Generate and Register the NSX-T Management TLS Certificate and Private Key

This topic provides instructions for installing and configuring NSX-T Data Center v3 for use with VMware Tanzu Kubernetes Grid Integrated Edition on vSphere.

Prerequisites

Before completing this section, make sure you have completed the following sections:

Generate and Register the NSX-T Management TLS Certificate and Private Key

An SSL certificate is automatically created for each NSX-T Manager node. You can verify this by SSHing to one of the NSX Manager nodes and running the following command.

nsx-manager-1> get certificate cluster

You will see that the Subject Alternative Name (SAN) listed in the certificate is the hostname of the appliance, for example SAN=nsx-manager-1. This means the cluster certificate is tied to one particular NSX Manager node, in this case NSX-T Manager 1, rather than to the cluster VIP.

If you go to System > Certificates, you will see there is no certificate for the NSX-T Manager VIP. You therefore need to generate a new SSL certificate that uses the NSX-T Management VIP address, so that the cluster certificate contains SAN=VIP-ADDRESS.

Complete the following steps to generate and register an SSL certificate and private key that uses the VIP address. The steps assume that you are working on a Linux host with OpenSSL installed.

Generate the SSL Certificate and Private Key

  1. Create an OpenSSL request configuration file named nsx-cert.cnf and populate it with the contents below.

    [ req ]
    default_bits = 2048
    default_md = sha256
    prompt = no
    distinguished_name = req_distinguished_name
    x509_extensions = v3_ext  # applied to the self-signed certificate produced with -x509
    req_extensions = v3_req   # applied only if you generate a CSR instead
    
    [ req_distinguished_name ]
    countryName = US
    stateOrProvinceName = California
    localityName = CA
    organizationName = NSX
    commonName = VIP-ADDRESS  # optional; only valid because the SAN below is also present
    
    [ v3_ext ]
    basicConstraints = CA:false
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid:always,issuer:always
    subjectAltName = @alt_names  # required
    
    [ v3_req ]
    basicConstraints = CA:false
    subjectAltName = @alt_names  # required
    
    [ alt_names ]
    DNS.1 = NSX-VIP-FQDN
    IP.1 = VIP-ADDRESS
    

    Where:

    • NSX-VIP-FQDN is your NSX VIP FQDN.
    • VIP-ADDRESS is the VIP address for the NSX-T Management cluster.

    Note: At a minimum you must use the SAN field for identifying the NSX Management VIP. You can also use the CN field, as long as the SAN field is populated. If you use only the CN field, the certificate will not be valid for TKGI.

  2. Copy the nsx-cert.cnf file to a machine with OpenSSL if yours does not have it.

  3. Use OpenSSL to generate the SSL certificate and private key.

    openssl req -newkey rsa -nodes -days 1100 -x509 -config nsx-cert.cnf -keyout nsx.key -out nsx.crt
    
  4. Verify that you see output like the following:

    Generating a 2048 bit RSA private key
    ...............+++
    ................+++
    writing new private key to 'nsx.key'
    
  5. Verify that the certificate and key were generated by running the ls command.

    You should see three files: the configuration file, and the certificate and private key generated from it.

    nsx-cert.cnf  nsx.crt  nsx.key
    
  6. Run the following command to verify the certificate and private key.

    openssl x509 -in nsx.crt -text -noout
    

    You should see that the Subject Alternative Name (SAN) identifies the VIP by FQDN and IP address, and that the common name (CN), if used, matches as well. For example:

    Subject: C=US, ST=California, L=CA, O=NSX, CN=myvip.mydomain.com
    ...
    X509v3 extensions:
        X509v3 Subject Alternative Name:
            DNS:myvip.mydomain.com, IP Address:10.11.12.13
    
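The generation and verification steps above, collected into one script, as an added example that is not part of the VMware page: it writes the request configuration with the subjectAltName in the section that openssl req -x509 actually applies (req_extensions is only used when a CSR is produced), generates the key and self-signed certificate, and then checks that the SAN names the VIP by both FQDN and IP address. It also generates the CN-only variant that the note in step 1 warns against and shows the same check rejecting it. The FQDN nsx-vip.example.internal, the address 192.0.2.10, the environment variable names and the function names are placeholders and assumptions of this example, not values from the page; the CN is set to the FQDN, as in the sample output above.

```shell
#!/bin/sh
# Added example, not from the VMware page. Generates the NSX-T VIP certificate
# from a config whose subjectAltName sits in the section that "openssl req -x509"
# actually applies, then checks the result the way TKGI will judge it: the SAN
# must name the VIP. NSX_VIP_FQDN and NSX_VIP_IP are placeholders you override.
set -eu

NSX_VIP_FQDN="${NSX_VIP_FQDN:-nsx-vip.example.internal}"  # placeholder FQDN
NSX_VIP_IP="${NSX_VIP_IP:-192.0.2.10}"                     # placeholder (TEST-NET-1)

# write_nsx_cnf PATH yes|no
# Writes an OpenSSL request config. With "yes" the subjectAltName goes into the
# section named by x509_extensions, which is the one used for a self-signed
# certificate (req_extensions only applies when a CSR is produced). "no" writes
# the CN-only variant the page warns against, so we can show it being rejected.
# authorityKeyIdentifier is left out because the same section also serves CSRs,
# where it cannot be computed.
write_nsx_cnf() {
  cnf="$1"; with_san="$2"
  {
    printf '[ req ]\ndefault_bits = 2048\ndefault_md = sha256\nprompt = no\n'
    printf 'distinguished_name = req_distinguished_name\n'
    printf 'x509_extensions = v3_req\nreq_extensions = v3_req\n\n'
    printf '[ req_distinguished_name ]\nC = US\nST = California\nL = CA\nO = NSX\n'
    printf 'CN = %s\n\n' "$NSX_VIP_FQDN"
    printf '[ v3_req ]\nbasicConstraints = CA:false\nsubjectKeyIdentifier = hash\n'
    if [ "$with_san" = yes ]; then
      printf 'subjectAltName = DNS:%s,IP:%s\n' "$NSX_VIP_FQDN" "$NSX_VIP_IP"
    fi
  } >"$cnf"
}

# gen_self_signed CNF KEY CRT: 2048-bit RSA key (unencrypted, as NSX-T expects
# on import) and a self-signed certificate valid for 1100 days, as on the page.
gen_self_signed() {
  openssl req -x509 -newkey rsa -nodes -days 1100 -config "$1" -keyout "$2" -out "$3" 2>/dev/null
}

# cert_san CRT: prints the SAN entries, or nothing if the extension is absent.
cert_san() {
  openssl x509 -in "$1" -noout -text \
    | awk '/X509v3 Subject Alternative Name/ { getline; sub(/^ +/, ""); print; exit }'
}

# vip_cert_ok CRT FQDN IP: succeeds only if the SAN names both the FQDN and the
# IP address. The CN is deliberately ignored, as a SAN-aware client ignores it.
vip_cert_ok() {
  san="$(cert_san "$1")"
  case "$san" in *"DNS:$2"*) ;; *) return 1 ;; esac
  case "$san" in *"IP Address:$3"*) return 0 ;; *) return 1 ;; esac
}

main() {
  work="$(mktemp -d)"
  write_nsx_cnf "$work/nsx-cert.cnf" yes
  gen_self_signed "$work/nsx-cert.cnf" "$work/nsx.key" "$work/nsx.crt"
  if vip_cert_ok "$work/nsx.crt" "$NSX_VIP_FQDN" "$NSX_VIP_IP"; then
    echo "nsx.crt OK: $(cert_san "$work/nsx.crt")"
  else
    echo "nsx.crt REJECTED: SAN does not name the VIP" >&2; rm -rf "$work"; exit 1
  fi
  # The failure mode from the page's note: CN only, no SAN.
  write_nsx_cnf "$work/cn-only.cnf" no
  gen_self_signed "$work/cn-only.cnf" "$work/cn-only.key" "$work/cn-only.crt"
  if vip_cert_ok "$work/cn-only.crt" "$NSX_VIP_FQDN" "$NSX_VIP_IP"; then
    echo "unexpected: CN-only certificate passed" >&2; rm -rf "$work"; exit 1
  fi
  echo "cn-only.crt rejected as expected (no subjectAltName)"
  echo "nsx.crt and nsx.key left in $work"
}

if command -v openssl >/dev/null 2>&1; then
  main
else
  echo "openssl not found; install it before running this check" >&2
fi
```

Run it with your real values, for example NSX_VIP_FQDN=nsx.example.org NSX_VIP_IP=10.11.12.13 sh nsx-vip-cert.sh; the files it leaves behind are the nsx.crt and nsx.key you import in the next section. The check reads the SAN from the openssl x509 -text output rather than from the config, so it also catches a configuration that silently dropped the extension.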

Import the SSL Certificate and Private Key to the NSX-T Management Console

Import the certificate and private key into NSX-T by completing the following steps. The steps require populating the NSX-T Management Console fields with the certificate and private key. You can copy and paste the contents, or, if you save the nsx.crt and nsx.key files to your local machine, you can import them.

  1. In the NSX-T Management Console, navigate to the System > Certificates page.
  2. Click Import > Import Certificate. The Import Certificate screen is displayed.

    Note: Be sure to select Import Certificate and not Import CA Certificate.

  3. Enter a Name, such as CERT-NSX-T-VIP.
  4. Copy and paste the Certificate Contents from the nsx.crt file, or import the nsx.crt file by clicking Browse and selecting it.
  5. Copy and paste the Private Key from the nsx.key file, or import the nsx.key file by clicking Browse and selecting it.
  6. For the Service Certificate option, make sure to select No.
  7. Click Import.
  8. Verify that you see the certificate in the list of Certificates.

Register the SSL Certificate and Private Key with the NSX-T API Server

To register the imported VIP certificate with the NSX-T Management Cluster Certificate API, complete the following steps:

  1. In the NSX-T Management Console, navigate to the System > Certificates page.
  2. View the UUID of the certificate on the NSX-T Management Console > Certificates screen.
  3. Copy the UUID to the clipboard, for example 170a6d52-5c61-4fef-a9e0-09c6229fe833.
  4. Create the following environment variables. Replace the IP address with your VIP address and the UUID with the UUID of the imported certificate.

    export NSX_MANAGER_IP_ADDRESS=10.173.62.47
    export CERTIFICATE_ID=170a6d52-5c61-4fef-a9e0-09c6229fe833
    
  5. Post the certificate to the NSX-T Manager API.

    curl --insecure -u admin:'VMware1!VMware1!' -X POST "https://$NSX_MANAGER_IP_ADDRESS/api/v1/cluster/api-certificate?action=set_cluster_certificate&certificate_id=$CERTIFICATE_ID"
    {
      "certificate_id": "170a6d52-5c61-4fef-a9e0-09c6229fe833"
    }
    
  6. Verify by SSHing to one of the NSX-T Management nodes and running the following command.

    The certificate that is returned should match the generated one.

    nsx-manager-1> get certificate cluster
    
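The registration and verification steps above as one script, added here as an example that is not part of the VMware page: it performs the same POST to the cluster API-certificate endpoint, but reads the admin password from the environment and hands it to curl as a config file on stdin so it does not appear in the process list, checks that the certificate id is a UUID before it is placed in the URL, and then verifies from the client side what step 6 verifies on the node: that the VIP now presents exactly the certificate in nsx.crt, compared by SHA-256 fingerprint. The --insecure flag stays on the POST itself because, until that call succeeds, the VIP still presents a per-node certificate. The environment variable names NSX_VIP_IP, NSX_VIP_FQDN, CERTIFICATE_ID and NSX_ADMIN_PASSWORD, port 443, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the VMware page. Registers the imported VIP certificate
# with the cluster API-certificate endpoint, then confirms from the client side
# that the VIP now presents exactly the certificate in nsx.crt, instead of
# leaving the --insecure bootstrap call as the only evidence. All values come
# from the environment (placeholders, set them yourself):
#   NSX_VIP_IP, NSX_VIP_FQDN, CERTIFICATE_ID, NSX_ADMIN_PASSWORD
set -eu

# is_uuid STRING: 0 if STRING is a lower-case RFC 4122 style UUID, as the
# Certificates screen shows it; catches a mangled paste before it reaches the URL.
is_uuid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# fingerprint PEM: SHA-256 fingerprint of a PEM certificate as 64 lower-case hex digits.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}

# certs_match A B: 0 if the two PEM files hold the same certificate.
certs_match() {
  [ "$(fingerprint "$1")" = "$(fingerprint "$2")" ]
}

# fetch_served_cert HOST PORT SNI OUT: saves the leaf certificate the TLS server
# presents for that SNI name.
fetch_served_cert() {
  openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM >"$4"
}

# set_cluster_cert VIP CERT_ID: the POST from the page. The password travels to
# curl as a config file on stdin (--config -), so it is not visible in ps; a
# password containing a double quote or backslash must be escaped with a backslash.
# --insecure is unavoidable here: until this call succeeds the VIP still presents
# a per-node certificate. main() below replaces that one-off trust with a check.
set_cluster_cert() {
  is_uuid "$2" || { echo "certificate id '$2' is not a UUID" >&2; return 1; }
  printf 'user = "admin:%s"\n' "$NSX_ADMIN_PASSWORD" \
    | curl --silent --show-error --fail --insecure --config - -X POST \
        "https://$1/api/v1/cluster/api-certificate?action=set_cluster_certificate&certificate_id=$2"
  echo
}

main() {
  vip="${NSX_VIP_IP:?}"; fqdn="${NSX_VIP_FQDN:?}"; cert_id="${CERTIFICATE_ID:?}"
  : "${NSX_ADMIN_PASSWORD:?}"
  set_cluster_cert "$vip" "$cert_id"
  served="$(mktemp)"
  fetch_served_cert "$vip" 443 "$fqdn" "$served"
  if certs_match nsx.crt "$served"; then
    echo "VIP presents the registered certificate: $(fingerprint nsx.crt)"
  else
    echo "MISMATCH: VIP presents $(fingerprint "$served"), expected $(fingerprint nsx.crt)" >&2
    rm -f "$served"; exit 1
  fi
  rm -f "$served"
}

# The POST changes cluster state, so it only runs when asked for explicitly:
#   sh register-vip-cert.sh run
case "${1:-}" in run) main ;; esac
```

Run it from the directory that holds nsx.crt, for example NSX_VIP_IP=10.173.62.47 NSX_VIP_FQDN=nsx.example.org CERTIFICATE_ID=<uuid from the Certificates screen> NSX_ADMIN_PASSWORD=... sh register-vip-cert.sh run. A fingerprint mismatch means the cluster is still presenting a node certificate (the change can take a moment to propagate) or that a different certificate id was registered; in either case re-check the UUID in the Certificates screen before repeating the POST.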

Please send any feedback you have to pks-feedback@pivotal.io.