---
title: Generating and Registering the NSX Manager Certificate for PKS
owner: PKS
---
<strong><%= modified_date %></strong>
This topic describes how to generate and register the NSX Manager certificate authority (CA) certificate in preparation for installing Pivotal Container Service (PKS) on vSphere with NSX-T.
## <a id='prerequisites'></a>Prerequisites
Before you begin this procedure, ensure that you have successfully completed all preceding steps for installing PKS on vSphere with NSX-T, including:
<ul>
<li>
<a href="./nsxt-deploy.html">Deploy NSX-T for PKS</a>
</li>
<li>
<a href="./nsxt-prepare-mgmt-plane.html">Create PKS Management Plane</a>
</li>
<li>
<a href="./nsxt-prepare-compute-plane.html">Create PKS Compute Plane</a>
</li>
<li>
<a href="./vsphere-nsxt-om-deploy.html">Deploy Ops Manager with NSX-T for PKS</a>
</li>
</ul>
## <a id='certificates-nsx-mgr'></a>About the NSX Manager CA Certificate
The NSX Manager CA certificate is used to authenticate with the NSX Manager. You create an IP-based, self-signed certificate and register it with the NSX Manager. During PKS installation on vSphere with NSX-T, you provide this certificate in the **NSX Manager CA Cert** field in the **Networking** pane in the PKS tile.
See the **NSX Manager CA Cert** field in the following screenshot:
<img src="images/nsxt/nsx-ca-cert.png" alt="NSX Manager CA certificate configuration" width="575">
For configuration information, see the [Networking](installing-nsx-t.html#networking) section of _Installing PKS on vSphere with NSX-T_.
By default, the NSX Manager includes a self-signed API certificate with its hostname as the subject and issuer. Ops Manager requires strict certificate validation and expects the subject and issuer of the self-signed certificate to be either the IP address or fully qualified domain name (FQDN) of the NSX Manager. As a result, you need to regenerate the self-signed certificate using the FQDN of the NSX Manager in the subject and issuer field and then register the certificate with the NSX Manager using the NSX API.
The **Disable SSL certificate verification** option lets you disable validation of the NSX Manager CA certificate. Select this option for testing purposes only.
<p class="note"><strong>Note</strong>: If you disable SSL certificate verification, leave the CA certificate field blank. If you enter text in this field when SSL certificate verification is disabled, the PKS installation fails. If you populate the CA certificate field and later decide to disable SSL certificate verification, you must remove the certificate.</p>
## <a id='generate-self-signed-certificate'></a>Step 1: Generate a Self-Signed CA Certificate for the NSX Manager
Complete the following steps to generate a self-signed CA certificate for the NSX Manager:
1. Create a file for the certificate request parameters named `nsx-cert.cnf`.
1. Copy the following parameters and paste them into the file, replacing `NSX-MANAGER-IP-ADDRESS` with the IP address of your NSX Manager, and `NSX-MANAGER-COMMONNAME` with the FQDN of the NSX Manager host:
```
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = California
localityName = CA
organizationName = NSX
commonName = NSX-MANAGER-COMMONNAME
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = NSX-MANAGER-COMMONNAME
IP.1 = NSX-MANAGER-IP-ADDRESS
```
For example:
<pre class="terminal">
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = California
localityName = Palo-Alto
organizationName = NSX
commonName = nsxmgr-01a.example.com
[ req_ext ]
subjectAltName=DNS:nsxmgr-01a.example.com,IP:192.0.2.40
</pre>
1. Export the `NSX_MANAGER_IP_ADDRESS` and `NSX_MANAGER_COMMONNAME` environment variables using the IP address of your NSX Manager and the FQDN of the NSX Manager host.<br><br>
For example:
<pre class="terminal">
$ export NSX_MANAGER_IP_ADDRESS=192.0.2.40
$ export NSX_MANAGER_COMMONNAME=nsxmgr-01a.example.com
</pre>
1. Generate the certificate and private key using `openssl`. Run the following command:
<pre class="terminal">
$ openssl req -newkey rsa:2048 -x509 -nodes \
-keyout nsx.key -new -out nsx.crt -subj /CN=$NSX_MANAGER_COMMONNAME \
-reqexts SAN -extensions SAN -config <(cat ./nsx-cert.cnf \
<(printf "[SAN]\nsubjectAltName=DNS:$NSX_MANAGER_COMMONNAME,IP:$NSX_MANAGER_IP_ADDRESS")) -sha256 -days 365
</pre>
1. Verify that the certificate looks correct and that both the NSX Manager FQDN and the NSX Manager IP address appear in the Subject Alternative Name (SAN) extension by running the following command:
<pre class="terminal">
$ openssl x509 -in nsx.crt -text -noout
</pre>
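The reason the IP address must appear in the SAN, and not only in the subject CN, is that a strictly validating client matches the address it connected to against the SAN entries. The following Go program is an added example, not part of the PKS documentation or the NSX-T product: it builds a self-signed certificate with the same subject and SAN layout as the `openssl` command above (using the page's sample values `nsxmgr-01a.example.com` and `192.0.2.40`, and an ECDSA P-256 key instead of RSA 2048 purely to keep it fast), then runs the check that Step 4 asks you to do by eye, and shows that the same certificate without the IP SAN entry fails validation by IP. The function name `CheckNSXManagerCert` is this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newSelfSignedPEM mirrors the openssl command in Step 1: CN set to the
// NSX Manager FQDN, FQDN in the SAN, and (when ip != nil) the IP address
// in the SAN. It returns the certificate PEM-encoded. The key is ECDSA
// P-256 for speed; the page's procedure uses RSA 2048 (assumption: the
// key type does not matter for the SAN check demonstrated here).
func newSelfSignedPEM(fqdn string, ip net.IP) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject: pkix.Name{
			Country:      []string{"US"},
			Province:     []string{"California"},
			Locality:     []string{"Palo-Alto"},
			Organization: []string{"NSX"},
			CommonName:   fqdn,
		},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour), // -days 365
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
		DNSNames:              []string{fqdn},
	}
	if ip != nil {
		tmpl.IPAddresses = []net.IP{ip}
	}
	// Self-signed: template is its own parent, signed with its own key.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// CheckNSXManagerCert is the strict check: the PEM must parse, the subject
// CN must equal the FQDN, and the SAN must cover both the FQDN and the IP
// address, so a client that connects by either name validates the cert.
func CheckNSXManagerCert(certPEM []byte, fqdn, ip string) error {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return fmt.Errorf("no CERTIFICATE block in PEM input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return fmt.Errorf("parse certificate: %w", err)
	}
	if cert.Subject.CommonName != fqdn {
		return fmt.Errorf("subject CN %q does not match expected FQDN %q", cert.Subject.CommonName, fqdn)
	}
	// VerifyHostname matches DNS names against SAN DNSNames and IP
	// strings against SAN IPAddresses; the CN alone is never enough.
	for _, name := range []string{fqdn, ip} {
		if err := cert.VerifyHostname(name); err != nil {
			return fmt.Errorf("SAN does not cover %q: %w", name, err)
		}
	}
	return nil
}

func main() {
	const fqdn, ip = "nsxmgr-01a.example.com", "192.0.2.40" // constructed sample values
	good, err := newSelfSignedPEM(fqdn, net.ParseIP(ip))
	if err != nil {
		panic(err)
	}
	fmt.Println("with IP in SAN:   ", CheckNSXManagerCert(good, fqdn, ip))
	bad, err := newSelfSignedPEM(fqdn, nil)
	if err != nil {
		panic(err)
	}
	fmt.Println("without IP in SAN:", CheckNSXManagerCert(bad, fqdn, ip))
}
```

To apply the same check to the `nsx.crt` you generated, read the file into `certPEM` and pass the values of `NSX_MANAGER_COMMONNAME` and `NSX_MANAGER_IP_ADDRESS`; the `openssl x509 -text` output above should show both names under `X509v3 Subject Alternative Name` whenever this check passes.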
## <a id='import-certificate'></a>Step 2: Import the Certificate to NSX Manager
In this section you import the self-signed CA certificate you generated in the previous step to the NSX Manager.
Complete the following steps to import the certificate to the NSX Manager:
1. Log in to the NSX Manager UI.
1. Navigate to **System > Trust > Certificates**.
1. Click **Import > Import Certificate**.
<img src="images/nsxt/import-cert.png" alt="Import the NSX Manager CA certificate to the NSX Manager" width="475">
<p class="note"><strong>Note</strong>: Make sure you select <strong>Import Certificate</strong> and not <strong>Import CA Certificate</strong>.</p>
1. Give the certificate a unique name, such as `NSX-API-CERT-NEW`.
<p class="note"><strong>Note</strong>: Use a unique name for the new certificate you import. The default NSX Manager CA certificate is typically named <code>NSX-API-CERT</code>.</p>
1. Browse to and select the CA certificate (`nsx.crt`) and private key (`nsx.key`) you generated in the previous section.
1. Click **Save**.
<img src="images/nsxt/import-cert-2.png" alt="Import the NSX Manager CA certificate to the NSX Manager" width="475">
## <a id='register-certificate'></a>Step 3: Register the Certificate with NSX Manager
The last step is to replace the default CA certificate with the new CA certificate you generated. You must use the NSX API to do this.
Complete the following steps to register the certificate with the NSX Manager:
1. Get the ID of the certificate. Run the following command, replacing `ADMIN-PASSWORD` with the administrator password, and `CERTIFICATE-NAME` with the certificate name:
```
curl --insecure -u admin:'ADMIN-PASSWORD' -X \
GET "https://$NSX_MANAGER_IP_ADDRESS/api/v1/trust-management/certificates" \
| jq -r '.results[] | select(.display_name == "CERTIFICATE-NAME") | .id'
```
1. Register the certificate with NSX Manager, replacing `CERTIFICATE-ID` with the certificate ID returned by the previous command, and `ADMIN-PASSWORD` with the administrator password:
```
export CERTIFICATE_ID="CERTIFICATE-ID"
curl --insecure -u admin:'ADMIN-PASSWORD' -X \
POST "https://$NSX_MANAGER_IP_ADDRESS/api/v1/node/services/http?action=apply_certificate&certificate_id=$CERTIFICATE_ID"
```
## <a id='next'></a>Next Step
<a href="./vsphere-nsxt-om-config.html">Configure BOSH Director with NSX-T for PKS</a>.