificate
When I prepared the Microsoft CA, I exported the root certificate in Step 2 of Configuring a Microsoft Server to be a Root Certificate Authority (CA).
I need to import this root certificate into the NSX Manager Nodes.
Go to System → Settings → Certificates → Import → CA Certificate.
Open the root certificate file in Notepad and paste its content into the “Certificate Contents” field.
Verify if the root certificate is imported correctly.
STEP 2» Import the CA-signed certificate
Create a full chain with the CA-signed NSX certificate content first and the CA root certificate at the end:
-----BEGIN CERTIFICATE-----
<NSX-T FQDN Node Certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<CA Root Certificate>
-----END CERTIFICATE-----
I need to import this signed (full chain) certificate into the NSX Manager Nodes together with the private key that was generated when I created the CSR.
Go to System → Settings → Certificates → Import → Certificate.
Open the signed certificate file and the root certificate file in Notepad, combine them into one single output (in the order given above) and paste the content into the “Certificate Contents” field.
Also open the private key file in Notepad and paste its content into the “Private Key” field.
Verify if the signed certificate is imported correctly.
Make a note of the certificate ID; I will use it in the API requests to assign (replace) the existing certificates:
b9ace4da-9d9a-4d55-800c-fc7fdf294f28
STEP 3» Activate and Assign and Replace the CA-signed certificate
Before I start it is good to look at the starting point.
When I access all the NSX Manager Nodes using the FQDN the browser provides a “Not secure” message in front of the URL.
All the commands below are API requests performed with Postman. The API request information was retrieved from the NSX API Guide.
Before this can be done, please complete Use Postman to perform API requests on NSX.
Verify that the certificate is available and valid for use
GET https://<nsx-mgr>/api/v1/trust-management/certificates/<certificate-id>?action=validate
GET https://{{hostname-vip}}/api/v1/trust-management/certificates/b9ace4da-9d9a-4d55-800c-fc7fdf294f28?action=validate
Activate and Assign and Replace the NSX Node certificates
NSX Local Manager Node 1
POST https://<nsx-mgr>/api/v1/node/services/http?action=apply_certificate&certificate_id=3eb60477-d00d-45a5-a783-80660d6d0d4
POST https://{{hostname-lm1}}/api/v1/node/services/http?action=apply_certificate&certificate_id=b9ace4da-9d9a-4d55-800c-fc7fdf294f28
The output of Postman after I executed the API request.
NSX Local Manager Node 2
POST https://{{hostname-lm2}}/api/v1/node/services/http?action=apply_certificate&certificate_id=b9ace4da-9d9a-4d55-800c-fc7fdf294f28
The output of Postman after I executed the API request.
NSX Local Manager Node 3
POST https://{{hostname-lm3}}/api/v1/node/services/http?action=apply_certificate&certificate_id=b9ace4da-9d9a-4d55-800c-fc7fdf294f28
The output of Postman after I executed the API request.
Activate and Assign and Replace the NSX VIP certificate
POST https://<nsx-mgr>/api/v1/cluster/api-certificate?action=set_cluster_certificate&certificate_id=d60c6a07-6e59-4873-8edb-339bf75711ac
POST https://{{hostname-vip}}/api/v1/cluster/api-certificate?action=set_cluster_certificate&certificate_id=b9ace4da-9d9a-4d55-800c-fc7fdf294f28
The output of Postman after I executed the API request.
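As an added example (not VMware's code and not the lab author's), the chain assembly from STEP 2 and the API requests from STEP 3 scripted in Python with only the standard library; the hostnames, file names and credentials are placeholders, and the script assumes Basic authentication against the NSX API.

```python
"""Added example (not VMware's or the lab's code): build the full-chain PEM in the order NSX
expects and run the STEP 3 API requests with the standard library. Hostnames/files are placeholders."""
import base64
import re
import ssl
import urllib.request

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def build_full_chain(node_cert_pem: str, root_ca_pem: str) -> str:
    """Node (leaf) certificate first, CA root certificate last, exactly one block per input."""
    node, root = PEM_BLOCK.findall(node_cert_pem), PEM_BLOCK.findall(root_ca_pem)
    if len(node) != 1 or len(root) != 1:
        raise ValueError("expected exactly one certificate per input file")
    return node[0].strip() + "\n" + root[0].strip() + "\n"

def chain_order_ok(chain_pem: str, root_ca_pem: str) -> bool:
    """Catch the common mistake of pasting the root CA first: it must be the last block only."""
    blocks = [b.strip() for b in PEM_BLOCK.findall(chain_pem)]
    root = PEM_BLOCK.findall(root_ca_pem)[0].strip()
    return len(blocks) >= 2 and blocks[-1] == root and root not in blocks[:-1]

def nsx_calls(cert_id: str, nodes: list, vip: str) -> list:
    """The STEP 3 requests in lab order: validate, apply to each node, then set the VIP."""
    calls = [("GET", f"https://{vip}/api/v1/trust-management/certificates/{cert_id}?action=validate")]
    for node in nodes:
        calls.append(("POST", f"https://{node}/api/v1/node/services/http"
                              f"?action=apply_certificate&certificate_id={cert_id}"))
    calls.append(("POST", f"https://{vip}/api/v1/cluster/api-certificate"
                          f"?action=set_cluster_certificate&certificate_id={cert_id}"))
    return calls

def run(calls: list, user: str, password: str, ctx: ssl.SSLContext) -> None:
    """Execute the calls; ctx must trust the certificate each node presents right now
    (the self-signed ones on the first run), so TLS verification is never switched off."""
    auth = base64.b64encode(f"{user}:{password}".encode()).decode()
    for method, url in calls:  # one node at a time: apply_certificate restarts its API service
        req = urllib.request.Request(url, method=method, headers={"Authorization": "Basic " + auth})
        with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
            print(method, url, "->", resp.status, resp.read()[:200])

if __name__ == "__main__":  # placeholder files; cert_id is the one noted in STEP 2
    chain = build_full_chain(open("nsx-node.cer").read(), open("root-ca.cer").read())
    assert chain_order_ok(chain, open("root-ca.cer").read())
    ctx = ssl.create_default_context(cafile="current-nsx-certs.pem")  # exported self-signed certs
    run(nsx_calls("b9ace4da-9d9a-4d55-800c-fc7fdf294f28",
                  ["nsx-lm1.lab.local", "nsx-lm2.lab.local", "nsx-lm3.lab.local"],
                  "nsx-vip.lab.local"), "admin", "CHANGE_ME", ctx)
```

The chain check only guards the block order; the validate request on the page is still what confirms NSX accepted the certificate and key.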
When I now access all the NSX Manager Nodes using the FQDN, the browser shows a lock icon in front of the URL and the “Not secure” message has disappeared.
We are using valid certificates now.