VMware Networking Community
Petersaints
Enthusiast

NSX-T 3.1 renew self signed certificates

Hello all,

I need to renew the NSX-T certificates. I will use self-signed ones. I have a cluster with 3 managers.

I notice that the current certificates of mp-cluster and the tomcat certificate for node 1 are issued to the hostname of manager one, and not to the FQDN. For node 2 and node 3 the certificates are issued to the FQDNs.

My question is:

When I generate new certificates, in this case for node 1 and mp-cluster, should I use the FQDN, or only the hostname?

Thanks.

Regards.

 


Accepted Solutions
engyak
Enthusiast

If you can, issue a certificate to the FQDN of the vIP and add the individual host names as Subject Alternative Names (SANs) along with the vIP ID. You should have 4 total SANs, unless you have the ability to also add the IP address (then it should be 8).

This will allow your NSX managers to authenticate either when addressed individually or as a cluster member.
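
The SAN layout from the accepted answer, as an added example that is not part of the original thread or of VMware's procedure: it uses OpenSSL to create a self-signed certificate with the VIP FQDN as CN plus 4 DNS and 4 IP SANs, then checks which names the certificate covers. All host names, addresses, file names and the 825-day validity are constructed placeholders.

```shell
#!/bin/sh
# Added example. Names and addresses are constructed (example.test, 192.0.2.0/24).
umask 077                                 # private key readable by owner only
VIP_FQDN="nsx-vip.example.test"
NODE_FQDNS="nsx-mgr1.example.test nsx-mgr2.example.test nsx-mgr3.example.test"
ALL_IPS="192.0.2.10 192.0.2.11 192.0.2.12 192.0.2.13"   # VIP first, then nodes

# Build the subjectAltName value: 4 DNS entries + 4 IP entries = 8 SANs.
build_san() {
  san=""
  for n in $VIP_FQDN $NODE_FQDNS; do san="${san}${san:+,}DNS:$n"; done
  for i in $ALL_IPS; do san="${san},IP:$i"; done
  printf '%s\n' "$san"
}

# Write key + self-signed certificate into directory $1; CN is the VIP FQDN.
make_cert() {
  cat > "$1/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = $VIP_FQDN
[v3]
subjectAltName = $(build_san)
EOF
  # -days 825 is an assumed validity, not a value from the thread.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 825 \
    -config "$1/san.cnf" -keyout "$1/nsx.key" -out "$1/nsx.crt" 2>/dev/null
}

# covers <cert> <host|ip> <name>: succeeds only if the certificate matches.
covers() {
  openssl x509 -in "$1" -noout "-check$2" "$3" | grep -q "does match"
}

# Number of SAN entries present in the certificate.
san_count() {
  openssl x509 -in "$1" -noout -text | grep -A1 "Subject Alternative Name" |
    tail -n1 | tr ',' '\n' | grep -c ':'
}

WORK=$(mktemp -d)
make_cert "$WORK"
CRT="$WORK/nsx.crt"
for n in $VIP_FQDN $NODE_FQDNS nsx-mgr1; do
  covers "$CRT" host "$n" && echo "OK      $n" || echo "MISSING $n"
done
```

The short name `nsx-mgr1` is reported as MISSING because only FQDNs are listed as SANs; a client that connects by short hostname would fail name validation against this certificate.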

salarmehdizadeh
Contributor

Hello,

1. Can we extend the duration of an expired certificate?
2. You advised entering SANs (VIP and three manager nodes with FQDN) for a certificate, but in the CSR generation process we can only enter the Common Name; there is no section for entering SANs?
