Another certificate management post, as Let's Encrypt have removed their old root certificates. This post shows how to update signed certificates for NSX-T.
NSX-T checks certificate chains when importing certificates, and unless the full chain of trust is available, you will not be able to use the certificate with NSX-T.
This link here shows the chain of trust for Let's Encrypt certificates.
The certificate chain for Let's Encrypt is as follows:
your-certificate -> R3 -> ISRG Root X1
Your certificate is delivered to you after you request a certificate using Let's Encrypt services. The file that contains your certificate is named cert.pem.
The R3 certificate can be downloaded with this link
The ISRG Root X1 certificate can be downloaded with this link
To create a complete chain that NSX-T can accept, combine the contents of the files above into a single file in this order: cert, R3, X1, like this:
-----BEGIN CERTIFICATE-----
cert.pem content
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
R3.pem content
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
X1.pem content
-----END CERTIFICATE-----
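One way to build the combined file and catch ordering mistakes before the import, as an added example that is not part of the original post. It checks only that each certificate's issuer name equals the subject name of the next one and that the last certificate is self-issued; it does not verify signatures or expiry, and all function names are assumptions.

```python
import base64, re, sys, textwrap
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def tlv(buf, pos):
    """Read one DER element at pos; return (tag, content_start, content_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def names(der):
    """Return (issuer, subject) as raw DER bytes from an X.509 certificate."""
    pos = tlv(der, tlv(der, 0)[1])[1]  # step into Certificate, then TBSCertificate
    tag, _, end = tlv(der, pos)
    if tag == 0xA0:                    # skip the optional [0] version field
        pos = end
    fields = []
    for _field in range(5):            # serial, signature alg, issuer, validity, subject
        _, _, end = tlv(der, pos)
        fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def load_one(pem_text, label):  # exactly one certificate per input, no private key
    if "PRIVATE KEY" in pem_text:
        raise ValueError(f"{label}: contains a private key")
    blocks = PEM_RE.findall(pem_text)
    if len(blocks) != 1:
        raise ValueError(f"{label}: expected 1 certificate, found {len(blocks)}")
    return base64.b64decode("".join(blocks[0].split()))

def to_pem(der):
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def build_chain(cert_pem, intermediate_pem, root_pem):
    """Return the chain text in the order cert, intermediate, root after checking links."""
    labels = ("cert", "intermediate", "root")
    ders = [load_one(p, l) for p, l in zip((cert_pem, intermediate_pem, root_pem), labels)]
    ids = [names(d) for d in ders]
    for i in (0, 1):                   # each issuer must equal the next certificate's subject
        if ids[i][0] != ids[i + 1][1]:
            raise ValueError(f"{labels[i]}: issuer is not the subject of {labels[i + 1]}")
    if ids[2][0] != ids[2][1]:
        raise ValueError("root: not self-issued, so the chain is incomplete")
    return "".join(to_pem(d) for d in ders)

if __name__ == "__main__" and len(sys.argv) == 4:  # cert.pem R3.pem X1.pem > chain.pem
    sys.stdout.write(build_chain(*(open(p).read() for p in sys.argv[1:4])))
```

Re-encoding each certificate also normalises line endings, so inputs that lack a trailing newline cannot run an END line into the next BEGIN line.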
Now you can use this new file to import and use this new certificate in NSX-T. It will look similar to this if successful.
4 thoughts on “Replacing NSX-T Controller SSL Certificates with Lets Encrypt”
Not working now. X3 expired
Details here https://letsencrypt.org/certificates/