In this blogpost I’ll go over the switch of the certificate regarding the GM Corfu Client.
The steps will be the following:
- Create CSR for GM Corfu Certificate (for every node)
- Self-Sign the CSR created before
- Change certificate with Postman
- Delete old certificate
- Go to CSR -> Generate CSR
- Copy the name from the expired certificate, I leave the rest untouched
- From the CSR list, click on the three dots on the left of the new CSR and then Click on “Self Signe Certificate for CSR”
- Confirm the Self Signed and remember to Disable Service Certificate. This is very IMPORTANT if you leave it enabled when you launch the API Call for Change the certificate it will fail!
The result in the end should be something like this
- At this point you need two things:
- Certificate ID
- Node ID
I’ll use this two piece of information with a specific api call in order to change the certificate.
You can get the Cert ID simply clickling on the arrow on the left, this will expand the details about the certificate, as shown below.
The ID of the node is written directly on the name of the certificate, but you can double check directly on the “Appliances” tab, and check by clicking on the view details for every Manager Node you will see the UUID data.
The following API call must be used in order to change the certificate with method POST:
https://nsx-vip/api/v1/trust-management/certificates/cert_id?action=apply_certificate&service_type=CMB_GM&node_id=node_id
I’ve marked with bold the information that must be inserted by the administrator.
The answer from the POST API call should be 200/ok and then if I look on the NSX UI the result should be that the expired certificate is no longer used, like below.
Then you need to do it for all the three certificates and after that you can delete the old/expired ones.
This method is also applicable for the other certificates expiration that are self signed:
- https://nsx-vip/api/v1/trust-management/certificates/cert_id?action=apply_certificate&service_type=CBM_MP&node_id=node_id
- https://nsx-vip/api/v1/trust-management/certificates/cert_id?action=apply_certificate&service_type=CBM_CLUSTER_MANAGER&node_id=node_id
- https://nsx-vip/api/v1/trust-management/certificates/cert_id?action=apply_certificate&service_type=CBM_AR&node_id=node_id
- https://nsx-vip/api/v1/trust-management/certificates/cert_id?action=apply_certificate&service_type=CBM_MONITORING&node_id=node_id
- https://nsx-vip/api/v1/trust-management/certificates/cert_id?action=apply_certificate&service_type=CBM_IDPS_REPORTING&node_id=node_id
