Pivotal Container Service v1.2

Generating and Registering the NSX Manager Certificate for PKS


This topic describes how to generate and register the NSX Manager certificate authority (CA) certificate in preparation for installing Pivotal Container Service (PKS) on vSphere with NSX-T.

Prerequisites

Before you begin this procedure, ensure that you have successfully completed all preceding steps for installing PKS on vSphere with NSX-T, including:

About the NSX Manager CA Certificate

The NSX Manager CA certificate is used to authenticate with the NSX Manager. You create an IP-based, self-signed certificate and register it with the NSX Manager. During PKS installation on vSphere with NSX-T, you provide this certificate in the NSX Manager CA Cert field in the Networking pane in the PKS tile.

See the NSX Manager CA Cert field in the following screenshot:

(Screenshot: NSX Manager CA certificate configuration)

For configuration information, see the Networking section of Installing PKS on vSphere with NSX-T.

By default, the NSX Manager includes a self-signed API certificate with its hostname as the subject and issuer. Ops Manager requires strict certificate validation and expects the subject and issuer of the self-signed certificate to be either the IP address or the fully qualified domain name (FQDN) of the NSX Manager. As a result, you need to regenerate the self-signed certificate with the FQDN of the NSX Manager in the subject and issuer fields, and then register the certificate with the NSX Manager using the NSX API.

The Disable SSL certificate verification option lets you disable validation of the NSX Manager CA certificate. Select this option for testing purposes only.

Note: If you disable SSL certificate verification, leave the CA certificate field blank. If you enter text in this field when SSL certificate verification is disabled, the PKS installation fails. If you populate the CA certificate field and later decide to disable SSL certificate verification, you must remove the certificate.

Step 1: Generate a Self-Signed CA Certificate for the NSX Manager

Complete the following steps to generate a self-signed CA certificate for the NSX Manager:

  1. Create a file for the certificate request parameters named nsx-cert.cnf.

  2. Copy the following parameters and paste them into the file, replacing NSX-MANAGER-IP-ADDRESS with the IP address of your NSX Manager, and NSX-MANAGER-COMMONNAME with the FQDN of the NSX Manager host:

    [ req ]
    default_bits = 2048
    distinguished_name = req_distinguished_name
    req_extensions = req_ext
    prompt = no
    [ req_distinguished_name ]
    countryName = US
    stateOrProvinceName = California
    localityName = CA
    organizationName = NSX
    commonName = NSX-MANAGER-COMMONNAME
    [ req_ext ]
    subjectAltName = @alt_names
    [alt_names]
    DNS.1 = NSX-MANAGER-COMMONNAME
    IP.1 = NSX-MANAGER-IP-ADDRESS
    

    For example:

    [ req ]
    default_bits = 2048
    distinguished_name = req_distinguished_name
    req_extensions = req_ext
    prompt = no
    [ req_distinguished_name ]
    countryName = US
    stateOrProvinceName = California
    localityName = Palo-Alto
    organizationName = NSX
    commonName = nsxmgr-01a.example.com
    [ req_ext ]
    subjectAltName=DNS:nsxmgr-01a.example.com,IP:192.0.2.40
    
  3. Export the NSX_MANAGER_IP_ADDRESS and NSX_MANAGER_COMMONNAME environment variables using the IP address of your NSX Manager and the FQDN of the NSX Manager host.

    For example:

    $ export NSX_MANAGER_IP_ADDRESS=192.0.2.40
    $ export NSX_MANAGER_COMMONNAME=nsxmgr-01a.example.com
    

  4. Generate the certificate using openssl. The following command uses bash process substitution (<( ... )), so run it in bash:

    $ openssl req -newkey rsa:2048 -x509 -nodes \
      -keyout nsx.key -new -out nsx.crt -subj /CN=$NSX_MANAGER_COMMONNAME \
      -reqexts SAN -extensions SAN -config <(cat ./nsx-cert.cnf \
      <(printf "[SAN]\nsubjectAltName=DNS:$NSX_MANAGER_COMMONNAME,IP:$NSX_MANAGER_IP_ADDRESS")) -sha256 -days 365
    

  5. Verify that the certificate looks correct and that the NSX Manager IP address and FQDN appear in the Subject Alternative Name (SAN) by running the following command:

    $ openssl x509 -in nsx.crt -text -noout
    
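The following script is an added example, not part of the PKS documentation: it performs Step 1 end to end and then checks the properties that Ops Manager's strict validation depends on (issuer equals subject, CN is the FQDN, SAN carries both the FQDN and the IP address). It assumes the page's example values 192.0.2.40 and nsxmgr-01a.example.com as defaults and uses x509_extensions in the config to attach the SAN to the self-signed certificate, which the page's one-liner achieves with -extensions SAN instead.

```shell
#!/bin/sh
# Added example, not part of the PKS documentation: generate the NSX Manager
# certificate as in Step 1, then verify what Ops Manager's strict validation
# relies on. Default values are the page's example FQDN and IP (assumed).
NSX_MANAGER_IP_ADDRESS=${NSX_MANAGER_IP_ADDRESS:-192.0.2.40}
NSX_MANAGER_COMMONNAME=${NSX_MANAGER_COMMONNAME:-nsxmgr-01a.example.com}

# generate_nsx_cert OUTDIR: writes OUTDIR/nsx.key and OUTDIR/nsx.crt.
# x509_extensions makes openssl attach the SAN to the self-signed cert;
# the page's one-liner does the same with -extensions SAN instead.
generate_nsx_cert() {
  out=$1
  mkdir -p "$out"
  cat > "$out/nsx-cert.cnf" <<EOF
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
x509_extensions = req_ext
prompt = no
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = California
localityName = Palo-Alto
organizationName = NSX
commonName = $NSX_MANAGER_COMMONNAME
[ req_ext ]
subjectAltName = DNS:$NSX_MANAGER_COMMONNAME,IP:$NSX_MANAGER_IP_ADDRESS
EOF
  openssl req -newkey rsa:2048 -x509 -nodes -sha256 -days 365 \
    -keyout "$out/nsx.key" -out "$out/nsx.crt" \
    -config "$out/nsx-cert.cnf" >/dev/null 2>&1
}

# verify_nsx_cert CRT: returns 0 only if every check passes.
verify_nsx_cert() {
  crt=$1
  subj=$(openssl x509 -in "$crt" -noout -subject)
  issuer=$(openssl x509 -in "$crt" -noout -issuer)
  text=$(openssl x509 -in "$crt" -noout -text)
  # Self-signed: the issuer DN must equal the subject DN (labels stripped).
  [ "${subj#subject}" = "${issuer#issuer}" ] || { echo "issuer differs from subject"; return 1; }
  # The CN must be the NSX Manager FQDN, not the appliance hostname.
  echo "$subj" | grep -q "CN *= *$NSX_MANAGER_COMMONNAME" || { echo "CN is not the FQDN"; return 1; }
  # The SAN must carry both the FQDN and the IP address.
  echo "$text" | grep -q "DNS:$NSX_MANAGER_COMMONNAME" || { echo "SAN lacks DNS name"; return 1; }
  echo "$text" | grep -q "IP Address:$NSX_MANAGER_IP_ADDRESS" || { echo "SAN lacks IP address"; return 1; }
  return 0
}
```

Source the file, then call generate_nsx_cert OUTDIR followed by verify_nsx_cert OUTDIR/nsx.crt; a zero exit status means nsx.crt is ready for the NSX Manager CA Cert field.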

Step 2: Import the Certificate to NSX Manager

In this section you import the self-signed CA certificate generated in the previous step into the NSX Manager.

Complete the following steps to import the certificate to the NSX Manager:

  1. Log in to the NSX Manager UI.

  2. Navigate to System > Trust > Certificates.

  3. Click Import > Import Certificate.

    (Screenshot: Import the NSX Manager CA certificate to the NSX Manager)

    Note: Make sure you select Import Certificate and not Import CA Certificate.

  4. Give the certificate a unique name, such as NSX-API-CERT-NEW.

    Note: Use a unique name for the new certificate you import. The default NSX Manager CA certificate is typically named NSX-API-CERT.

  5. Browse to and select the CA certificate and private key you generated in Step 1.

  6. Click Save.

    (Screenshot: Import the NSX Manager CA certificate to the NSX Manager)

Step 3: Register the Certificate with NSX Manager

The last step is to replace the default CA certificate with the new CA certificate you generated. You must use the NSX API for this.

Complete the following steps to register the certificate with the NSX Manager:

  1. Get the ID of the certificate. Run the following command, replacing ADMIN-PASSWORD with the administrator password, and CERTIFICATE-NAME with the certificate name:

    curl --insecure -u admin:'ADMIN-PASSWORD' -X \
    GET "https://$NSX_MANAGER_IP_ADDRESS/api/v1/trust-management/certificates" \
    | jq -r '.results[] | select(.display_name == "CERTIFICATE-NAME") | .id'
    
  2. Register the certificate with NSX Manager, replacing CERTIFICATE-ID with the certificate ID, and ADMIN-PASSWORD with the administrator password:

    export CERTIFICATE_ID="CERTIFICATE-ID"
    curl --insecure -u admin:'ADMIN-PASSWORD' -X \
    POST "https://$NSX_MANAGER_IP_ADDRESS/api/v1/node/services/http?action=apply_certificate&certificate_id=$CERTIFICATE_ID"
    

Next Step

Configure BOSH Director with NSX-T for PKS.

