In my last post on the NSX SSL certificate rotation, I discussed the types of certificates in NSX and why you should use a certificate with a SAN attribute. The ability to generate a CSR with Subject Alternative Names was first introduced in NSX v4.2. Before NSX v4.2, creating certificates with SAN attributes was possible only through API. This post is focused on demonstrating the certificate generation and replacement procedure through API.
Step 1: Create Certificate Signing Request
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 |
Method: POST URL: https://{nsx_mgr}/api/v1/trust-management/csrs Headers: Accept: application/json, content-type: application/json Authentication: Basic Payload: { "display_name": "<certificate-name>", "key_size": 2048, "algorithm": "RSA", "subject": { "attributes": [ { "key": "CN", "value": "<nsx-mgr-vip-fqdn>" }, { "key": "O", "value": "Cloud" }, { "key": "OU", "value": "Network-Engineering" }, { "key": "L", "value": "Toronto" }, { "key": "ST", "value": "Ontario" }, { "key": "C", "value": "CA" } ] }, "is_ca": false, "extensions": { "subject_alt_names": { "dns_names": [ "<nsx-mgr-vip-fqdn>", "<nsx-mgr01-fqdn>", "<nsx-mgr02-fqdn>", "<nsx-mgr03-fqdn>" ], "ip_addresses": [ "<nsx-mgr-vip>", "<nsx-mgr01-ip>", "<nsx-mgr02-ip>", "<nsx-mgr03-ip>" ] } } } |
Step 2: Fetch the ID of the CSR
The CSR ID can be fetched from the response output of the previous API or using the GET call as shown below.