NSX-T Data Center REST API

Associated URIs:

API Description API Path

Return the Properties of a Trust Manager


Returns information about the supported algorithms and key sizes.
GET /api/v1/trust-management

Get the certificate profile for the given service type


Get an available certificate profile.
Note that not every service type has an active certificate profile.
GET /api/v1/trust-management/certificate-profile/{service-type}

Return the list of certificate profiles.


List the certificate profiles currently active on the NSX Manager.
This list depends on the type of instance deployed and which certificates
are currently managed through the certificate-profile manager. That list is
expected to expand in future releases.
GET /api/v1/trust-management/certificate-profiles

Return All the User-Facing Components' Certificates


Returns all certificate information viewable by the user, including each
certificate's UUID; resource_type (for example, certificate_self_signed,
certificate_ca, or certificate_signed); pem_encoded data; and history of the
certificate (who created or modified it and when). For additional
information, include the ?details=true modifier at the end of the request
URI.
GET /api/v1/trust-management/certificates

Add a New Certificate


Adds a new certificate, or a chain of certificates (including CAs), and,
optionally, its private key, so that it can be applied to one of the
user-facing components (appliance management or edge). The certificate and
the key must be PEM encoded. If no private key is provided, the certificate
is used as a client certificate in the trust store.
A private key can be uploaded for a CA certificate only if the "purpose"
parameter is set to "signing-ca".
POST /api/v1/trust-management/certificates?action=import
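The following is an added example, not code from the NSX-T API reference or from the product: it splits a local PEM bundle into the chain and the key and builds the JSON body for the import call, enforcing the rules stated above before anything is sent. It assumes (this is not stated on the page) that the body fields are named pem_encoded, private_key, passphrase and purpose; the PEM content it feeds itself is constructed filler, not a real certificate or key.

```python
"""Added example (not part of the NSX-T API reference): inspect a local PEM
bundle and build the body for
POST /api/v1/trust-management/certificates?action=import.

Assumptions (not stated on the page): the request body is a JSON object with
fields pem_encoded, private_key, passphrase and purpose.  The sample PEM
blocks below are constructed base64 filler, not real certificates or keys.
"""
import base64
import binascii
import re

IMPORT_PATH = "/api/v1/trust-management/certificates?action=import"

# One PEM block: label, base64 body, END line carrying the same label.
_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)
_KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
               "ENCRYPTED PRIVATE KEY"}


def split_pem(bundle):
    """Return [(label, block_text)] for every well-formed PEM block.
    A block with corrupt base64 raises instead of being skipped: importing
    a silently truncated chain is worse than importing nothing."""
    blocks = []
    for m in _PEM_BLOCK.finditer(bundle):
        label, body = m.group(1), m.group(2)
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error as exc:
            raise ValueError("malformed base64 in %s block" % label) from exc
        blocks.append((label, m.group(0)))
    return blocks


def build_import_body(bundle, passphrase=None, purpose=None):
    """Split the bundle into the certificate chain (pem_encoded) and at most
    one private key (private_key).  Rules enforced client-side:
    - no key: the certificate goes into the trust store as a client cert;
    - purpose="signing-ca" (needed when the key belongs to a CA certificate)
      is only accepted together with a key;
    - a passphrase is only accepted for an ENCRYPTED PRIVATE KEY block."""
    blocks = split_pem(bundle)
    certs = [text for label, text in blocks if label == "CERTIFICATE"]
    keys = [(label, text) for label, text in blocks if label in _KEY_LABELS]
    if not certs:
        raise ValueError("bundle contains no CERTIFICATE block")
    if len(keys) > 1:
        raise ValueError("bundle contains more than one private key")
    body = {"pem_encoded": "\n".join(certs)}
    if keys:
        label, text = keys[0]
        body["private_key"] = text
        if label == "ENCRYPTED PRIVATE KEY":
            if not passphrase:
                raise ValueError("encrypted key needs a passphrase")
            body["passphrase"] = passphrase
        elif passphrase:
            raise ValueError("passphrase given for an unencrypted key")
        if purpose:
            if purpose != "signing-ca":
                raise ValueError("unsupported purpose %r" % purpose)
            body["purpose"] = purpose
    elif purpose or passphrase:
        raise ValueError("purpose/passphrase require a private key")
    return body


def _fake_block(label, payload):
    """Constructed PEM block with filler content (NOT a real cert or key)."""
    b64 = base64.b64encode(payload).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----" % (
        label, "\n".join(lines), label)


# Constructed sample: leaf cert, issuing CA and the leaf's key in one file.
SAMPLE_BUNDLE = "\n".join([
    _fake_block("CERTIFICATE", b"constructed leaf certificate bytes"),
    _fake_block("CERTIFICATE", b"constructed intermediate CA bytes"),
    _fake_block("PRIVATE KEY", b"constructed private key bytes"),
])

if __name__ == "__main__":
    body = build_import_body(SAMPLE_BUNDLE)
    print("POST", IMPORT_PATH)
    print("chain blocks:", body["pem_encoded"].count("BEGIN CERTIFICATE"),
          "key present:", "private_key" in body)
```

The chain is kept in file order; put the leaf first and its issuers after it, since the key has to belong to the first certificate of the chain for the server-side import to succeed.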

Set a certificate as a GM or LM Principal Identity certificate


Set an already imported certificate as the principal identity certificate
of the local cluster, with service type GM or LM.
Currently, the service type specified must match the current service type
of the local cluster.
POST /api/v1/trust-management/certificates?action=set_pi_certificate_for_federation (Deprecated)

Fetch the server certificate chain of a TLS service endpoint


Attempt to connect to a TLS service endpoint and retrieve the server certificate chain it presents.
The chain is returned as presented by the peer, so verify it out of band (for example, against a
fingerprint obtained from the endpoint's owner) before importing it as a trust anchor.
POST /api/v1/trust-management/certificates?action=fetch_peer_certificate_chain

Set a certificate as the Appliance Proxy certificate to be used in inter-site communication


Set a certificate that has been imported to be the Appliance Proxy certificate
used for communicating with Appliance Proxies on other sites.
POST /api/v1/trust-management/certificates?action=set_appliance_proxy_certificate_for_inter_site_communication (Deprecated)

Add a CA certificate as a trust anchor


POST /api/v1/trust-management/certificates/{alias}?action=import_trusted_ca

Delete Certificate for the Given Certificate ID


Removes the specified certificate. The private key associated with the
certificate is also deleted.
DELETE /api/v1/trust-management/certificates/{cert-id}

Validate a certificate


Checks whether certificate is valid. When the certificate contains a chain, the full chain is validated.
The usage parameter can be SERVER (default) or CLIENT. This indicates whether the certificate needs to
be validated as a server-auth or a client-auth certificate.
GET /api/v1/trust-management/certificates/{cert-id}?action=validate

Show Certificate Data for the Given Certificate ID


Returns information for the specified certificate ID, including the
certificate's UUID; resource_type (for example, certificate_self_signed,
certificate_ca, or certificate_signed); pem_encoded data; and history of the
certificate (who created or modified it and when). For additional
information, include the ?details=true modifier at the end of the request
URI.
GET /api/v1/trust-management/certificates/{cert-id}

Apply a certificate for a CertificateProfile


Look up the certificate profile matching the service-type and apply the certificate.
When the certificate profile has cluster_certificate=false, the node_id parameter
is required to designate the node where the certificate is applied.
Note that when applying CA-signed certificates to either the API certificate profile
or the MGMT_CLUSTER certificate profile, the certificate's CN or SAN extension must
match the endpoint's IP or FQDN. Consequently, a CA-signed certificate cannot be applied
to the MGMT_CLUSTER profile of a cluster whose VIP has not been configured first.
POST /api/v1/trust-management/certificates/{cert-id}?action=apply_certificate
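The following is an added example, not code from the NSX-T API reference or from the product: it performs the pre-flight checks implied by the description above (node_id required for per-node profiles; CN/SAN must cover the endpoint for the API and MGMT_CLUSTER profiles; MGMT_CLUSTER needs a VIP) before building the apply request. It assumes, beyond what the page states, that the service type and node are passed as query parameters named service_type and node_id, and that the caller has already extracted the CN and SAN values from the certificate. Name matching follows the usual RFC 6125 rules (one leftmost wildcard label, no match across dots, CN consulted only when no DNS SAN exists); the hostnames and IPs are constructed samples.

```python
"""Added example (not part of the NSX-T API reference): pre-flight checks for
POST /api/v1/trust-management/certificates/{cert-id}?action=apply_certificate.

Assumptions (not stated on the page): service type and node travel as query
parameters service_type and node_id; CN/SAN values are supplied by the caller.
Matching follows RFC 6125: one leftmost wildcard label, no match across dots,
CN used only when the certificate has no DNS SAN.
"""
import ipaddress
from urllib.parse import urlencode

APPLY_PATH = "/api/v1/trust-management/certificates/%s"
ENDPOINT_BOUND_PROFILES = {"API", "MGMT_CLUSTER"}


def _dns_match(pattern, host):
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*.") or "*" in pattern[1:]:
        return False
    # '*.corp.example' covers 'vip.corp.example' but neither
    # 'a.b.corp.example' nor 'corp.example': same label count, same suffix.
    return host.endswith(pattern[1:]) and host.count(".") == pattern.count(".")


def cert_matches_endpoint(cn, san_dns, san_ips, endpoint):
    """True when the certificate names cover endpoint (an FQDN or IP literal)."""
    try:
        wanted_ip = ipaddress.ip_address(endpoint)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:
        # An IP endpoint must appear as an IP SAN; a DNS SAN spelling the
        # same digits does not count.
        return any(ipaddress.ip_address(ip) == wanted_ip for ip in san_ips)
    names = list(san_dns) if san_dns else ([cn] if cn else [])
    return any(_dns_match(name, endpoint) for name in names)


def apply_certificate_request(cert_id, service_type, cluster_certificate, *,
                              cn=None, san_dns=(), san_ips=(), endpoint=None,
                              node_id=None, is_ca_signed=True):
    """Return (method, path) for the apply call, or raise before touching the API.
    endpoint is the cluster VIP (MGMT_CLUSTER) or the node's FQDN/IP (API)."""
    if not cluster_certificate and not node_id:
        raise ValueError("per-node profile (cluster_certificate=false): node_id required")
    if service_type in ENDPOINT_BOUND_PROFILES and is_ca_signed:
        if not endpoint:
            raise ValueError("%s: configure the endpoint (VIP/FQDN) before applying"
                             % service_type)
        if not cert_matches_endpoint(cn, san_dns, san_ips, endpoint):
            raise ValueError("certificate CN/SAN does not cover %s" % endpoint)
    params = {"action": "apply_certificate", "service_type": service_type}
    if node_id:
        params["node_id"] = node_id
    return "POST", "%s?%s" % (APPLY_PATH % cert_id, urlencode(params))


if __name__ == "__main__":
    # Constructed sample: wildcard SAN covering the manager's FQDN.
    print(apply_certificate_request("c1", "API", True,
                                    san_dns=["*.corp.example"],
                                    endpoint="nsx-mgr.corp.example"))
```

Run the check against the values returned by GET /api/v1/trust-management/certificates/{cert-id}?details=true for the certificate you intend to apply; a mismatch caught here costs nothing, whereas one caught by the server leaves you debugging a failed apply on a live manager.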

Batch replace certificates


Replaces one or more certificates. A certificate can be replaced through
this API only if it has a private key and a certificate profile, recorded in
the used-by section of the certificate, exists. Invoking this API while a
certificate replacement started by an earlier call is still running results
in an error.

The results of these batch operations can be queried by calling the API
GET /api/v1/trust-management/certificates/batch-results
POST /api/v1/trust-management/certificates/action/batch-replace

Renew all internal appliance certificates that will expire soon


Locates all certificates that are used for internal NSX appliance communications
that will expire soon (by default, 31 days). If any such certificates exist, a
batch operation will be started that creates new certificates and private keys
and installs them. After calling this API, you can check on the status of this
asynchronous batch operation with the API GET
https://<nsx-mgr>/api/v1/trust-management/certificates/batch-results
POST /api/v1/trust-management/certificates/action/renew-appliance-certificates

Replace a Host Certificate


Sends a new private-public certificate or a chain of certificates (CAs) and a private key to be used on a Transport Node.
POST /api/v1/trust-management/certificates/action/replace-host-certificate/{host-id}

Delete result of certificates batch operation


Delete the batch-results of certificate operations created by calling the
POST /api/v1/trust-management/certificates/action/batch-replace or
POST /api/v1/trust-management/certificates/action/renew-appliance-certificates
API. Invoking this API while a certificate batch operation is pending results
in an error. With the force=true parameter, the result of the batch operation
is deleted and the pending certificate operations are force-stopped.
DELETE /api/v1/trust-management/certificates/batch-results

Get result of certificates batch operation


Get the batch-result of certificate operations created by calling the POST
/api/v1/trust-management/certificates/action/batch-replace or
/api/v1/trust-management/certificates/action/renew-appliance-certificates API.
GET /api/v1/trust-management/certificates/batch-results

Return the list of CrlDistributionPoints


GET /api/v1/trust-management/crl-distribution-points

Create a Crl Distribution Point


Create an entity that will represent a Crl Distribution Point
POST /api/v1/trust-management/crl-distribution-points

Delete a CrlDistributionPoint


Delete a CrlDistributionPoint. It does not delete the actual CRL.
DELETE /api/v1/trust-management/crl-distribution-points/{crl-distribution-point-id}

Return the CrlDistributionPoint with <crl-distribution-point-id>


GET /api/v1/trust-management/crl-distribution-points/{crl-distribution-point-id}

Update the CrlDistributionPoint with <crl-distribution-point-id>. This allows updating the ManagedResource fields.


PUT /api/v1/trust-management/crl-distribution-points/{crl-distribution-point-id}

Return the status of the CrlDistributionPoint


GET /api/v1/trust-management/crl-distribution-points/{crl-distribution-point-id}/status

Return stored CRL in PEM format


POST /api/v1/trust-management/crl-distribution-points/pem-file

Return All Added CRLs


Returns information about all CRLs. For additional information, include the
?details=true modifier at the end of the request URI.
GET /api/v1/trust-management/crls

Add a New Certificate Revocation List


Adds a new certificate revocation list (CRL). The CRL is used to verify the
status of client certificates against the revocation list published by the
CA, so the administrator must also add the CA's CRL to the certificate
repository.
A CRL can be in PEM X.509 format (crl_type=X509) or JSON OneCRL format
(crl_type=OneCRL).
If crl_type is not specified, it is auto-detected from the presence of the
pem_encoded or one_crl field.
POST /api/v1/trust-management/crls?action=import
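The following is an added example, not code from the NSX-T API reference or from the product: it mirrors the auto-detection described above on the client side, classifying a CRL as X509 (PEM) or OneCRL (JSON), checking its framing, and building the body for the import call, including the case where an explicitly given crl_type contradicts the content. It assumes, beyond what the page states, that a OneCRL document is a JSON object with a "data" list whose entries carry either issuerName and serialNumber or subject and pubKeyHash (the Mozilla OneCRL layout); the PEM CRL and OneCRL inputs below are constructed samples and the DER inside the PEM is filler.

```python
"""Added example (not part of the NSX-T API reference): classify a CRL and
build the body for POST /api/v1/trust-management/crls?action=import,
mirroring the server's auto-detection (pem_encoded -> X509, one_crl -> OneCRL).

Assumptions (not stated on the page): OneCRL is a JSON object with a "data"
list of entries keyed by issuerName+serialNumber or subject+pubKeyHash.  Only
PEM framing and base64 are checked; the DER is not parsed.  Samples below are
constructed.
"""
import base64
import binascii
import json

CRL_IMPORT_PATH = "/api/v1/trust-management/crls?action=import"
PEM_BEGIN = "-----BEGIN X509 CRL-----"
PEM_END = "-----END X509 CRL-----"


def _check_pem_crl(text):
    lines = text.splitlines()
    if len(lines) < 3 or lines[0] != PEM_BEGIN or lines[-1] != PEM_END:
        raise ValueError("not a PEM X.509 CRL (bad BEGIN/END framing)")
    try:
        base64.b64decode("".join(lines[1:-1]), validate=True)
    except binascii.Error as exc:
        raise ValueError("PEM CRL body is not valid base64") from exc


def _check_one_crl(obj):
    """Return the number of revocation entries, or raise on a malformed list."""
    entries = obj.get("data") if isinstance(obj, dict) else None
    if not isinstance(entries, list) or not entries:
        raise ValueError("OneCRL document has no 'data' entries")
    for i, entry in enumerate(entries):
        if not isinstance(entry, dict):
            raise ValueError("OneCRL entry %d is not an object" % i)
        by_serial = "issuerName" in entry and "serialNumber" in entry
        by_key = "subject" in entry and "pubKeyHash" in entry
        if not (by_serial or by_key):
            raise ValueError("OneCRL entry %d lacks issuer/serial or subject/pubKeyHash" % i)
    return len(entries)


def build_crl_import_body(raw, crl_type=None):
    """Detect the CRL format from the content and return the import body.
    An explicit crl_type that disagrees with the content is an error rather
    than something to paper over: importing a CRL under the wrong type would
    leave the revocation check silently ineffective."""
    text = raw.strip()
    detected = "X509" if text.startswith(PEM_BEGIN) else "OneCRL"
    if crl_type and crl_type != detected:
        raise ValueError("crl_type %s does not match content (%s)" % (crl_type, detected))
    if detected == "X509":
        _check_pem_crl(text)
        return {"crl_type": "X509", "pem_encoded": text}
    try:
        obj = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError("input is neither a PEM X.509 CRL nor JSON") from exc
    _check_one_crl(obj)
    return {"crl_type": "OneCRL", "one_crl": obj}


def _constructed_pem_crl(payload):
    b64 = base64.b64encode(payload).decode()
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_BEGIN] + body + [PEM_END])


# Constructed samples (filler DER, made-up issuer/serial values).
SAMPLE_PEM_CRL = _constructed_pem_crl(b"constructed filler, not a real DER CRL")
SAMPLE_ONECRL = json.dumps({"data": [
    {"issuerName": "CN=Corp Issuing CA", "serialNumber": "0A1B2C"},
    {"subject": "CN=revoked-by-key", "pubKeyHash": "c0ffee"},
]})

if __name__ == "__main__":
    for sample in (SAMPLE_PEM_CRL, SAMPLE_ONECRL):
        print("POST", CRL_IMPORT_PATH, "->", build_crl_import_body(sample)["crl_type"])
```

A CRL is only as current as its nextUpdate; pair the import with a CrlDistributionPoint so the manager refreshes the list rather than relying on a one-off upload.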

Delete a CRL


Deletes an existing CRL.
DELETE /api/v1/trust-management/crls/{crl-id}

Show CRL Data for the Given CRL ID


Returns information about the specified CRL. For additional information,
include the ?details=true modifier at the end of the request URI.
GET /api/v1/trust-management/crls/{crl-id}

Update CRL for the Given CRL ID


Updates an existing CRL.
PUT /api/v1/trust-management/crls/{crl-id}

Return All the Generated CSRs


Returns information about all of the CSRs that have been created.
GET /api/v1/trust-management/csrs

Generate a New Certificate Signing Request


Creates a new certificate signing request (CSR) with the selected extensions.
A CSR is a PEM-encoded request containing information about your
organization (organization name, country, and so on), any requested
extensions, and the server's public key, signed with the matching private
key; it is forwarded to a certificate authority (CA), which issues the
certificate. The private key is generated on the NSX Manager at the same
time as the CSR.
POST /api/v1/trust-management/csrs

Generate a New Self-Signed Certificate


Creates a new self-signed certificate. A private key is also
created at the same time. This is a convenience call that
generates a CSR and then self-signs it. The maximum validity
limit for non-CA certificates is 825 days, except that values
of 3,650 and 36,500 days are also allowed. No limit is set for CA
certificates.
POST /api/v1/trust-management/csrs?action=self_sign

Generate a New Certificate Signing Request with Extensions


Creates a new certificate signing request (CSR) with the selected extensions.
A CSR is a PEM-encoded request containing information about your
organization (organization name, country, and so on), any requested
extensions, and the server's public key, signed with the matching private
key; it is forwarded to a certificate authority (CA), which issues the
certificate. The private key is generated on the NSX Manager at the same
time as the CSR.
POST /api/v1/trust-management/csrs-extended (Deprecated)

Delete a CSR


Removes the specified CSR. A CSR can be deleted once it is no longer needed,
for example after the certificate issued for it has been imported.
DELETE /api/v1/trust-management/csrs/{csr-id}

Show CSR Data for the Given CSR ID


Returns information about the specified CSR.
GET /api/v1/trust-management/csrs/{csr-id}

Upload the Certificate PEM File Signed by the CA Associated with a CSR


Uploads the certificate authority (CA)-signed certificate. After you send
the certificate request to the CA of your choice, and the CA sends back the
signed certificate, you can use the upload POST action to upload the signed
certificate. The upload action is similar to the import action, but the
upload action allows you to directly upload the PEM-encoded file (signed
certificate) provided by the CA. After this operation you can delete the CSR.
POST /api/v1/trust-management/csrs/{csr-id}?action=upload

Import a Certificate Associated with an Approved CSR


Imports a certificate authority (CA)-signed certificate for a CSR. This
action links the certificate to the private key created by the CSR. The
pem_encoded string in the request body is the signed certificate provided by
your CA in response to the CSR that you provide to them. After this
operation you can delete the CSR.
POST /api/v1/trust-management/csrs/{csr-id}?action=import

Self-Sign the CSR


Self-signs the previously generated CSR. This action is similar to the
import certificate action, but instead of importing a certificate signed
by a CA, the self_sign POST action produces a certificate signed with the
private key that NSX generated for the CSR. The maximum validity limit for
non-CA certificates is 825 days, except that values of 3,650 and 36,500 days
are also allowed. No limit is set for CA certificates.
POST /api/v1/trust-management/csrs/{csr-id}?action=self_sign

Get CSR PEM File for the Given CSR ID


Downloads the CSR PEM file for a specified CSR. Clients must include an Accept: text/plain request header.
GET /api/v1/trust-management/csrs/{csr-id}/pem-file

Get stale certificates


Get list of certificates that are currently not applied to any certificate
profile and ones that are applied to deprecated certificate profiles.
GET /api/v1/trust-management/stale-certificates