Generate a CSR w/ SAN entries using the NSX-T APIs for your manager appliances, self-sign it, and apply the resulting certificate.
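# Generates a CSR with SAN entries through the NSX-T API, self-signs it, and
# applies the resulting certificate to the cluster VIP and each manager node.
# Written for bash.
#
# These values are unique to your environment.
# DO NOT USE this code if your NSX-T instance is managed by a service provider.
# You risk breaking your SLA/contracts/blahblahblah and yourself.
NSXMgr=IPorDNSNameofyourNSXManager
domainsuffix=zsoldier.com
org=zsoldiernet
orgunit=blog
country=US
state=GA
locality=ATL
# Dynamically generated values based on entries above. Adjust values to your needs.
# These values must be DNS resolvable.
NSXVIP="nsx.$domainsuffix"
NSXApp01="nsx01.$domainsuffix"
NSXApp02="nsx02.$domainsuffix"
NSXApp03="nsx03.$domainsuffix"
# Optional: path to a CA bundle that can validate the managers' current
# certificates. When empty, certificate verification is disabled (curl -k), so
# the admin password is sent to an endpoint whose identity is not checked.
# Run this only from a trusted management network in that case.
NSXCACert=${NSXCACert:-}

#######################################
# Runs curl against NSX with the admin credentials supplied as a curl config
# on stdin, so the password is not visible in the process list.
# Globals:   nsx_auth_config (read), nsx_tls_args (read) - set by the caller
# Arguments: any further curl arguments
# Outputs:   response body on stdout
# Returns:   curl's exit status; non-zero on HTTP errors because of --fail
#######################################
nsx_curl() {
  curl --config - --fail --silent --show-error "${nsx_tls_args[@]}" "$@" \
    <<<"$nsx_auth_config"
}

#######################################
# Extracts the value of the "id" field from a pretty-printed NSX JSON response.
# Arguments: $1 - response body
# Outputs:   the id value(s), one per matching line
#######################################
extract_id() {
  # Quoted so the JSON keeps its line breaks; the awk match is line-oriented.
  printf '%s\n' "$1" |
    awk -F ': ' '/"id" /{print substr($2,2, length($2)-3)}'
}

#######################################
# Prompts for the admin password, then creates, self-signs and applies the
# certificate.
# Globals:   configuration variables above (read)
# Returns:   0 if every step succeeded, 1 otherwise
#######################################
apply_nsx_certificates() {
  local secret escaped nsx_auth_config csr_payload
  local result csrId csrsignResult certId node
  local rc=0
  local -a nsx_tls_args=(--insecure)

  if [[ -n "$NSXCACert" ]]; then
    nsx_tls_args=(--cacert "$NSXCACert")
  fi

  # Prompt without echoing the password; -r keeps backslashes literal.
  printf 'Enter NSX Admin Password:'
  IFS= read -rs secret
  printf '\n'

  # Escape backslashes and double quotes for curl's quoted config syntax.
  escaped=${secret//\\/\\\\}
  escaped=${escaped//\"/\\\"}
  nsx_auth_config="user = \"admin:$escaped\""

  # The O attribute uses $org, the organisation value defined above
  # (the script previously referenced an unset variable here).
  csr_payload=$(cat <<EOF
{
  "subject": {
    "attributes": [
      { "key": "CN", "value": "$NSXVIP" },
      { "key": "O",  "value": "$org" },
      { "key": "OU", "value": "$orgunit" },
      { "key": "C",  "value": "$country" },
      { "key": "ST", "value": "$state" },
      { "key": "L",  "value": "$locality" }
    ]
  },
  "key_size": "2048",
  "algorithm": "RSA",
  "extensions": {
    "subject_alt_names": {
      "dns_names": [
        "$NSXApp01",
        "$NSXApp02",
        "$NSXApp03"
      ]
    }
  }
}
EOF
  )

  # Generate CSR
  result=$(nsx_curl --request POST \
    --url "https://$NSXMgr/api/v1/trust-management/csrs-extended" \
    --header 'Content-Type: application/json' \
    --data "$csr_payload") || {
    printf 'CSR request failed\n' >&2
    return 1
  }

  # Capture CSR ID; stop rather than call the signing URL with an empty id.
  csrId=$(extract_id "$result")
  if [[ -z "$csrId" ]]; then
    printf 'Could not read a CSR id from the response\n' >&2
    return 1
  fi

  # Sign CSR
  csrsignResult=$(nsx_curl --request POST \
    --url "https://$NSXMgr/api/v1/trust-management/csrs/$csrId?action=self_sign&days_valid=825") || {
    printf 'Self-signing the CSR failed\n' >&2
    return 1
  }

  # Capture CertId
  certId=$(extract_id "$csrsignResult")
  if [[ -z "$certId" ]]; then
    printf 'Could not read a certificate id from the response\n' >&2
    return 1
  fi

  # Apply newly self-signed certificate to cluster VIP
  nsx_curl --request POST \
    --url "https://$NSXMgr/api/v1/cluster/api-certificate?certificate_id=$certId&action=set_cluster_certificate" || {
    printf 'Applying the certificate to the cluster VIP failed\n' >&2
    rc=1
  }

  # Apply self-signed certificate to Manager VMs. A failure on one node is
  # reported but does not stop the remaining nodes from being attempted.
  for node in "$NSXApp01" "$NSXApp02" "$NSXApp03"; do
    nsx_curl --request POST \
      --url "https://$node/api/v1/node/services/http?action=apply_certificate&certificate_id=$certId" || {
      printf 'Applying the certificate to %s failed\n' "$node" >&2
      rc=1
    }
  done

  # secret and nsx_auth_config are local, so they are discarded on return.
  return "$rc"
}

apply_nsx_certificates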