NSX Certificate Management Using REST API

In this post we will learn how to view and generate a self-signed certificate for NSX and how to replace the certificates after getting them signed by a CA. We will do all of this via the REST API.

I wrote a post in the past on how to replace SSL certs for NSX from the GUI. In this post I am trying to achieve the same via the REST API.

The following API calls generate and replace the certificates.

Generate CSR Certificate

# curl -k -u "admin:Telstra@123" -d @csr.xml -X PUT https://nsxmgr.alex.local/api/1.0/appliance-management/certificatemanager/csr/nsx

The request body, csr.xml, contains:

<?xml version="1.0" encoding="UTF-8"?>
<csr>
  <algorithm>RSA</algorithm>
  <keySize>4096</keySize>
  <subjectDto>
    <commonName>nsxmgr.alex.local</commonName>
    <organizationUnit>Cloud</organizationUnit>
    <organizationName>Alex.Co</organizationName>
    <localityName>Bangalore</localityName>
    <stateName>Karnataka</stateName>
    <countryCode>IN</countryCode>
  </subjectDto>
</csr>

Download CSR Certificate

# curl -k -u "admin:Telstra@123" -X GET https://nsxmgr.alex.local/api/1.0/appliance-management/certificatemanager/csr/nsx

Note: If you try to download the CSR before generating it, you will get the error below.

<?xml version="1.0" encoding="UTF-8"?>
<errors>
  <error>
    <details>CSR is not yet generated.</details>
    <errorCode>150919</errorCode>
    <moduleName>vsm-appliance-mgmt</moduleName>
  </error>
</errors>

Upload Certificate Chain

Once you receive the signed certificate from your certification authority, you can apply it to NSX Manager using the API call below.

# curl -k -u "admin:Telstra@123" -X PUT https://NSX-Manager-IP-Address/api/1.0/appliance-management/certificatemanager/uploadchain/nsx

Query Certificates

Once you have replaced the SSL certificates on NSX, you can query the installed certificates using the API call below.

# curl -k -u "admin:Telstra@123" -X GET https://nsxmgr.alex.local/api/1.0/appliance-management/certificatemanager/certificates/nsx | xmllint --format -

<?xml version="1.0" encoding="UTF-8"?>
<x509Certificates>
 <x509certificate>
 <subjectCn>nsxmgr.alex.local</subjectCn>
 <issuerCn>CASRV01-CA</issuerCn>
 <version>3</version>
 <serialNumber>5a0000001e3a9535ac14ccfe8800000000001e</serialNumber>
 <signatureAlgo>SHA256WITHRSA</signatureAlgo>
 <signature>ac 70 3c 9a 78 81 28 4d 54 3d 2e d3 71 8f 9f 05 b1 13 41 a0 4f 60 b5 2a c5 fb 84 57 04 32 05 6c a1 48 f6 19 de ee 69 53 91 8d b0 d0 c2 03 68 41 06 9d 08 0e 31 41 ef 02 6c c7 2c 2e 3a 5a 45 1e 7e d0 2d b4 ba 47 c2 93 7c 93 5a 2e b3 e6 0a 65 c5 a8 34 58 40 07 3c cc 10 5e e2 42 96 bb 93 9a 77 e8 d5 68 af 62 45 74 73 b0 44 6b c5 39 19 86 99 34 55 58 b2 81 65 f0 7f d4 f4 d1 65 b4 86 4d 89 f4 05 64 cc 2c d6 4f 1d f8 92 1d ab 3d b4 ba 9b 01 06 11 9b a9 16 12 d7 83 7e 11 2c 25 31 d4 6f 44 f3 41 9c d6 9d 7e 42 3f 5d 02 11 31 47 4d 0b 2d 0c 83 b0 ed 57 02 a7 46 78 01 13 b2 3e d7 0c dd 02 54 b5 a0 12 44 7d c3 2c df e9 23 15 8e f1 72 b0 d2 e4 67 1b eb 75 99 55 a9 a1 9a 0f 31 5a 00 cb e0 8c 4f 49 c4 9a ec 8c 60 51 3f f5 06 dd 11 ca 93 e1 01 16 53 53 0f ae 30 25 d3 9f a6 38 b0 fb af 58 fb ed 7b b6 48 f4 4c 19 cb 6b 1d 9f af d1 72 94 b2 ca 46 29 af 3d 15 bc c1 f6 d7 38 ee 98 d2 17 5f 77 87 25 22 6d 09 ce 5a ae 64 3e 23 f3 78 06 c6 6e e3 7a c6 04 86 e6 09 79 f8 01 af d1 84 1d 9f 5d 98 64 59 55 7c 8a 37 f5 46 99 17 16 24 cd 76 53 db db f3 90 d2 b3 5b 90 b8 24 4f 8f 81 a5 2c 07 89 62 8d 99 27 54 b8 f8 26 a5 b0 b1 b1 91 73 8c 69 d4 21 ac 45 31 b1 23 b8 06 fa 7d 22 06 5c c0 18 02 0c c0 34 fb 98 6f 58 1f 5c db 38 ad b6 60 55 9e 69 e7 42 41 6e 82 35 66 b7 94 6c 9d 71 48 4e ae 5d f9 8f e7 36 ce 9a e8 03 4c a6 0b f2 19 53 b7 fb 76 87 ea ad 39 db 14 8b 72 31 77 2f 3b 74 50 7a 5d 1c fa 77 de 01 c3 6b e8 62 b7 e1 23 a1 77 a8 3c 33 66 f2 38 9a a3 e7 dd 74 6e 28 b5 65 63 7a 02 3b d5 0a c7 04 d7 8f b3 c4 4f a4 51 fa a0 ec 95 c3 c4 2a b2 b6</signature>
 <notBefore>1490284036000</notBefore>
 <notAfter>1553356636000</notAfter>
 <issuer>CN=CASRV01-CA,DC=alex,DC=local</issuer>
 <subject>CN=nsxmgr.alex.local,OU=Cloud,O=Alex.Co,L=Bangalore,ST=Karnataka,C=IN</subject>
 <publicKeyAlgo>RSA</publicKeyAlgo>
 <publicKeyLength>2048</publicKeyLength>
 <rsaPublicKeyModulus>00 c4 95 71 ea b6 e5 d0 f5 9a 98 e9 e4 48 d8 dd 48 96 62 db 62 12 ac 62 b7 30 9e c7 ad ff ba 79 4b 86 94 af 83 51 be d7 05 8a 7f 67 71 1b 9a 4a 9b c0 df 57 c5 b9 a8 3a 11 a8 ca a7 5b b9 7a 65 22 a1 58 99 4e a3 9c c5 57 50 c5 77 c3 5a 57 66 b6 01 ae e9 9f 67 c4 4b 6a 68 08 6c 60 86 0c 9a a5 39 0a 35 d4 29 c0 6a 1c ba 69 21 e3 61 b7 6a 95 55 54 19 4d 3a c2 bd 32 59 d1 94 36 86 36 2a ca dc c3 03 e3 86 87 bd 5c d3 54 54 c3 5e 2d be 21 b6 77 9a 48 15 80 2d b6 16 b5 d7 ea d1 cc 05 5d 04 37 7e 05 26 8b a4 ca c5 79 1e 50 0b bd cb ba d6 15 a6 6e d9 82 83 7d 12 a1 f3 94 f0 82 a0 88 08 c2 9e a6 9d d3 83 07 5a 4e cb 66 33 2b 76 44 69 ec d8 f4 80 da e2 59 16 8f 6c cd 00 21 f0 b7 73 04 28 d3 e9 ce 93 30 9e bb 47 b7 f9 7d 7a 80 80 f6 ad cd 88 ab 5d cf 31 45 e9 ca 8f 0d 56 c9</rsaPublicKeyModulus>
 <rsaPublicKeyExponent>10001</rsaPublicKeyExponent>
 <sha1Hash>3a:22:5a:78:51:43:52:04:3f:0f:0b:25:1e:02:15:cc:57:95:76:be</sha1Hash>
 <md5Hash>3f:e6:f6:e4:28:e4:07:30:25:b3:b1:b8:22:d7:95:7a</md5Hash>
 <isCa>false</isCa>
 <isValid>true</isValid>
 </x509certificate>
 <x509certificate>
 <subjectCn>CASRV01-CA</subjectCn>
 <issuerCn>CASRV01-CA</issuerCn>
 <version>3</version>
 <serialNumber>379322e692faa1af4dd54387d6400ff1</serialNumber>
 <signatureAlgo>SHA256WITHRSA</signatureAlgo>
 <signature>cd 69 52 d5 af f0 a6 a8 c2 c9 c0 02 28 bc 35 c4 50 f0 c2 e5 9b c8 eb 5d de d9 72 8e 24 6c 15 70 c9 98 fd 0d bc d4 8b 87 5f 3a c8 db 68 07 1e 79 a4 ea 22 4b 25 48 55 8d 58 a6 0d a4 bb 05 58 39 63 cc 30 86 56 f1 08 fc 01 a1 3a a4 6d 68 79 4c e5 3e 91 85 cd 6b 13 ad 9d 5f 08 eb 03 4f d6 f0 df 1c ca 6a 2f 46 ed f9 3e b6 31 c9 9f f8 30 37 b4 f1 b6 de ab a1 0f 7c d0 ca b1 b3 76 08 38 00 72 9f 4b 5b 23 15 99 5b 51 28 cf 52 92 89 e1 23 c1 29 a3 7e 20 d7 0d 6a e5 ff 1b ca 31 86 68 7d dd 73 2a 4a b6 5d 00 76 b7 24 51 2e 18 6d 8d cc 2a e7 a3 25 a6 6c 9c 50 97 fb e1 35 d6 f5 bc e4 fb 21 a6 25 8e e6 71 5d 29 7d 8e bb 00 ef 3b cf fe 84 79 87 44 a9 3b 54 05 0c 7c db 1a 8c b6 cf 28 81 3a 15 96 a6 ff e6 e8 ca a5 58 95 98 ec 3c 26 69 3f 15 f3 62 d9 26 a8 c3 b4 83 0d 3a 22 3b 6a 14 93 a1 67 e9 79 ae cb 0f 9f bd c2 36 c4 a7 1e 4e 20 b3 ed 88 40 a9 98 df 96 9b f7 e2 26 02 62 94 8a bb d3 6f e1 2e 4e e8 b5 11 84 97 85 d0 ef a2 37 be 9c 74 1e 01 5b 77 6e f0 9e 0e 4f 6c 20 a4 ed 94 3c 50 a3 e6 69 93 9d 83 dc b0 ab 05 42 9e 7c 03 c0 3a bd b3 cf ec 4d f4 0a 63 49 1f db 58 9d 74 a1 89 51 42 fb 15 c6 8f 01 a3 6e 48 ac 6d ec 85 01 ae cd 65 26 70 44 ae c1 6e 18 fb 79 de 97 a5 48 65 d3 d4 7b 7b 2f 85 ca 14 23 11 b9 1a 12 90 ca 10 a7 d6 a8 be c4 20 c2 42 4a 48 fb 29 12 52 bd 84 26 df e2 71 28 c9 94 c9 50 ed cf 40 df b1 4c 55 44 1e 05 9e fd 44 da 2c aa 09 c1 49 af 6d 75 92 db 54 c4 0c 9a 04 ca 90 95 7f 41 2e ba 40 23 cd 4a 79 fd e3 85 0c ec ac 73 26 b2 28 04 f7 fd 5c 79 da 26 d6 05 90 51 96 df f7 0a 38 57 69 ca aa 79 9b 82 d8 1b 33 0f 67 b0 5c</signature>
 <notBefore>1465810241000</notBefore>
 <notAfter>1623577238000</notAfter>
 <issuer>CN=CASRV01-CA,DC=alex,DC=local</issuer>
 <subject>CN=CASRV01-CA,DC=alex,DC=local</subject>
 <publicKeyAlgo>RSA</publicKeyAlgo>
 <publicKeyLength>4096</publicKeyLength>
 <rsaPublicKeyModulus>00 cd a0 76 66 07 c7 1c 93 5f 63 a6 ea 16 bd fa 20 bd e0 69 5d 97 3e ce e3 f7 ef a9 00 45 f6 58 21 4b 99 3b 0c 8e 4f f9 b8 3b f1 39 c1 d8 28 fc 6b 3b b8 e4 fe 7f 9e 96 5e 5c 99 16 a5 0c c1 3b 08 f3 a6 86 40 fb 95 6c cc a2 47 32 b9 52 c7 10 af e0 03 8d a9 98 d8 0d 08 c9 42 e0 a9 51 8f 50 de 50 17 ac 66 fe 39 79 53 ae e8 4d 93 22 dc 75 e5 bd 0d 92 e3 09 31 ff 5c 71 df 03 83 94 c5 1d 75 de 72 f9 4e d8 24 30 2c b1 64 aa 4f e1 52 b7 38 95 14 04 08 ea a3 32 67 88 a8 44 4a 59 a0 40 5e 6e e8 66 4d 43 a9 b4 c4 8e 5f 89 53 4b 3c c7 84 15 aa 0b 7d a2 b0 09 a5 4b a7 6a be a8 bd bb d5 55 68 7a 1d ab d3 3a 46 83 75 41 1d 93 f7 7e ed 98 57 91 63 8e 3f ca 46 f8 e1 91 2a dd 36 bf 1f 60 93 5a bc fd 0f e9 76 2b 4c c1 13 d6 22 6f 24 06 4e 15 cf 5e 52 79 f4 1e 48 e6 29 b4 ff 85 5a 80 57 33 93 49 9c 6c 08 57 48 e8 45 4c 1f ca 97 9d 4c 92 3d 10 b7 f0 bc 99 c6 f8 73 af 3f 95 d3 63 2d c2 bb 02 8e 0f f7 5a 67 bc be c4 02 98 0e 01 c6 05 4d 63 e9 b6 5b 7f 36 f6 40 eb 59 81 00 bc 6b d5 c4 4f a0 05 56 e6 98 e2 32 0f 17 ce cc c4 ce ec d9 9c b3 51 56 30 60 3e 4e 4f 1d fd 9c e0 14 c9 cf cb 74 cc da d6 b9 cc c1 07 22 9a 8f e5 4e f1 82 a0 9e da 2b ea d3 c1 ce 3e 6e 33 c6 de e5 a7 05 eb b1 bc 14 ef a6 78 d6 49 1d e7 6f 98 ab 30 40 82 39 23 85 bd fe a4 c0 b5 15 7f 08 3a 8f 5c be 90 e0 18 a4 54 e3 d4 25 06 a3 ab ad 17 e3 46 98 4f 34 fc 8f 38 51 79 8f 3b 85 ed 4a 7b d1 26 9a 5c 9a 8e 18 47 d8 15 2a 57 20 e2 f9 0e f5 3c f0 85 25 ec 86 91 b6 3a 95 f3 df 5d ad e0 c1 d6 ef 4e 83 d8 ac f1 9b 72 71 3a 87 65 6e af 17 b3 b1 a8 59 7c 55 81 df 71 c9 a2 d6 7f 7b</rsaPublicKeyModulus>
 <rsaPublicKeyExponent>10001</rsaPublicKeyExponent>
 <sha1Hash>84:7b:5c:2d:65:0a:c8:3e:76:ad:96:23:42:9b:e3:d7:4c:83:6b:cb</sha1Hash>
 <md5Hash>7e:63:cb:3e:a0:4f:93:a9:8f:ef:d4:1e:18:84:ca:48</md5Hash>
 <isCa>true</isCa>
 <isValid>true</isValid>
 </x509certificate>
</x509Certificates>
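
A check you can run on this response after a replacement, as an added example that is not from the original post or from VMware: it converts the epoch-millisecond validity fields to dates and flags an expired or expiring certificate, a weak signature hash, a CN mismatch, an issuer missing from the chain, and a leaf key length that differs from the keySize in csr.xml. The function names, the 30-day threshold and the trimmed sample are assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
# Constructed sample: the response shown above, trimmed to the fields checked here.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<x509Certificates>
 <x509certificate>
  <subjectCn>nsxmgr.alex.local</subjectCn><issuerCn>CASRV01-CA</issuerCn>
  <signatureAlgo>SHA256WITHRSA</signatureAlgo>
  <notBefore>1490284036000</notBefore><notAfter>1553356636000</notAfter>
  <publicKeyLength>2048</publicKeyLength><isCa>false</isCa>
 </x509certificate>
 <x509certificate>
  <subjectCn>CASRV01-CA</subjectCn><issuerCn>CASRV01-CA</issuerCn>
  <signatureAlgo>SHA256WITHRSA</signatureAlgo>
  <notBefore>1465810241000</notBefore><notAfter>1623577238000</notAfter>
  <publicKeyLength>4096</publicKeyLength><isCa>true</isCa>
 </x509certificate>
</x509Certificates>"""

def ms_to_utc(ms):
    """NSX reports notBefore/notAfter as epoch milliseconds."""
    return datetime.fromtimestamp(int(ms) / 1000, tz=timezone.utc)

def audit(xml_text, now, expected_cn, csr_bits=4096, warn_days=30):
    """Return (subjectCn, expiry date, findings) for each certificate in the response."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    certs = [{f.tag: f.text for f in node} for node in root.iter("x509certificate")]
    ca_names = {c["subjectCn"] for c in certs if c["isCa"] == "true"}
    report = []
    for c in certs:
        findings = []
        expires = ms_to_utc(c["notAfter"])
        if expires <= now:
            findings.append("expired")
        elif (expires - now).days < warn_days:
            findings.append("expires soon")
        if "SHA1" in c["signatureAlgo"] or "MD5" in c["signatureAlgo"]:
            findings.append("weak signature hash")
        if c["isCa"] == "false":  # checks that only apply to the NSX Manager leaf
            if c["subjectCn"] != expected_cn:
                findings.append("CN mismatch")
            if c["issuerCn"] not in ca_names:
                findings.append("issuer not in uploaded chain")
            if int(c["publicKeyLength"]) != csr_bits:
                findings.append("key size differs from CSR")
        report.append((c["subjectCn"], expires.date().isoformat(), findings))
    return report

print(audit(SAMPLE, datetime.now(timezone.utc), "nsxmgr.alex.local"))
```

On the output above this reports the key-size difference: csr.xml asks for 4096 bits, while the installed leaf reports a publicKeyLength of 2048. Once the CA-signed chain is installed, the curl calls can drop -k and verify the server with --cacert pointing at the issuing CA's certificate.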

 

Sources and Additional Reading

NSX Rest API Guide

I hope you enjoyed reading this post. Feel free to share this on social media if it is worth sharing. Be sociable :)

 

 
