Learning NSX-Part-11-Replacing NSX default SSL Certficates with CA Signed Certificates


I am a big advocate of not using the default SSL certs on any VMware products and I prefer using Signed certs from my CA server on my lab components. I have my CA server running in Windows Server 2012.

Earlier in my lab I had replaced the vSphere (Esxi + vCenter) SSL certs and if you want to know how to do it, you can read them from below links:

1: Replacing Esxi SSL Certificates

2: Replacing vCenter Server SSL Certs

If you are like me and new to replacing SSL certs and looking for how to setup a CA server, you can read it from Here for a step by step installation/configuration of CA server.

1: Introduction to VMware NSX

2: Installing and Configuring NSX Manager

3: Deploying NSX Controllers

4: Preparing Esxi Hosts and Cluster

5: Configure VXLAN on the ESXi Hosts

6: Logical Switching

7: Distributed Logical Router Tidbits

8: Installing Distributed Logical Router

9: NSX Edge Services Gateway

10: Upgrade NSX Manager From 6.2 to 6.2.4

All right lets dive into lab and look into how to replace the default SSL certs of VMware NSX.

Before starting with certs replacement, we need to create a customized certificate template in CA server prior to submitting the Certificate Signing Request (CSR) created on the NSX Manager.

You can follow VMware KB-2112009 to learn how to create certificate template. I have already created mine when I replaced SSL certs in my vSphere 6 infrastructure.

1: Login to NSX manager with the admin user. At the top you can see the Red triangle sign which indicates that certificate is not a signed cert.

nsx-ssl1

2: Go to Manage > SSL Certificates and click on Generate CSR

nsx-ssl2

3: Populate the information needed to generate CSR and hit OK

nsx-ssl3

4: Now you download the CSR by clicking on ‘Download CSR’ button.

nsx-ssl4

Note: The download does not give you a .csr file but instead gives you a file with the type “File.”

5: Open the downloaded file in a notepad. It should look like below. Copy entire contents from this file including –Begin Certificate Request— and —End Certificate Request— line

nsx-ssl5

6: Login to your CA server by browsing https://FQDN_or_IP/certsrv and click on “Request a certificate”

nsx-ssl6

7: Click on advanced certificate request.

nsx-ssl7

8: Paste the content which you copied in step 5 under Saved Request and select the correct Certificate Template and hit Submit.

nsx-ssl8

9: Select Base 64 encoded and click on Download certificate chain

nsx-ssl9

10: Right click on downloaded chain file and select open, then drill down to certificates directory and in right hand side you will see your cert.

Right click on the cert which corresponds to NSX and click on Export.

nsx-ssl10

11: Select Base-64 encoded X.509 in Certificate Export Wizard and hit Next.

nsx-ssl11

13: Save the file as .cer file on your computer.

nsx-ssl12

nsx-ssl13

14: Now we need to download CA Server root certificate. From the CA Server webpage click on home on right hand side upper corner and click on “Download a CA certificate” option.

nsx-ssl14

15: Select Base 64 option and click on “Download CA certificate

nsx-ssl15

16: At this point you should have 2 .cer files

nsx-ssl16

We need to join these file to create a single .cer file. You can use below command to do that

copy nsxmgr.cer+Root64.cer  new.cer

17: Once you have the new.cer file, log back into the NSX Manager Web Interface and select Import and provide your new.cer file.

nsx-ssl17

Browse to the location where you have stored your new.cer file and hit Import buttonnsx-ssl18

You should now see your new certificate and root certificate as show below. Also the NSX Web UI will display a message that appliance needs a reboot for new certs to take effect.

nsx-ssl19

18: Reboot the NSX appliance. Once NSX manager is UP again, log back into the UI and you should see the certificate is now showing in green color. If its shows red eve after appliance reboot just refresh the page and you should immediately see red changing to green.

nsx-ssl20

 

And that’s it. We have successfully replaced the default self-signed certificate of NSX manager with a signed certificate obtained from our Certificate Authority.

I hope this post is informational to you. Feel free to share this on social media if it is worth sharing. Be sociable 🙂

About Alex Hunt

Hi All I am Manish Kumar Jha aka Alex Hunt. I am currently working in VMware Software India Pvt Ltd as Operations System Engineer (vCloud Air Operations). I have around 5 Years of IT experience and have exposure on VMware vSphere, vCloud Director, RHEL and modern data center technologies like Cisco UCS and Cisco Nexus 1000v and NSX. If you find any post informational to you please press like and share it across social media and leave your comments if you want to discuss further on any post. Disclaimer: All the information on this website is published in good faith and for general information purpose only. I don’t make any warranties about the completeness, reliability and accuracy of this information. Any action you take upon the information you find on this blog is strictly at your own risk. The Views and opinions published on this blog are my own and not the opinions of my employer or any of the vendors of the product discussed.
This entry was posted in NSX. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s