Replacing NSX-T Certificate with Custom Certificate

                               Replacing NSX-T Certificate with Custom Certificate.

 

As part of best practice, it is always recommended to replace VMware self-signed Platform certificates with your organization's CA signed certificate.

To do the same we need to create a Certificate Signing Request for the NSX Manager.

NSX-T Data Center deployment install VMware self-signed certificated by default. The same can be checked by navigating to System > Certificates to view the platform certificates created by the system.

By default, these are self-signed X.509 RSA 2048/SHA256 certificates for internal communication within NSX-T Data Center and for external authentication when NSX Manager is accessed using APIs or the UI.

 

To replace the VMware self-signed certificate with the custom cert there are four main steps:

 

1). Generate CSR.

2). Request the certificate from Certificate Authority.

3). Import Certificate

4). Validate and Replace the certificate on each cluster and each nsx node.

 

Generating CSR

Generating CSR can be performed by GUI and CLI(Openssl). But if you generate it via GUI from NSX manager you will get CSR with only that NSX Manager CN Name and you cannot add SAN (Subject Alternative Name). It is recommended that you use a single common CA-signed certificate with a SAN (Subject Alternative Names) list that matches all the nodes and VIP for the cluster and that can be only done via CLI.

 

First let’s see the steps which are available in GUI, with no option to add SAN as follows:

1). Login to NSX-T and go to System.

 


 

2). Navigate to system tab, click on tab CSR and then click on Generate CSR.



3). A new pop window will open and fill all the fields in the window as per your organization approved details.





 

4). Once the details are saved, than you can download the CSR file and upload to your organization approved CA request tool to get the certificate with key.



 

Now let’s see the steps to generate the CSR using openssl via CLI.

To use openssl, use any server which has the open ssl utility or you can also use the same by login to vcenter via ssh and generating the CSR from there.

1). The key thing to remember is for CLI we need to create a configuration file e,g nsx-certs.cnf and that configuration file content will be like this:

 

[ req ]

default_bits = 2048

distinguished_name = req_distinguished_name

req_extensions = req_ext

prompt = no

x509_extensions = SAN

 

[ req_distinguished_name ]

countryName = AU

stateOrProvinceName = New South Wales

localityName = Sydney

organizationName = GREG TEST CORP

organizationalUnitName = Testing Services

commonName = vmnsx01.test.gregtestcorp.com

 

[ SAN ]

basicConstraints = CA:false

subjectKeyIdentifier = hash

authorityKeyIdentifier=keyid:always,issuer:always

 

[ req_ext ]

subjectAltName = @alt_names

 

[alt_names]

DNS.1 = vmnsx01.test.gregtestcorp.com

DNS.2 = vmnsx01a.test.gregtestcorp.com

DNS.3 = vmnsx01b.test.gregtestcorp.com

DNS.4 = vmnsx01c.test.gregtestcorp.com

IP.1 = 10.xx.xx.01

IP.2 = 10.xx.xx.02

IP.3 = 10.xx.xx.03

IP.4 = 10.xx.xx.04

 

 

2). Login to any server with openssl or you can ssh to the vcenter server.

Using Winscp upload the file to the vcenter temp directory(e.g /cert) and run the below command from the vcenter server.

 

/usr/bin/openssl req -out nsxt.csr -newkey rsa:2048 -nodes -keyout nsxt.key -config nsx-certs.cnf -sha256

 



 

3). To read the key file and csr file under /usr/bin directly, you can use below command

 

cat nsxt.csr

cat nsxt.key

 

you can also you winscp and can extract the csr and key file to read it via notepad on your workstation.

 



 

Requesting Certificate and Key from Certificate Authority

 

Since we have the CSR and Key, please raise a request to your company CA Request tool by uploading the CSR.

 

If the CA server is not yet deployed in your organization, than a one can be created by following Microsoft and VMware resources from below link:

 

https://learn.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/install-the-certification-authority

https://docs.vmware.com/en/VMware-Validated-Design/6.2/sddc-deployment-of-the-management-domain-in-the-first-region/GUID-8C4CA6F7-CEE8-45C9-83B4-09DD3EC5FFB0.html

 

 

Importing Certificate

 

1). Login to NSX Manager and go to Systems Tab and under that click Certificates and select Import certificate. It will prompt a new window to Import certificate.

