How to set a CA-signed certificate in NSX-T using PowerShell

When you want to use a CA-signed certificate for NSX-T Manager, the official documentation points out that you have to apply the certificate via the REST API. Everything else is easily done in the GUI, but the most important step is missing from the UI. I hope this will be implemented in the UI as well.

Assign a Virtual IP Address and Certificate to the NSX-T Manager Cluster (vmware.com)

The documentation suggests using Postman, but I wanted to do it via PowerShell. Here is how to do it:

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# Accept any server certificate for this PowerShell session (the manager still
# presents its self-signed certificate at this point)
Add-Type @"
using System.Net;
using System.Security.Cryptography.X509Certificates;
public class TrustAllCertsPolicy : ICertificatePolicy {
    public bool CheckValidationResult(
        ServicePoint srvPoint, X509Certificate certificate,
        WebRequest request, int certificateProblem) {
        return true;
    }
}
"@
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy

# Create the Basic Authentication header
$user = "admin"
$pass = 'password'   # placeholder, replace with the admin password
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"
$Headers = @{
    Authorization = $basicAuthValue
}


# Call this REST method to apply the certificate; run it individually against the IP of each node
Invoke-RestMethod -ContentType 'application/xml' -Headers $Headers -Method Post -Uri "https://10.0.0.1/api/v1/node/services/http?action=apply_certificate&certificate_id=<PlaceYourCertIDHere>"

# Call this REST method to apply the cluster certificate for the virtual IP
Invoke-RestMethod -ContentType 'application/xml' -Headers $Headers -Method Post -Uri "https://10.0.0.1/api/v1/cluster/api-certificate?action=set_cluster_certificate&certificate_id=<PlaceYourCertIDHere>"

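You have to reboot the nodes one by one to apply the node certificates, but the cluster certificate should be applied immediately. You might need to run this first to allow self-signed certificates. Note that it disables certificate validation for every HTTPS request made from the current PowerShell session, so close the session once the certificates are applied: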

Add-Type @"
using System.Net;
using System.Security.Cryptography.X509Certificates;
public class TrustAllCertsPolicy : ICertificatePolicy {
    public bool CheckValidationResult(
        ServicePoint srvPoint, X509Certificate certificate,
        WebRequest request, int certificateProblem) {
        return true;
    }
}
"@
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
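
A narrower alternative to the trust-all policy, as an added example that is not part of the original post: it accepts only the certificate whose SHA-256 thumbprint you pin, so the admin credentials are not sent to an unverified endpoint. It assumes Windows PowerShell 5.1; `PinnedCertPolicy`, `$nsxNode`, `$certId` and `$pinnedSha256` are hypothetical names, and the thumbprint placeholder must be filled with a value verified out of band.

```powershell
# Added example, not from the original post. Assumes Windows PowerShell 5.1.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# Placeholders: fill in values you have verified out of band.
$nsxNode      = '10.0.0.1'                            # node IP used in the post
$certId       = '<PlaceYourCertIDHere>'
$pinnedSha256 = '<PlaceManagerSha256ThumbprintHere>'  # current self-signed cert

Add-Type @"
using System;
using System.Net;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
public class PinnedCertPolicy : ICertificatePolicy {
    private readonly string pinned;
    public PinnedCertPolicy(string sha256Thumbprint) {
        // Normalise "AA:BB ..." style input to bare upper-case hex.
        pinned = sha256Thumbprint.Replace(":", "").Replace(" ", "").ToUpperInvariant();
    }
    public bool CheckValidationResult(
        ServicePoint srvPoint, X509Certificate certificate,
        WebRequest request, int certificateProblem) {
        if (certificateProblem == 0) { return true; }   // chain validated normally
        if (certificate == null) { return false; }
        using (SHA256 sha = SHA256.Create()) {
            byte[] hash = sha.ComputeHash(certificate.GetRawCertData());
            return BitConverter.ToString(hash).Replace("-", "") == pinned;
        }
    }
}
"@

# Prompt for the password instead of storing it in the script.
$cred    = Get-Credential -UserName 'admin' -Message 'NSX-T Manager'
$pair    = '{0}:{1}' -f $cred.UserName, $cred.GetNetworkCredential().Password
$Headers = @{ Authorization = 'Basic ' + [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($pair)) }

$previousPolicy = [Net.ServicePointManager]::CertificatePolicy
[Net.ServicePointManager]::CertificatePolicy = New-Object PinnedCertPolicy $pinnedSha256
try {
    $uri = "https://$nsxNode/api/v1/node/services/http?action=apply_certificate&certificate_id=$certId"
    Invoke-RestMethod -ContentType 'application/xml' -Headers $Headers -Method Post -Uri $uri
}
finally {
    # Restore the previous validation policy for the rest of the session.
    [Net.ServicePointManager]::CertificatePolicy = $previousPolicy
}
```

Once the CA-signed certificate is active and its issuing CA is trusted on the workstation, the `certificateProblem == 0` branch applies and no pin is needed.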

Hope I was able to help you. Cheers
