In this blog we will go over replacing the Corfu certificate in NSX. In this example I will be using the UI to generate the self signed certificate and then an API call to replace the certificate. I covered the same procedure for the MP Corfu certificate and the CCP Corfu certificate in separate posts.

The Expired CSM Corfu Certificate

In my case the CSM Corfu certificate has already expired

Expired certificate alert shown for CSM Corfu client certificate.

Generating a New Self-Signed Certificate

In the top menu bar I went to Generate -> Generate Self Signed Certificate

Fields for creating a self-signed certificate, including Common Name, Name, Organization Unit, etc.

Next I had to grab the new certificate ID

Table with columns for Name, Type, and Issued To, displaying a self-signed certificate for a node.

Applying the Certificate via the NSX API

The next step is to replace the old certificate with the new certificate via an API call. For this I used Postman but any other tool could potentially be used.

The URL for the post call would go against https://nsx-vip-01a.corp.local/api/v1/trust-management/certificates/cert_id?action=apply_certificate&service_type=CBM_CSM&node_id=node_id

The node ID can be found under Appliances -> View details on node, the value to the right for UUID ex

Appliance details: Version 4.1.0.2.0.21761695, Deployment Type Manual, Transport Nodes 4, UUID and Cert Thumbprint fields.

For authentication I used basic, per best practices we should be using a token.

For headers had to add Content-Type application\json ex

“Headers” tab with “Content-Type: application/json” selected.

In the body I picked raw and added the following in

{ "cert_id": "65f3c890-485c-4c54-b80a-51cef8db7124",
"service_type": "CBM_CSM" }

The cert ID is from the certificate I generated earlier. ex

JSON body with “cert_id” and “service_type” fields for a certificate replacement in NSX.

Once I clicked send I was presented back with a 200 OK

API response with 200 OK status, 527 B, and 2.44 s delay.

Verifying the New Certificate

Going in the web browser I can also see that the new certificate is now used and the old one doesn’t have anything assigned to it ex

Certificate management page shows expired and valid certificates, with options to import or generate.

Deleting the Old Certificate

The final step I did was removing the old certificate by clicking on the 3 dots to left and picking delete from the menu. If the delete fails because the certificate is still in use by a node, see this fix.

Expired certificate warning, options to delete, export, or copy ID.