 



 



 

2). In the Import Certificate window give the Name as per your Organization standards.

 

Please note that Service Certificate option is enabled by default but please disable the toggle switch to NO.

 

Certificate Content and Private key we had already generated/requested in previous steps.

The key thing to remember here is that the certificate contents is not just the certificate content of your certificate, it is actually the certificate chain like below.

 

-----BEGIN CERTIFICATE-----

SERVER CERTIFICATE

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

INTERMEDIATE CERTIFICATE (INCASE IF YOU HAVE ONE)

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

ROOT CERTIFICATE

-----END CERTIFICATE-----


Replace the Certificate on each NSX node.

Once the certificate is imported we need to activate the same for each NSX Manager node including VIP.

 

1). Firstly, from the system’s tab of nsx manager, under the certificate, select the certificate you uploaded and copy the certificate id.

 



 

2). Secondly, before replacing the certificate it is always recommended to validate the certificate. To check there is no error with it and it can be done from the below api using any API tool or directly from the vcenter server.

curl -k -X GET -u 'admin:<NSX MANAGER ADMIN PASSWORD>' 'https://<NSX MANAGER FQDN>/api/v1/trust-management/certificates/<CERTIFICATE ID>?action=validate'



3). Lastly, to replace the certificate run the below api using any API tool or directly from the vcenter server.

To replace it on the nsx-t manager nodes run below api from vcenter, Do this on each node.

curl -k -X POST -u 'admin:<NSX MANAGER ADMIN PASSWORD>' 'https://<NSX MANAGER FQDN>/api/v1/node/services/http?action=apply_certificate&certificate_id=<CERTIFICATE ID>'



To replace it on the nsx-t cluster/VIP run below api

curl -k -X POST -u 'admin:<NSX MANAGER ADMIN PASSWORD>' 'https://<NSX MANAGER FQDN>/api/v1/cluster/api-certificate?action=set_cluster_certificate&certificate_id=<CERTIFICATE ID>'


    

Comments

Post a Comment

Popular posts from this blog

Troubleshooting NonVMwareDevice Filtering in VMware SRM using Dell EMC SRDF SRA.

Image
    Troubleshooting NonVMwareDevice Filtering in VMware SRM using Dell EMC SRDF SRA. Problem description:  While running device discovery in VMware SRM while using DELL EMC SRDF SRA, it shows all the replicated devices not just the VMware devices.     In this post, I will like to highlight about my experience which I had faced while configuring VMware SRM with DELL EMC SRDF SRA.   For those who are not aware what these products are, I will like to take some time in giving a brief indroduction about the same.   VMware SRM: VMware provides the VMware Site Recovery Manager (SRM) as part of its vSphere suite, which lets you automate backups and orchestrate the recovery of entire data centers from a disaster recovery site. SRM can be used both on-premises and as a Disaster Recovery as a Service (DRaaS).   Dell EMC SRDF SRA:   SRDF: The Symmetrix Remote Data Facility (SRDF) is a family of software products that facilitates the data replication from one Symmetrix storage array
Read more

VMware vRealize Automation 7.x Troubleshooting Infra issues

Image
Troubleshooting Infra Issues in vRA 7.x     To manually troubleshoot vRA issues, we must know what all things we need to check.   1). In the vRA portal one should check the status of all the services whether the status is registered, fail or blank.   https://vRAserver_name:5480   If the status is registered than all good but if it is showing failed then it seems something is wrong with that service. If the status of service is blank it means that the service is responding but not correctly. XML link to check why services are not running are as follows:   https://vRA/component-registry/services/status/current?page=1&limit=50   2) If in the vra page one is giving Error 503 then please check below things to isolate that: -->IIS Pools -->SQL DB Connectivity -->Certificate Issues -->Service Account Issues -->Service Dependency   3). Service which need to checked to monitor load balancing is "shell-ui-app" and it can be c
Read more