Hello daphnissov,

Thanks for your answer. Do you have a detailed guide on how to generate the certificate and supply the certificate so I can follow? For NSX-V, the instructions are very clear but couldn't find a good one o NSX-T!

Best,

NetRock

Use the CertGen tool as detailed here. For some basic usage that I show (although it's pretty much covered in that KB), you can refer to one of my blog posts here.

Hmm, I've just tried to replace a test NSX-T 3 manager certificate and failed.

What I did:

-went to nsx manager ui system/certificates page and generated a CSR.

No options there, just a not so evident field description of "name" and "common name". I guess name is just an alias.

-took that CSR and generated a cert. (no, I'm not using windows CA)

-imported the cert (fullfilled the CSR) and imported the CA cert (root cert)

-resynched certs (because of an alert, i.e. start search resync manager)

-got new cert ID

-tried to assign that ID to https service via REST (v1/node/services/http?action=apply_certificate)

That last step responded with

What probably happened is whatever system you used to generate this cert from the CSR did not sign it as a server/machine certificate. You need to look at what template/settings were used on your CA to sign this cert.

Indeed, the signing left out some requested extensions!

Certificate Request:

    Data:

        Version: 1 (0x0)

        Subject: C = AR, ST = Buenos Aires, L = Martinez, OU = Training, O = Trace On Consulting, CN = nsx.ba.ar

        Subject Public Key Info:

            Public Key Algorithm: rsaEncryption

                RSA Public-Key: (2048 bit)

                Modulus:

                    00:ba:91:9c:19:6e:a6:29:6b:2e:57:3e:a0:70:06:

..

                    1b:45

                Exponent: 65537 (0x10001)

        Attributes:

        Requested Extensions:

            X509v3 Extended Key Usage: critical

                TLS Web Server Authentication, TLS Web Client Authentication

            X509v3 Basic Constraints: critical

                CA:FALSE

    Signature Algorithm: sha256WithRSAEncryption

         9a:7e:92:01:13:19:00:94:a3:63:23:49:30:f9:fd:2c:5f:11:

  ..

         e9:94:54:56

Certificate:

    Data:

        Version: 1 (0x0)

        Serial Number:

            f4:e0:62:72:67:54:ed:e0

        Signature Algorithm: sha256WithRSAEncryption

        Issuer: C = AR, ST = Buenos Aires, L = Martinez, O = Trace On Consulting, CN = TestCA, emailAddress = tron@huapi.ba.ar

        Validity

            Not Before: Jun 23 12:15:35 2020 GMT

            Not After : Jun 21 12:15:35 2030 GMT

        Subject: C = AR, ST = Buenos Aires, L = Martinez, OU = Training, O = Trace On Consulting, CN = nsx.ba.ar

        Subject Public Key Info:

            Public Key Algorithm: rsaEncryption

                RSA Public-Key: (2048 bit)

                Modulus:

                    00:ba:91:9c:19:6e:a6:29:6b:2e:57:3e:a0:70:06:

...

                    1b:45

                Exponent: 65537 (0x10001)

    Signature Algorithm: sha256WithRSAEncryption

         12:17:e9:3b:4a:db:4c:77:60:9d:7e:75:c9:65:d7:2a:2b:40:

   ,,,

         8a:d5:19:9e

Thanks.

Now it does not like the cert.

It seems that you can not do a new cert w/o changing the RSA key ? Because I have not specified a key when signing an NSX generated CSR.

What's the point of having a CSR page if the cart can not be matched to the actual key ?

Is there a document that baby steps the changing of the node certs ?

This all started because aparently vcenter does not trust NSX when trying to deploy workload management (i.e. vsphere for K8S) and I'm trying to make that trust relation.

I generally do not use the CSR function provided by NSX-T Manager, but it should work. Whenever you generate a new CSR, a new private key is typically generated. So I'd just start the process over and get the CSR signed again, add the CA cert to NSX Manager first, then add the machine cert. This is 3.0 so you need to enable trust before adding the compute manager.

Well, that was the order. I had already loaded the CA and rerun the CSR/sign/import cycle.

The imported cert does not validate. The apply_certificate says it can not be validated by itself (?) and the validate method says the key does not match.

I'll import a cert/key pair... I'll have to dig into the trust management framework. Any pointers ?

Thanks again!

I mean, it's a fairly straightforward process but I don't quite know everything that you did, how, and in what order. It seems whatever CA and signing system you used it doesn't like, which is usually where this process breaks down. The process is well documented for Microsoft CAs, but you're not using that. The other thing to check is that the cert you pass it needs to contain the full chain with the machine cert at the top followed by any intermediate certs, and finally the root CA. This was a change compared to 2.5 if I remember correctly. Also check and ensure the cert you're signing using a modulus and signing algorithm which is supported. Check the docs for that info.

Ah, I'm not returning a chain, just the cert. That sounds like it.

It would be nice for the UI to ask for a chain though

Now it rejects for lack of CDP for CRL checking. Argh. I've found a KB that talks about disabling it (VMware Knowledge Base ),

but REST fails:

That was my bad, I was using POST instead of PUT.

After that, cert was finally accepted.

Thanks++.

Yes, after being pointed in that direction.

That's what AFAIK is called a certificate chain. Thanks.