Generating and Registering the NSX Manager Certificate for PKS
This topic describes how to generate and register the NSX Manager certificate authority (CA) certificate in preparation for installing Pivotal Container Service (PKS) on vSphere with NSX-T.
Before you begin this procedure, ensure that you have successfully completed all preceding steps for installing PKS on vSphere with NSX-T, including:
- Deploy NSX-T for PKS
- Create PKS Management Plane
- Create PKS Compute Plane
- Deploy Ops Manager with NSX-T for PKS
The NSX Manager CA certificate is used to authenticate with the NSX Manager. You create an IP-based, self-signed certificate and register it with the NSX Manager. During PKS installation on vSphere with NSX-T, you provide this certificate in the NSX Manager CA Cert field in the Networking pane in the PKS tile.
See the NSX Manager CA Cert field in the following screenshot:
For configuration information, see the Networking section of Installing PKS on vSphere with NSX-T.
By default, the NSX Manager includes a self-signed API certificate with its hostname as the subject and issuer. Ops Manager requires strict certificate validation and expects the subject and issuer of the self-signed certificate to be either the IP address or fully qualified domain name (FQDN) of the NSX Manager. As a result, you need to regenerate the self-signed certificate using the FQDN of the NSX Manager in the subject and issuer field and then register the certificate with the NSX Manager using the NSX API.
The Disable SSL certificate verification option lets you disable validation of the NSX Manager CA certificate. Select this option for testing purposes only.
Note: If you disable SSL certificate verification, leave the CA certificate field blank. If you enter text in this field when SSL certificate verification is disabled, the PKS installation fails. If you populate the CA certificate field and later decide to disable SSL certificate verification, you must remove the certificate.
Complete the following steps to generate a self-signed CA certificate for the NSX Manager:
Create a file for the certificate request parameters named nsx-cert.cnf (the file the openssl command below reads).
Copy the following parameters and paste them into the file, replacing NSX-MANAGER-IP-ADDRESS with the IP address of your NSX Manager, and NSX-MANAGER-COMMONNAME with the FQDN of the NSX Manager host:
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = California
localityName = CA
organizationName = NSX
commonName = NSX-MANAGER-COMMONNAME
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = NSX-MANAGER-COMMONNAME
IP.1 = NSX-MANAGER-IP-ADDRESS
For example, with the sample values used in this topic:
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = California
localityName = Palo-Alto
organizationName = NSX
commonName = nsxmgr-01a.example.com
[ req_ext ]
subjectAltName=DNS:nsxmgr-01a.example.com,IP:192.0.2.40
Export the NSX_MANAGER_IP_ADDRESS and NSX_MANAGER_COMMONNAME environment variables, using the IP address of your NSX Manager and the FQDN of the NSX Manager host:
$ export NSX_MANAGER_IP_ADDRESS=192.0.2.40
$ export NSX_MANAGER_COMMONNAME=nsxmgr-01a.example.com
Generate the certificate using openssl. Run the following command:
$ openssl req -newkey rsa:2048 -x509 -nodes \
  -keyout nsx.key -new -out nsx.crt -subj /CN=$NSX_MANAGER_COMMONNAME \
  -reqexts SAN -extensions SAN -config <(cat ./nsx-cert.cnf \
  <(printf "[SAN]\nsubjectAltName=DNS:$NSX_MANAGER_COMMONNAME,IP:$NSX_MANAGER_IP_ADDRESS")) \
  -sha256 -days 365
Verify that the certificate looks correct and that the NSX Manager IP address is present in the Subject Alternative Name (SAN) by running the following command:
$ openssl x509 -in nsx.crt -text -noout
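As an added example (not part of the PKS documentation), the following POSIX shell script generates a certificate with the same config-file layout and openssl options as the procedure above, then checks the subject and the SAN the way the openssl x509 -text step asks you to, failing if either the FQDN or the IP address is missing. The sample values 192.0.2.40 and nsxmgr-01a.example.com are the ones used in this topic; the function names make_nsx_cert and verify_nsx_cert are this example's own. It takes the SAN from the [req_ext]/[alt_names] sections of the config file instead of the process-substitution trick so that it runs under plain sh.

```shell
#!/bin/sh
# Added example, not from the PKS docs: generate an NSX Manager certificate that
# carries the FQDN and IP in the SAN, then verify it. The two values below are the
# constructed samples used in this topic; override them from the environment.
NSX_MANAGER_IP_ADDRESS="${NSX_MANAGER_IP_ADDRESS:-192.0.2.40}"
NSX_MANAGER_COMMONNAME="${NSX_MANAGER_COMMONNAME:-nsxmgr-01a.example.com}"

# make_nsx_cert DIR: writes DIR/nsx-cert.cnf, DIR/nsx.key and DIR/nsx.crt.
make_nsx_cert() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/nsx-cert.cnf" <<EOF
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = California
localityName = Palo-Alto
organizationName = NSX
commonName = $NSX_MANAGER_COMMONNAME
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = $NSX_MANAGER_COMMONNAME
IP.1 = $NSX_MANAGER_IP_ADDRESS
EOF
    # Same options as the procedure; the [req_ext] section supplies the SAN for
    # the self-signed certificate (-extensions) so no process substitution is needed.
    openssl req -newkey rsa:2048 -x509 -nodes -new -sha256 -days 365 \
        -keyout "$dir/nsx.key" -out "$dir/nsx.crt" \
        -subj "/CN=$NSX_MANAGER_COMMONNAME" \
        -reqexts req_ext -extensions req_ext -config "$dir/nsx-cert.cnf" >/dev/null 2>&1
}

# verify_nsx_cert CERT FQDN IP: prints "ok" and returns 0 only when the subject CN
# is FQDN and the SAN lists both DNS:FQDN and IP Address:IP; otherwise prints the
# first problem found and returns 1 (this is the check Ops Manager's strict
# validation effectively performs against the NSX Manager address you configure).
verify_nsx_cert() {
    cert="$1"; fqdn="$2"; ip="$3"
    text=$(openssl x509 -in "$cert" -text -noout) || return 1
    # "Subject: CN = host" (OpenSSL 1.1+) or "Subject: CN=host" (older releases).
    printf '%s\n' "$text" | grep -q "Subject:.*CN *= *$fqdn" \
        || { echo "subject CN is not $fqdn"; return 1; }
    # The SAN values sit on the line after the "X509v3 Subject Alternative Name:" header.
    san=$(printf '%s\n' "$text" | sed -n '/Subject Alternative Name/{n;p;}')
    printf '%s\n' "$san" | grep -qF "DNS:$fqdn" \
        || { echo "SAN lacks DNS:$fqdn"; return 1; }
    printf '%s\n' "$san" | grep -qF "IP Address:$ip" \
        || { echo "SAN lacks IP Address:$ip"; return 1; }
    echo ok
}

# Usage (run by hand):
#   make_nsx_cert ./nsx-cert-example
#   verify_nsx_cert ./nsx-cert-example/nsx.crt "$NSX_MANAGER_COMMONNAME" "$NSX_MANAGER_IP_ADDRESS"
```

Run verify_nsx_cert against the nsx.crt you produced with the procedure's own command as well; a certificate whose SAN holds only the FQDN is rejected with "SAN lacks IP Address:...", which is the condition that makes the PKS tile's strict validation fail later.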
In this section you import the self-signed CA certificate you generated in the previous step to the NSX Manager.
Complete the following steps to import the certificate to the NSX Manager:
Log in to the NSX Manager UI.
Navigate to System > Trust > Certificates.
Click Import > Import Certificate.
Note: Make sure you select Import Certificate and not Import CA Certificate.
Give the certificate a unique name, such as
Note: Use a unique name for the new certificate you import. The default NSX Manager CA certificate is typically named
Browse to and select the CA certificate and private key you generated in the previous section.
The last step is to replace the default CA certificate with the new CA certificate you generated. This step must be done through the NSX API.
Complete the following steps to register the certificate with the NSX Manager:
Get the ID of the certificate. Run the following command, replacing ADMIN-PASSWORD with the administrator password, and CERTIFICATE-NAME with the certificate name:
curl --insecure -u admin:'ADMIN-PASSWORD' -X GET \
  "https://$NSX_MANAGER_IP_ADDRESS/api/v1/trust-management/certificates" \
  | jq -r '.results[] | select(.display_name == "CERTIFICATE-NAME") | .id'
Register the certificate with NSX Manager, replacing CERTIFICATE-ID with the certificate ID, and ADMIN-PASSWORD with the administrator password:
export CERTIFICATE_ID="CERTIFICATE-ID"
curl --insecure -u admin:'ADMIN-PASSWORD' -X POST \
  "https://$NSX_MANAGER_IP_ADDRESS/api/v1/node/services/http?action=apply_certificate&certificate_id=$CERTIFICATE_ID"
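As an added example (not part of the PKS documentation), this shell function wraps the jq selection from the step above and refuses to return an ID unless exactly one certificate carries the requested display name, which is the reason the import step asks for a unique name: with two certificates of the same name the raw jq pipeline prints two IDs and the POST would apply whichever one happens to land in the variable. The JSON response and the IDs in it are constructed samples, not real NSX Manager output; certificate_id_for is this example's own name, and jq is assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the PKS docs. SAMPLE_RESPONSE is a constructed stand-in for
# the body returned by GET /api/v1/trust-management/certificates; only the two fields
# the procedure relies on (id, display_name) are included.
SAMPLE_RESPONSE='{"results":[
  {"id":"c0ffee00-0000-4000-8000-000000000001","display_name":"NSX-DEFAULT-CERT-SAMPLE"},
  {"id":"c0ffee00-0000-4000-8000-000000000002","display_name":"NSX-API-CERT-EXAMPLE"}
]}'

# certificate_id_for NAME [JSON]: prints the ID of the certificate whose display_name
# is NAME. Fails when zero or several certificates match, so a duplicate name cannot
# silently feed the wrong ID into the apply_certificate call.
certificate_id_for() {
    name="$1"; json="${2:-$SAMPLE_RESPONSE}"
    # .results[] iterates the array; .results alone (without []) is an object-indexing
    # error in jq, which is the usual mistake with this endpoint.
    ids=$(printf '%s' "$json" \
        | jq -r --arg n "$name" '.results[] | select(.display_name == $n) | .id') || return 1
    count=$(printf '%s\n' "$ids" | grep -c .) || true
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one certificate named '$name', found $count" >&2
        return 1
    fi
    printf '%s\n' "$ids"
}

# Usage against a live NSX Manager (not run here):
#   CERTIFICATE_ID=$(certificate_id_for NSX-API-CERT-EXAMPLE "$(curl --insecure -u admin:'ADMIN-PASSWORD' \
#       -X GET "https://$NSX_MANAGER_IP_ADDRESS/api/v1/trust-management/certificates")") || exit 1
```

Because the function exits non-zero on ambiguity, chaining it with `|| exit 1` before the POST stops the registration step instead of applying an unintended certificate.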