![\"image\"](\"https:\/\/robinplomp.com\/wp-content\/uploads\/2022\/09\/image_thumb-5.png\" "\\"image\\"")
A customer send out the request to take a look at a few alarms they received in the NSX Manager console. The alarm they received was about a expiring certificate for local manager. <\/p>\nA customer send out the request to take a look at a few alarms they received in the NSX Manager console. The alarm they received was about a expiring certificate for local manager. <\/p>\n
We did some investigating from the NSX Manager and it was clear that this was a self-signed (not linked to the company own PKI infrastructure) and it was in use. This last comment means we have to use the Application Programing Interface <\/strong>(API) to tell NSX to use the new certificate.<\/p>\n Since this is a production environment we don\u2019t do anything before we have verified that a recent backup of the NSX database is available. Please take note that a VMware snapshot is not supported the restore a NSX Manager Cluster. It is best practice to have a scheduled NSX Manager backup schedule. Before we start working on the environment we create a manual backup of the NSX database.<\/p>\n <\/p>\n When we have verified that we have a recent backup we move to the certificate node (Click system > click certificates > click the certificates tab) to verify which certificate we need to update. <\/p>\n Under certificates we move to the tab CSR and select Generate CSR> Generate CSR.<\/p>\n In the following screen we need to collect data for the new certificate.<\/p>\n Under the tab CSR we see our new request.<\/p>\n By selecting this line we choose Self Sign Certificate for CSR from the context menu.<\/p>\n In the following window we can choose how long the certificate is valid and indicate if this is a service certificate (which it is not).<\/p>\n The certificate is now created, but we are not finished we have to tell NSX to use the new certificate. To create the API calls to configure this we need the have the certificate ID. <\/p>\n We are able to locate this information from the NSX Manager UI.<\/p>\n For the next phase we need Postman.<\/p>\n Create the following command: Enter your credentials for the NSX Manager on the authorization tab.<\/p>\n On tab header add key Content-Type, with value application\/json<\/p>\n On tab Body, choose raw and select format JSON<\/p>\n Add the folowing lines<\/p>\n { \u201ccert_id\u201d: \u201c<id>\u201d,<\/strong><\/p>\n \u201cservice_type\u201d: \u201cLOCAL_MANAGER\u201d }<\/strong><\/p>\n Now you are ready to click send. If you entered everything correctly you will see the following message: Next we return to the certificate node. Notice that the new certificate is valid and in use.<\/p>\n You can now remove the expired certificate.<\/p>\n","protected":false},"excerpt":{"rendered":" A customer send out the request to take a look at a few alarms they received in the NSX Manager console. The alarm they received was about a expiring certificate for local manager. We did some investigating from the NSX Manager and it was clear that this was a self-signed (not linked to the company … Lees verder Replace Local Manager Certificate<\/span> ![\"image\"](\"https:\/\/robinplomp.com\/wp-content\/uploads\/2023\/03\/image.png\" "\\"image\\"")
<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n
POST https:\/\/<nsx-mgr.fqdn>\/api\/v1\/trust-management\/certificates?action=set_pi_certificate_for_federation<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n