In my last post on NSX SSL certificate rotation, I discussed the types of certificates in NSX and why you should use a certificate with a SAN attribute. The ability to generate a CSR with Subject Alternative Names from the UI was first introduced in NSX v4.2. Before NSX v4.2, creating certificates with SAN attributes was possible only through the API. This post demonstrates the certificate generation and replacement procedure through the API.
Step 1: Create Certificate Signing Request
```
Method: POST
URL: https://{nsx_mgr}/api/v1/trust-management/csrs
Headers: Accept: application/json, Content-Type: application/json
Authentication: Basic
Payload:
{
  "display_name": "<certificate-name>",
  "key_size": 2048,
  "algorithm": "RSA",
  "subject": {
    "attributes": [
      { "key": "CN", "value": "<nsx-mgr-vip-fqdn>" },
      { "key": "O", "value": "Cloud" },
      { "key": "OU", "value": "Network-Engineering" },
      { "key": "L", "value": "Toronto" },
      { "key": "ST", "value": "Ontario" },
      { "key": "C", "value": "CA" }
    ]
  },
  "is_ca": false,
  "extensions": {
    "subject_alt_names": {
      "dns_names": [
        "<nsx-mgr-vip-fqdn>",
        "<nsx-mgr01-fqdn>",
        "<nsx-mgr02-fqdn>",
        "<nsx-mgr03-fqdn>"
      ],
      "ip_addresses": [
        "<nsx-mgr-vip>",
        "<nsx-mgr01-ip>",
        "<nsx-mgr02-ip>",
        "<nsx-mgr03-ip>"
      ]
    }
  }
}
```
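As an added example that is not part of the original post, the following Python builds the Step 1 payload above for a three-node cluster and checks the points a TLS client actually cares about before the CSR is submitted: the CN also appears in the SAN DNS names (modern browsers and libraries ignore the CN entirely, which is the whole reason for the SAN extension), the SAN lists are non-empty and free of duplicates, and the RSA key is at least 2048 bits. The host names, IP addresses and function names are assumptions; the payload layout is the one from the post.

```python
import json

def build_csr_payload(name, vip_fqdn, node_fqdns, vip_ip, node_ips,
                      org="Cloud", ou="Network-Engineering",
                      locality="Toronto", state="Ontario", country="CA"):
    """Body for POST /api/v1/trust-management/csrs (layout from the post):
    the cluster VIP is the CN, and VIP plus every manager node go into the SAN."""
    return {
        "display_name": name,
        "key_size": 2048,
        "algorithm": "RSA",
        "subject": {"attributes": [
            {"key": "CN", "value": vip_fqdn},
            {"key": "O", "value": org},
            {"key": "OU", "value": ou},
            {"key": "L", "value": locality},
            {"key": "ST", "value": state},
            {"key": "C", "value": country},
        ]},
        "is_ca": False,
        "extensions": {"subject_alt_names": {
            "dns_names": [vip_fqdn, *node_fqdns],
            "ip_addresses": [vip_ip, *node_ips],
        }},
    }

def san_problems(payload):
    """Pre-submission checks; returns a list of findings, empty when the CSR is sane."""
    problems = []
    san = payload["extensions"]["subject_alt_names"]
    cn = next(a["value"] for a in payload["subject"]["attributes"] if a["key"] == "CN")
    if cn not in san["dns_names"]:
        # Clients match the SAN, not the CN: a CN missing from the SAN fails name checks.
        problems.append(f"CN {cn} is not listed in subject_alt_names.dns_names")
    for field in ("dns_names", "ip_addresses"):
        values = san[field]
        if not values:
            problems.append(f"{field} is empty")
        if len(values) != len(set(values)):
            problems.append(f"{field} contains duplicates")
    if payload["algorithm"] == "RSA" and payload["key_size"] < 2048:
        problems.append("RSA key size below 2048 bits")
    return problems

if __name__ == "__main__":
    # Constructed sample names; print the body ready to be posted with curl or Postman.
    payload = build_csr_payload(
        "nsx-mgmt-cert", "nsx-vip.example.internal",
        ["nsx01.example.internal", "nsx02.example.internal", "nsx03.example.internal"],
        "192.0.2.10", ["192.0.2.11", "192.0.2.12", "192.0.2.13"])
    for problem in san_problems(payload):
        print("WARNING:", problem)
    print(json.dumps(payload, indent=2))
```

Run it and pipe the output into the POST from Step 1; if `san_problems` prints anything, fix the names before creating the CSR, because NSX will happily sign a CSR whose SAN does not cover the VIP and you only find out when every API client starts failing hostname verification.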
Step 2: Fetch the ID of the CSR
The CSR ID is returned in the response to the previous API call, or it can be fetched with the GET call shown below.
```
Method: GET
URL: https://{nsx_mgr}/api/v1/trust-management/csrs
Response: 200 OK
------- snipped output --------------
{
  "results": [
    {
      "is_ca": false,
      "extensions": {
        "subject_alt_names": {
          "dns_names": [ ],
          "ip_addresses": [ ]
        }
      },
      "resource_type": "csr",
      "id": "6b5e3a8e-f3f7-4ada-9a66-0c3c8deb6e16",
      "display_name": "certificate-name"
    }
  ],
  "result_count": 1
}
```
Step 3: Extract the CSR’s PEM Content
Paste the CSR content returned by the call below into a text editor and save the file with a .pem extension.
```
Method: GET
URL: https://{nsx_mgr}/api/v1/trust-management/csrs/<csr-id>/pem-file
------- snipped output -----------
-----BEGIN CERTIFICATE REQUEST-----
MIIFsjCCA5oCAQAwgYYxCzAJBgNVBAYTAkNBMRAwDgYDVQQIEwdPbnRhcmlvMRAw
DgYDVQQHEwdUb3JvbnRvMR0wGwYDVQQLExRQbGF0Zm9ybSBFbmdpbmVlcmluZzEN
Cyh5YdBZMLLI7TUrKSc8wvST8rLhYQ==
-----END CERTIFICATE REQUEST-----
```
Step 4: Request Signed Certificate
Send the PEM file to your registrar/CA and ask for two things back: the signed NSX certificate and the CA's root/intermediate certificate(s).
Step 5: Create Certificate Chain
Create a new PEM file containing the signed certificate first, followed by the intermediate and/or root certificate. The order matters: NSX expects the leaf certificate at the top of the chain.
```
-----BEGIN CERTIFICATE-----
MIIIVjCCBj6gAwIBAgITYgAAANVtTqSxkoMK/gAAAAAA1TANBgkqhkiG9w0BAQsF
ADBhMRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxFDASBgoJkiaJk/IsZAEZFgRjaWJj
MRIwEAYKCZImiZPyLGQBGRYCcWExHjAcBgNVBAMTFXFhLUNCU0NDLVFBLUNFUlQw
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFnTCCA4WgAwIBAgIQc5OjwGaCp5NP4MGKPHINzDANBgkqhkiG9w0BAQsFADBh
MRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxFDASBgoJkiaJk/IsZAEZFgRjaWJjMRIw
EAYKCZImiZPyLGQBGRYCcWExHjAcBgNVBAMTFXFhLUNCU0NDLVFBLUNFUlQwMS1D
-----END CERTIFICATE-----
```
Step 6: Upload Signed Certificate
```
Method: POST
URL: https://{nsx_mgr}/api/v1/trust-management/csrs/{csr-id}?action=upload
Header: Content-Type: multipart/form-data
Body: file: filename
```
If you are using Postman, attach the chain PEM file as the form-data field named file.
The response output of the above API call returns the ID of the signed certificate.
```
{
  "results": [
    {
      "pem_encoded": "-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----",
      "has_private_key": true,
      "used_by": [ ],
      "leaf_certificate_sha_256_thumbprint": "47:01:B6:6B:58:3B:B4:C5:C1:18:A7:E1:C3:24:2D:E2:8F:1C:5A:70",
      "category": "UNUSED_CERTIFICATE",
      "resource_type": "certificate_signed",
      "id": "bbe87152-2288-441e-9a7f-ee1da58a5afa",      <---- certificate id
      "display_name": "certificate-name"
    }
  ]
}
```
Step 7: Validate the Signed Certificate
```
Method: GET
URL: https://{nsx_mgr}/api/v1/trust-management/certificates/{signed-cert-id}?action=validate
Response: if the certificate is valid, the status in the response reads OK
{
  "status" : "OK"
}
```
Step 8: Apply the Signed Certificate
Apply certificate to NSX Cluster VIP
```
Method: POST
URL: https://{nsx_mgr}/api/v1/trust-management/certificates/{signed-cert-id}?action=apply_certificate&service_type=MGMT_CLUSTER
```
Apply certificate to NSX Manager nodes
```
Method: POST
URL: https://{nsx_mgr}/api/v1/trust-management/certificates/{signed-cert-id}?action=apply_certificate&service_type=API&node_id={node-id}
```
Node IDs can be fetched with either of the GET calls below.
```
GET https://{nsx_mgr}/api/v1/cluster/nodes
or
GET https://{nsx_mgr}/api/v1/cluster/status
```
Step 9 (Optional): Delete CSR
```
Method: DELETE
URL: https://{nsx_mgr}/api/v1/trust-management/csrs/{csr-id}
```
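Steps 2 and 5 through 9 driven end to end from Python, as an added example that is not part of the original post. It assembles the chain file in the order Step 5 requires (leaf first, then the CA certificates), uploads it as the multipart file field from Step 6, refuses to apply a certificate that Step 7 did not validate, applies it to the cluster VIP and then to each manager node, and optionally deletes the CSR. The endpoints are the ones listed in the steps above; the `NsxTrust` class, `rotate`, the offline `ReplayTransport`, and the assumed `{"results": [{"id": ...}]}` shape of the `/api/v1/cluster/nodes` response are my own and not from the NSX documentation.

```python
import json
import re
import ssl
import urllib.request
from base64 import b64encode

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def build_chain(leaf_pem, *issuer_pems):
    """Step 5: signed NSX certificate first, then intermediate(s)/root in signing order.
    Rejects a leaf file holding zero or several certificates (a common copy-paste slip)."""
    leaf = PEM_CERT.findall(leaf_pem)
    if len(leaf) != 1:
        raise ValueError(f"expected one certificate in the leaf file, found {len(leaf)}")
    blocks = leaf + [b for pem in issuer_pems for b in PEM_CERT.findall(pem)]
    if len(blocks) < 2:
        raise ValueError("chain needs the leaf plus at least one CA certificate")
    return "\n".join(blocks) + "\n"

def urllib_transport(url, method, headers, body):
    """Real HTTP transport. Verifies the manager against the system CA store; a manager
    still presenting its self-signed certificate needs that cert added to the store."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
        return resp.status, resp.read()

class ReplayTransport:
    """Constructed offline stand-in: answers from a {(METHOD, path): (status, bytes)} table
    and records every call so the sequencing can be checked without a manager."""
    def __init__(self, table):
        self.table, self.calls = table, []
    def __call__(self, url, method, headers, body):
        path = url.split("/api/v1", 1)[1]
        self.calls.append((method, path))
        return self.table.get((method, path), (404, b'{"error": "no such route in replay"}'))

class NsxTrust:
    def __init__(self, manager, user, password, transport=urllib_transport):
        self.base = f"https://{manager}/api/v1"
        self.headers = {"Accept": "application/json",
                        "Authorization": "Basic " + b64encode(f"{user}:{password}".encode()).decode()}
        self.transport = transport

    def _call(self, method, path, body=None, content_type=None):
        headers = dict(self.headers)
        if content_type:
            headers["Content-Type"] = content_type
        status, raw = self.transport(self.base + path, method, headers, body)
        if status >= 300:
            raise RuntimeError(f"{method} {path} -> HTTP {status}: {raw[:200]!r}")
        return json.loads(raw) if raw else {}

    def csr_id(self, display_name):  # Step 2: look the CSR up by display_name
        for csr in self._call("GET", "/trust-management/csrs")["results"]:
            if csr["display_name"] == display_name:
                return csr["id"]
        raise LookupError(f"no CSR named {display_name!r}")

    def upload_chain(self, csr_id, chain_pem):  # Step 6: multipart/form-data, field "file"
        boundary = "nsx-chain-boundary"  # constructed; only has to be absent from the PEM text
        body = (f'--{boundary}\r\nContent-Disposition: form-data; name="file"; filename="chain.pem"\r\n'
                f"Content-Type: application/x-pem-file\r\n\r\n{chain_pem}\r\n--{boundary}--\r\n").encode()
        resp = self._call("POST", f"/trust-management/csrs/{csr_id}?action=upload", body,
                          f"multipart/form-data; boundary={boundary}")
        return resp["results"][0]["id"]  # the signed certificate id from the Step 6 response

    def is_valid(self, cert_id):  # Step 7
        return self._call("GET", f"/trust-management/certificates/{cert_id}?action=validate").get("status") == "OK"

    def node_ids(self):  # assumed shape: {"results": [{"id": "<node-id>"}, ...]}
        return [n["id"] for n in self._call("GET", "/cluster/nodes")["results"]]

    def apply(self, cert_id, node_ids):  # Step 8: cluster VIP first, then every manager node
        base = f"/trust-management/certificates/{cert_id}?action=apply_certificate"
        self._call("POST", f"{base}&service_type=MGMT_CLUSTER")
        for node in node_ids:
            self._call("POST", f"{base}&service_type=API&node_id={node}")

    def delete_csr(self, csr_id):  # Step 9 (optional)
        self._call("DELETE", f"/trust-management/csrs/{csr_id}")

def rotate(nsx, display_name, chain_pem, delete_csr=False):
    """Steps 2, 6, 7, 8 and 9 in order; never applies a chain NSX did not validate."""
    csr_id = nsx.csr_id(display_name)
    cert_id = nsx.upload_chain(csr_id, chain_pem)
    if not nsx.is_valid(cert_id):
        raise RuntimeError(f"certificate {cert_id} failed NSX validation; not applying it")
    nsx.apply(cert_id, nsx.node_ids())
    if delete_csr:
        nsx.delete_csr(csr_id)
    return cert_id
```

Against a real manager, create `NsxTrust("<nsx-mgr-vip-fqdn>", "admin", password)` with the default `urllib_transport` and call `rotate(nsx, "<certificate-name>", build_chain(open("nsx.crt").read(), open("ca.crt").read()))`. Once Step 8 completes the managers present the new certificate, so any client that pinned the old thumbprint must be updated before it next connects.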
And that’s it for this post.
I hope you enjoyed reading this post. Feel free to share this on social media if it is worth sharing.