Generate a CSR with SAN entries using the NSX-T APIs for your manager appliances, self-sign it, and apply the resulting certificate.
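#!/usr/bin/env bash
# Generate a CSR with SAN entries through the NSX-T trust-management API, self-sign it,
# and apply the resulting certificate to the cluster VIP and each manager node.
#
# These values are unique to your environment.
# DO NOT USE this code if your NSX-T instance is managed by a service provider.
# You risk breaking your SLA/contracts/blahblahblah and yourself.
# This script works when running from a MacOS zsh Terminal Session. YMMV w/ Linux Terminals
# Requires: curl, grep, awk, mktemp.
set -euo pipefail

NSXMgr=IPorDNSNameofyourNSXManager
domainsuffix=zsoldier.com
org=zsoldiernet
orgunit=blog
country=US
state=GA
locality=ATL
# Dynamically generated values based on entries above. Adjust values to your needs.
# These values must be DNS resolvable.
NSXVIP=nsx.$domainsuffix
NSXApp01=nsx01.$domainsuffix
NSXApp02=nsx02.$domainsuffix
NSXApp03=nsx03.$domainsuffix

# Print a message to stderr and abort the script.
die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Pull the value of every "id" field out of an NSX API JSON response.
# NSX pretty-prints its JSON with a space on both sides of the colon, so the
# pattern is '"id" : "…'; this grep form works on both MacOS (zsh) and Ubuntu.
# Arguments: $1 - raw JSON response
# Outputs:   one id per line on stdout (empty, non-zero status if none found)
#######################################
extract_id() {
  printf '%s' "$1" \
    | grep -o '"id" : "[^"]*' \
    | awk -F ': ' '/"id" /{print substr($2,2, length($2))}'
}

#######################################
# POST to an NSX API endpoint using the admin credential from the curl config file.
# -k is kept because the managers still present the certificate this script is
# about to replace, so the chain cannot be validated yet.
# Globals:   curlcfg (read)
# Arguments: extra curl options (--url, --header, --data, ...)
# Outputs:   response body on stdout; curl errors on stderr
#######################################
nsx_post() {
  curl --silent --show-error --request POST -k -K "$curlcfg" "$@"
}

# This will prompt you for the NSX admin password and capture it for the rest of the
# code to run properly w/o exposing it in clear text on screen.
printf 'Enter NSX Admin Password: '
IFS= read -r -s secret
printf '\n'
[[ -n "$secret" ]] || die "no password given"

# Keep the password out of argv (visible to anyone running `ps`) by handing curl a
# config file that only this user can read (mktemp creates it 0600); it is removed
# on every exit path. curl config strings are double-quoted, so escape '\' and '"'.
curlcfg=$(mktemp) || die "mktemp failed"
trap 'rm -f -- "$curlcfg"' EXIT
esc=${secret//\\/\\\\}
esc=${esc//\"/\\\"}
printf 'user = "admin:%s"\n' "$esc" > "$curlcfg"
unset secret esc

# Request body for the CSR. The values are spliced in verbatim, so a '"' or '\' in
# the settings above would produce invalid JSON; they are operator-set constants,
# not external input. The VIP name is listed in the SANs as well as the CN because
# modern clients ignore the CN when validating a hostname.
csr_body=$(cat <<EOF
{
  "subject": {
    "attributes": [
      { "key": "CN", "value": "$NSXVIP" },
      { "key": "O",  "value": "$org" },
      { "key": "OU", "value": "$orgunit" },
      { "key": "C",  "value": "$country" },
      { "key": "ST", "value": "$state" },
      { "key": "L",  "value": "$locality" }
    ]
  },
  "key_size": "2048",
  "algorithm": "RSA",
  "extensions": {
    "subject_alt_names": {
      "dns_names": [ "$NSXVIP", "$NSXApp01", "$NSXApp02", "$NSXApp03" ]
    }
  }
}
EOF
)

# Generate CSR's
result=$(nsx_post --url "https://$NSXMgr/api/v1/trust-management/csrs-extended" \
  --header 'Content-Type: application/json' --data "$csr_body")

# Capture CSR ID; stop here rather than continue with an empty or ambiguous id,
# which would otherwise turn into a malformed URL on the next call.
csrId=$(extract_id "$result" || true)
[[ -n "$csrId" ]] || die "could not find a CSR id in the response:"$'\n'"$result"
[[ "$csrId" != *$'\n'* ]] || die "more than one id found in the CSR response:"$'\n'"$result"

# Sign CSR (825 days is the longest validity widely accepted by browsers/OS trust stores)
csrsignResult=$(nsx_post --url "https://$NSXMgr/api/v1/trust-management/csrs/$csrId?action=self_sign&days_valid=825")

# Capture CertId
certId=$(extract_id "$csrsignResult" || true)
[[ -n "$certId" ]] || die "could not find a certificate id in the response:"$'\n'"$csrsignResult"
[[ "$certId" != *$'\n'* ]] || die "more than one id found in the signing response:"$'\n'"$csrsignResult"

# Revision capture example, unneeded for script; same grep method as extract_id.
# revision=$(printf '%s' "$result" | grep -o '"_revision" : [0-9]*' | awk -F ': ' '{print int($2)}')

# Apply newly self-signed certificate to cluster VIP
nsx_post --url "https://$NSXMgr/api/v1/cluster/api-certificate?action=set_cluster_certificate&certificate_id=$certId"
printf '\n'

# Apply self-signed certificate to Manager VMs
for node in "$NSXApp01" "$NSXApp02" "$NSXApp03"; do
  nsx_post --url "https://$node/api/v1/node/services/http?action=apply_certificate&certificate_id=$certId"
  printf '\n'
done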