NSX Manager SSL certificate replacement with CA

During my study for the VCIX-NV exam I was writing a post on using the REST API client in Google Chrome when I hit an issue connecting to my NSX Manager via the API call. The error message that I received was below.
 

Could not get any response
This seems to be like an error connecting to https://nsxmanager.vcloud.local/api/2.0/services/ssoconfig. The response status was 0.
Check out the W3C XMLHttpRequest Level 2 spec for more details about when this happens.

 
After checking the certificate on NSX Manager, I noticed that the certificate showed localhost rather than the actual hostname for the NSX Manager, which in my case is nsxmanager.vcloud.local.
 
To resolve this, I had to implement a new CA-signed certificate on the NSX appliance, so I thought I would document the process for anyone who was experiencing similar issues, or just wanted to replace their NSX Manager certificate with a CA certificate.
 
Step 1. Log into the NSX Manager web interface, navigate to Manage -> SSL Certificates, and select Generate CSR. Fill out the appropriate information as shown below.
 
 
Step 2. Then select the Download CSR button to save your signing request. The download does not give you a .csr file but instead gives you a file with the type “File.”
 
 
Step 3. Open the downloaded CSR file with Notepad and you should see something similar to:
 

-----BEGIN CERTIFICATE REQUEST-----
MIICtjCCAZ4CAQAwczEgMB4GA1UEAwwXbnN4bWFuYWdlci52Y2xvdWQubG9jYWwx
DzANBgNVBAoMBlZNd2FyZTEPMA0GA1UECwwGVk13YXJlMRMwEQYDVQQHDApCcm9v
bWZpZWxkMQswCQYDVQQIDAJDTzELMAkGA890-81UEBhMCVVMwggEiMA0GCSqGSIb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-----END CERTIFICATE REQUEST-----

 
Step 4. Copy and paste the entire contents of that file and get the certificate signed by your CA. If you have an internal Microsoft CA, I have provided the steps below. First, log into your Microsoft Active Directory Certificate Server web server by navigating to http://FQDN_or_IP/certsrv. I used localhost as I was on the Active Directory CA server. Click on Request a certificate.
 
 
Step 5. Select advanced certificate request
 
 
Step 6. Paste the contents of your NSX Certificate Signing Request (CSR), select your Certificate Template, then click Submit.
 
 
Step 7. Select Base 64 encoded and Download certificate chain
 
 
Step 8. Open up the chain file and drill down to Certificates
 
 
Step 9. Right Click on the nsxmanager certificate and select All Tasks -> Export
 
 
Step 10. Click Next on the Wizard, then select Base-64 encoded X.509 (.CER) and hit Next
 
 
Step 11. Provide a File Name (I used nsxmanager.cer) then hit Next then Finish
 
 
Step 12. Follow the same steps above to export your root certificate (I named mine root.cer).
 
 
Step 13. You should now have an nsxmanager.cer and a root.cer. You will need to combine these two files into a file called chain.cer. You can do that by opening a command prompt, navigating to the directory, and running the following command.
 

copy nsxmanager.cer+root.cer chain.cer

 
Step 14. Once you have the chain.cer, log back into the NSX Manager web interface, select Import, and provide your chain.cer file. You should now see your new certificate and root certificate as shown below.
 
 
Step 15. In order for my certificate to show up properly, I had to reboot NSX Manager. Once that was complete, I could see the trusted certificate.
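
A pre-import sanity check for the chain.cer built in Step 13, added here as an example and not part of the original post: it confirms the file holds exactly two PEM certificates, that the first was issued by the second, and that the second is self-issued. It compares issuer and subject Names byte for byte and does not verify signatures or hostnames; `fake_cert` and the "Lab Root CA" name are constructed sample data.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):  # read the DER TLV header at pos -> (tag, value_start, value_end)
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    n = first & 0x7F if first & 0x80 else 0  # long form: n length bytes follow
    length = int.from_bytes(buf[pos:pos + n], "big") if n else first
    return tag, pos + n, pos + n + length

def issuer_subject(der):
    """Return the raw DER issuer and subject Names of an X.509 certificate."""
    pos = _tlv(der, _tlv(der, 0)[1])[1]  # step into Certificate, then tbsCertificate
    if der[pos] == 0xA0:                 # optional [0] version field
        pos = _tlv(der, pos)[2]
    fields = []
    for _ in range(5):                   # serial, sigAlg, issuer, validity, subject
        start, pos = pos, _tlv(der, pos)[2]
        fields.append(der[start:pos])
    return fields[2], fields[4]

def check_chain(pem_text):
    """Return the problems found in a chain file meant to hold server cert, then root."""
    merged = re.search(r"-----END CERTIFICATE-----[^\r\n]", pem_text)
    problems = ["END and BEGIN share a line (first file had no trailing newline)"] if merged else []
    ders = [base64.b64decode(b) for b in PEM_RE.findall(pem_text)]
    if len(ders) != 2:
        return problems + [f"expected 2 certificates, found {len(ders)}"]
    (leaf_iss, _), (root_iss, root_sub) = map(issuer_subject, ders)
    if leaf_iss != root_sub:
        problems.append("first certificate was not issued by the second (wrong order?)")
    if root_iss != root_sub:
        problems.append("second certificate is not self-issued, so it is not a root")
    return problems

def _der(tag, body=b""):  # sample-data helper; short-form lengths only (< 128 bytes)
    return bytes([tag, len(body)]) + body

def fake_cert(issuer, subject):
    """Constructed stand-in with a certificate's field layout; no real key or signature."""
    iss, sub = (_der(0x30, _der(0x0C, cn.encode())) for cn in (issuer, subject))  # simplified Names
    fields = _der(0xA0, _der(2, b"\x02")) + _der(2, b"\x01") + _der(0x30) + iss + _der(0x30) + sub
    b64 = base64.encodebytes(_der(0x30, _der(0x30, fields))).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    leaf, root = fake_cert("Lab Root CA", "nsxmanager.vcloud.local"), fake_cert("Lab Root CA", "Lab Root CA")
    print(check_chain(leaf + root), check_chain(root + leaf))  # correct order, then reversed
```

To check a real file, pass its text to `check_chain`, for example `check_chain(open("chain.cer").read())`; an empty list means the structure looks right.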
 
 
Phew! Now I can get back to NSX REST API calls and studying for my VCIX-NV exam next week. If you haven’t already been following the progress, I have a lot of good information up for studying here. Let me know if you have any questions or run into any problems that I may be able to help you out with during your NSX Manager certificate replacement!
 

Posted by:

Sean Whitney

1 Comment

  1. Rob Irwin -  April 13, 2016 - 2:51 am 453

    Useful article, Two questions.

    1: What are the details of the certificate template ‘VMWare’ you used on your certsrv?

    2: Can the intermediary authority on my external PSC be used instead?
