In this post we will generate a certificate signing request (CSR) for NSX Manager, have it signed by a CA, and replace the NSX Manager certificate with the signed one, doing everything through the REST API.
I wrote a post in the past on how to replace the NSX Manager SSL certificate from the GUI. In this post I am achieving the same result via the REST API.
Following are the API calls you need to execute, in this order, to generate the CSR and replace the certificate. Every call authenticates with the admin account over HTTP basic auth, so run them from a trusted host and do not leave the password in your shell history. The -k flag tells curl to skip certificate verification; that is unavoidable while the manager still presents its self-signed certificate, but once the CA-signed certificate is installed, run the remaining calls without -k (pass your CA bundle with --cacert instead) so the new certificate is actually validated.
Generate CSR
# curl -k -u "admin:passwd" -H "Content-Type: application/xml" -d @csr.xml -X PUT https://nsxmgr.alex.local/api/1.0/appliance-management/certificatemanager/csr/nsx
Contents of csr.xml (adjust the subject fields to your environment; the commonName must match the FQDN clients use to reach the manager):
<?xml version="1.0" encoding="UTF-8"?>
<csr>
  <algorithm>RSA</algorithm>
  <keySize>4096</keySize>
  <subjectDto>
    <commonName>nsxmgr.alex.local</commonName>
    <organizationUnit>Cloud</organizationUnit>
    <organizationName>Alex.Co</organizationName>
    <localityName>Bangalore</localityName>
    <stateName>Karnataka</stateName>
    <countryCode>IN</countryCode>
  </subjectDto>
</csr>
Download CSR
# curl -k -u "admin:passwd" -X GET https://nsxmgr.alex.local/api/1.0/appliance-management/certificatemanager/csr/nsx
Save the returned PEM-encoded CSR to a file and submit it to your CA. Note: if you have not generated the CSR yet and try to download it, you will get the error below.
<?xml version="1.0" encoding="UTF-8"?>
<errors>
  <error>
    <details>CSR is not yet generated.</details>
    <errorCode>150919</errorCode>
    <moduleName>vsm-appliance-mgmt</moduleName>
  </error>
</errors>
Upload Certificate Chain
Once you receive the signed certificate from your certification authority, apply it to NSX Manager with the API call below. The request body must carry the PEM-encoded certificate chain: your signed certificate first, followed by the intermediate CA certificate(s) and the root, in that order; check the NSX API guide for your version for the exact way the chain file is passed to this call.
# curl -k -u "admin:passwd" -X PUT https://nsxmgr.alex.local/api/1.0/appliance-management/certificatemanager/uploadchain/nsx
Query Certificates
Once you have replaced the SSL certificate on NSX Manager, query the installed chain with the API call below. Check that subjectCn is the FQDN you put in the CSR, that publicKeyLength matches the keySize you requested (in the output below the leaf reports 2048 bits while the CSR above asked for 4096, so compare the two and regenerate if they differ), that signatureAlgo is SHA-256 or stronger, that notBefore and notAfter (epoch milliseconds) match what your CA issued, that issuer of each entry equals subject of the next and the last entry has isCa true, and that sha1Hash equals the fingerprint openssl computes on the certificate your CA returned.
# curl -k -u "admin:passwd" -X GET https://nsxmgr.alex.local/api/1.0/appliance-management/certificatemanager/certificates/nsx | xmllint --format -
<?xml version="1.0" encoding="UTF-8"?>
<x509Certificates>
  <x509certificate>
    <subjectCn>nsxmgr.alex.local</subjectCn>
    <issuerCn>CASRV01-CA</issuerCn>
    <version>3</version>
    <serialNumber>5a0000001e3a9535ac14ccfe8800000000001e</serialNumber>
    <signatureAlgo>SHA256WITHRSA</signatureAlgo>
    <signature>ac 70 3c 9a 78 81 28 4d 54 3d 2e d3 71 8f 9f 05 b1 13 41 a0 4f 60 b5 2a c5 fb 84 57 04 32 05 6c a1 48 f6 19 de ee 69 53 91 8d b0 d0 c2 03 68 41 06 9d 08 0e 31 41 ef 02 6c c7 2c 2e 3a 5a 45 1e 7e d0 2d b4 ba 47 c2 93 7c 93 5a 2e b3 e6 0a 65 c5 a8 34 58 40 07 3c cc 10 5e e2 42 96 bb 93 9a 77 e8 d5 68 af 62 45 74 73 b0 44 6b c5 39 19 86 99 34 55 58 b2 81 65 f0 7f d4 f4 d1 65 b4 86 4d 89 f4 05 64 cc 2c d6 4f 1d f8 92 1d ab 3d b4 ba 9b 01 06 11 9b a9 16 12 d7 83 7e 11 2c 25 31 d4 6f 44 f3 41 9c d6 9d 7e 42 3f 5d 02 11 31 47 4d 0b 2d 0c 83 b0 ed 57 02 a7 46 78 01 13 b2 3e d7 0c dd 02 54 b5 a0 12 44 7d c3 2c df e9 23 15 8e f1 72 b0 d2 e4 67 1b eb 75 99 55 a9 a1 9a 0f 31 5a 00 cb e0 8c 4f 49 c4 9a ec 8c 60 51 3f f5 06 dd 11 ca 93 e1 01 16 53 53 0f ae 30 25 d3 9f a6 38 b0 fb af 58 fb ed 7b b6 48 f4 4c 19 cb 6b 1d 9f af d1 72 94 b2 ca 46 29 af 3d 15 bc c1 f6 d7 38 ee 98 d2 17 5f 77 87 25 22 6d 09 ce 5a ae 64 3e 23 f3 78 06 c6 6e e3 7a c6 04 86 e6 09 79 f8 01 af d1 84 1d 9f 5d 98 64 59 55 7c 8a 37 f5 46 99 17 16 24 cd 76 53 db db f3 90 d2 b3 5b 90 b8 24 4f 8f 81 a5 2c 07 89 62 8d 99 27 54 b8 f8 26 a5 b0 b1 b1 91 73 8c 69 d4 21 ac 45 31 b1 23 b8 06 fa 7d 22 06 5c c0 18 02 0c c0 34 fb 98 6f 58 1f 5c db 38 ad b6 60 55 9e 69 e7 42 41 6e 82 35 66 b7 94 6c 9d 71 48 4e ae 5d f9 8f e7 36 ce 9a e8 03 4c a6 0b f2 19 53 b7 fb 76 87 ea ad 39 db 14 8b 72 31 77 2f 3b 74 50 7a 5d 1c fa 77 de 01 c3 6b e8 62 b7 e1 23 a1 77 a8 3c 33 66 f2 38 9a a3 e7 dd 74 6e 28 b5 65 63 7a 02 3b d5 0a c7 04 d7 8f b3 c4 4f a4 51 fa a0 ec 95 c3 c4 2a b2 b6</signature>
    <notBefore>1490284036000</notBefore>
    <notAfter>1553356636000</notAfter>
    <issuer>CN=CASRV01-CA,DC=alex,DC=local</issuer>
    <subject>CN=nsxmgr.alex.local,OU=Cloud,O=Alex.Co,L=Bangalore,ST=Karnataka,C=IN</subject>
    <publicKeyAlgo>RSA</publicKeyAlgo>
    <publicKeyLength>2048</publicKeyLength>
    <rsaPublicKeyExponent>10001</rsaPublicKeyExponent>
    <sha1Hash>3a:22:5a:78:51:43:52:04:3f:0f:0b:25:1e:02:15:cc:57:95:76:be</sha1Hash>
    <md5Hash>3f:e6:f6:e4:28:e4:07:30:25:b3:b1:b8:22:d7:95:7a</md5Hash>
    <isCa>false</isCa>
    <isValid>true</isValid>
  </x509certificate>
  <x509certificate>
    <subjectCn>CASRV01-CA</subjectCn>
    <issuerCn>CASRV01-CA</issuerCn>
    <version>3</version>
    <serialNumber>379322e692faa1af4dd54387d6400ff1</serialNumber>
    <notBefore>1465810241000</notBefore>
    <notAfter>1623577238000</notAfter>
    <issuer>CN=CASRV01-CA,DC=alex,DC=local</issuer>
    <subject>CN=CASRV01-CA,DC=alex,DC=local</subject>
    <publicKeyAlgo>RSA</publicKeyAlgo>
    <publicKeyLength>4096</publicKeyLength>
    <rsaPublicKeyExponent>10001</rsaPublicKeyExponent>
    <sha1Hash>84:7b:5c:2d:65:0a:c8:3e:76:ad:96:23:42:9b:e3:d7:4c:83:6b:cb</sha1Hash>
    <md5Hash>7e:63:cb:3e:a0:4f:93:a9:8f:ef:d4:1e:18:84:ca:48</md5Hash>
    <isCa>true</isCa>
    <isValid>true</isValid>
  </x509certificate>
</x509Certificates>
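The two pieces of this procedure that are easy to get wrong by hand are writing the CSR body and reading the query output. The script below is an added example, not code from the original post or from VMware: it builds the csr.xml body from the subject fields used above and runs the checks listed for the query output (CN, key size against the requested keySize, signature algorithm, issuer/subject linkage, self-signed CA at the end, isValid and remaining lifetime). The function names, the check thresholds and the sample XML are mine; the samples are reconstructed from the responses on this page with the signature blob dropped. Feed it the real output of the certificates call to check a live manager.

```python
"""Added example (not from the original post): build the NSX Manager CSR
request body and sanity-check the certificate query response, offline.
Sample XML below is reconstructed from the page's responses and trimmed."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Error code NSX Manager returns when no CSR exists yet (taken from the page).
ERR_CSR_NOT_GENERATED = "150919"


def build_csr_xml(common_name, org_unit, org, locality, state, country, key_size=4096):
    """Return the <csr> document that the PUT .../csr/nsx call expects as its body."""
    csr = ET.Element("csr")
    ET.SubElement(csr, "algorithm").text = "RSA"
    ET.SubElement(csr, "keySize").text = str(key_size)
    subject = ET.SubElement(csr, "subjectDto")
    for tag, value in (("commonName", common_name), ("organizationUnit", org_unit),
                       ("organizationName", org), ("localityName", locality),
                       ("stateName", state), ("countryCode", country)):
        ET.SubElement(subject, tag).text = value
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(csr, encoding="unicode")


def nsx_error(body):
    """Return (errorCode, details) if body is an NSX <errors> document, else None."""
    root = ET.fromstring(body)
    if root.tag != "errors":
        return None
    err = root.find("error")
    return err.findtext("errorCode"), err.findtext("details")


def parse_certificates(body):
    """Parse the GET .../certificates/nsx response into a list of dicts, leaf first."""
    certs = []
    for c in ET.fromstring(body).findall("x509certificate"):
        certs.append({
            "subjectCn": c.findtext("subjectCn"),
            "subject": c.findtext("subject"),
            "issuer": c.findtext("issuer"),
            "keyLength": int(c.findtext("publicKeyLength")),
            "sigAlgo": c.findtext("signatureAlgo"),     # absent on the CA entry
            "notAfterMs": int(c.findtext("notAfter")),  # epoch milliseconds, as NSX reports it
            "isCa": c.findtext("isCa") == "true",
            "isValid": c.findtext("isValid") == "true",
            "sha1": c.findtext("sha1Hash"),
        })
    return certs


def check_chain(certs, expected_cn, expected_key_size, now_ms, min_days_left=30):
    """Return a list of findings; an empty list means the installed chain looks right."""
    findings = []
    leaf = certs[0]
    if leaf["subjectCn"] != expected_cn:
        findings.append(f"leaf CN is {leaf['subjectCn']}, expected {expected_cn}")
    if leaf["keyLength"] != expected_key_size:
        findings.append(f"leaf key is {leaf['keyLength']} bits, CSR asked for {expected_key_size}")
    if leaf["sigAlgo"] and any(w in leaf["sigAlgo"].upper() for w in ("SHA1", "MD5")):
        findings.append(f"leaf is signed with a weak algorithm: {leaf['sigAlgo']}")
    for lower, upper in zip(certs, certs[1:]):  # each issuer must be the next entry's subject
        if lower["issuer"] != upper["subject"]:
            findings.append(f"chain break: {lower['subjectCn']} was not issued by {upper['subjectCn']}")
    root = certs[-1]
    if not root["isCa"] or root["issuer"] != root["subject"]:
        findings.append("chain does not end in a self-signed CA certificate")
    for c in certs:
        days_left = (c["notAfterMs"] - now_ms) / 86_400_000
        expiry = datetime.fromtimestamp(c["notAfterMs"] / 1000, tz=timezone.utc).date()
        if not c["isValid"]:
            findings.append(f"{c['subjectCn']} reports isValid=false")
        if days_left < min_days_left:
            findings.append(f"{c['subjectCn']} expires on {expiry} ({days_left:.0f} days left)")
    return findings


# Constructed samples: the page's responses with the long <signature> value removed.
SAMPLE_ERROR = ('<?xml version="1.0" encoding="UTF-8"?><errors><error>'
                '<details>CSR is not yet generated.</details><errorCode>150919</errorCode>'
                '<moduleName>vsm-appliance-mgmt</moduleName></error></errors>')

SAMPLE_CERTS = """<?xml version="1.0" encoding="UTF-8"?>
<x509Certificates>
  <x509certificate>
    <subjectCn>nsxmgr.alex.local</subjectCn><issuerCn>CASRV01-CA</issuerCn>
    <signatureAlgo>SHA256WITHRSA</signatureAlgo>
    <notBefore>1490284036000</notBefore><notAfter>1553356636000</notAfter>
    <issuer>CN=CASRV01-CA,DC=alex,DC=local</issuer>
    <subject>CN=nsxmgr.alex.local,OU=Cloud,O=Alex.Co,L=Bangalore,ST=Karnataka,C=IN</subject>
    <publicKeyAlgo>RSA</publicKeyAlgo><publicKeyLength>2048</publicKeyLength>
    <sha1Hash>3a:22:5a:78:51:43:52:04:3f:0f:0b:25:1e:02:15:cc:57:95:76:be</sha1Hash>
    <isCa>false</isCa><isValid>true</isValid>
  </x509certificate>
  <x509certificate>
    <subjectCn>CASRV01-CA</subjectCn><issuerCn>CASRV01-CA</issuerCn>
    <notBefore>1465810241000</notBefore><notAfter>1623577238000</notAfter>
    <issuer>CN=CASRV01-CA,DC=alex,DC=local</issuer>
    <subject>CN=CASRV01-CA,DC=alex,DC=local</subject>
    <publicKeyAlgo>RSA</publicKeyAlgo><publicKeyLength>4096</publicKeyLength>
    <isCa>true</isCa><isValid>true</isValid>
  </x509certificate>
</x509Certificates>"""

if __name__ == "__main__":
    print(build_csr_xml("nsxmgr.alex.local", "Cloud", "Alex.Co", "Bangalore", "Karnataka", "IN"))
    print(nsx_error(SAMPLE_ERROR))
    certs = parse_certificates(SAMPLE_CERTS)
    # 1 April 2017 in epoch ms, shortly after the leaf's notBefore on the page.
    for finding in check_chain(certs, "nsxmgr.alex.local", 4096, now_ms=1491004800000):
        print("FINDING:", finding)
```

Run against the page's own output with the 4096-bit request, the only finding is the 2048-bit key on the leaf, which is exactly the mismatch worth catching before you trust the new certificate. Pipe the real curl output into parse_certificates and pass the current time in milliseconds to check a live manager.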
I hope you enjoyed reading this post. Feel free to share it if you found it useful.