NSX Certificates Management Cookbook


Starting with NSX version 4.1, many more certificates are visible in NSX. Those certificates have always been present on the platform, even in previous versions, but it was impossible to manage their lifecycle. This document will help the reader understand the purpose of all the certificates that are part of the NSX platform. It provides examples covering common certificate-related tasks an NSX administrator may tackle while administering NSX.

To make these examples reproducible, they are presented in the form of bash scripts. We opted to use bash for maximum portability. The scripts mainly use curl to perform calls to the NSX API and use jq to process the returned JSON data structures. You must install jq on your system to run the sample scripts. You can use your system package manager (e.g., apt or Homebrew).

The scripts are provided for educational purposes only. You should perform your validations before leveraging them on production systems.

The current doc applies to NSX version 4.1.1 and later.

Note: copy and paste from the PDF doc will lead to formatting errors. All the scripts are available on GitHub for easy copy and paste: https://github.com/vmware-nsx/nsx_certificates_cookbook

Author: NSX Product Team

Comments

I stumbled upon your NSX Certificates Management Cookbook, and I must say, it's quite the gem for NSX administrators! The effort you've put into breaking down the purpose of each certificate and providing real-world examples is commendable.

I appreciate the choice of using bash scripts with curl and jq—it adds a practical touch and ensures that the examples can be easily replicated across different systems. The emphasis on installing jq for JSON data processing is a nice nod to the nuts and bolts of working with the NSX API.

Your heads-up about the scripts being for educational purposes is spot on, and the reminder to validate before hitting production systems is a responsible touch. It really drives home the importance of due diligence.

And kudos for sharing the GitHub link! It's such a handy move, making it easy for users to track the scripts and even contribute back. That collaborative spirit is always a win.

All in all, your documentation is not just informative but comes off as a genuinely helpful resource. Great work!

Thanks for the NSX Certificates Management Cookbook! It will come in handy in the future.

Hi luca19100,

Thank you for sharing this useful NSX Certificates Management Cookbook!
This really helps me to understand the NSX 4.1 certificate feature.

I have a question regarding NSX 4.1 certificate replacement, and I would be grateful if you could support.
In our client NSX Federation 4.1 environment, there are two certificates with 825 days validity which are not listed in the NSX 4.1 document.
In this cookbook, I found these certificates, and I would like to ask you how to update them using the API.

These two certificates are:
- CSM-Corfu Client certificate
- GM-Corfu Client certificate

I guess the API commands to update these certificates are:

- CSM-Corfu Client certificate: Service Type CBM_CSM
POST /api/v1/trust-management/certificates/<cert-id>?action=apply_certificate&service_type=CBM_CSM&node_id=<node-id>

- GM-Corfu Client certificate: Service Type CBM_GM
POST /api/v1/trust-management/certificates/<cert-id>?action=apply_certificate&service_type=CBM_GM&node_id=<node-id>

Are these API commands correct?


Thanks a lot
Mayumi

Handy document to keep and read about it... thanks for sharing!

Version history
Revision #: 4 of 4
Last update: 11-01-2023 01:41 PM