NSX-T Data Center REST API
Associated URIs:
API Description | API Path |
---|---|
Get the certificate profile for the given service type: Get an available certificate profile. Note that not every service type has an active certificate profile. | GET /api/v1/trust-management/certificate-profile/{service-type} |
Return the list of certificate profiles: List the certificate profiles currently active on the NSX Manager. This list depends on the type of instance deployed and which certificates are currently managed through the certificate-profile manager. That list is expected to expand in future releases. | GET /api/v1/trust-management/certificate-profiles |
Return All the User-Facing Components' Certificates: Returns all certificate information viewable by the user, including each certificate's UUID; resource_type (for example, certificate_self_signed, certificate_ca, or certificate_signed); pem_encoded data; and history of the certificate (who created or modified it and when). For additional information, include the ?details=true modifier at the end of the request URI. | GET /api/v1/trust-management/certificates |
Add a New Certificate: Adds a new private-public certificate or a chain of certificates (CAs) and, optionally, a private key that can be applied to one of the user-facing components (appliance management or edge). The certificate and the key should be stored in PEM format. If no private key is provided, the certificate is used as a client certificate in the trust store. A private key can be uploaded for a CA certificate only if the "purpose" parameter is set to "signing-ca". | POST /api/v1/trust-management/certificates?action=import |
Set a certificate as a GM or LM Principal Identity certificate: Set an imported certificate as the principal identity certificate for the local cluster with either GM or LM service type. Currently, the service type specified must match the current service type of the local cluster. | POST /api/v1/trust-management/certificates?action=set_pi_certificate_for_federation (Deprecated) |
Fetch the server certificate chain of a TLS service endpoint: Attempt to connect to a TLS service endpoint and retrieve the server certificate chain it presents. | POST /api/v1/trust-management/certificates?action=fetch_peer_certificate_chain |
Set a certificate as the Appliance Proxy certificate to be used in inter-site communication: Set a certificate that has been imported to be the Appliance Proxy certificate used for communicating with Appliance Proxies on other sites. | POST /api/v1/trust-management/certificates?action=set_appliance_proxy_certificate_for_inter_site_communication (Deprecated) |
Add a CA certificate as a trust anchor | POST /api/v1/trust-management/certificates/{alias}?action=import_trusted_ca |
Delete Certificate for the Given Certificate ID: Removes the specified certificate. The private key associated with the certificate is also deleted. | DELETE /api/v1/trust-management/certificates/{cert-id} |
Validate a certificate: Checks whether the certificate is valid. When the certificate contains a chain, the full chain is validated. The usage parameter can be SERVER (default) or CLIENT. This indicates whether the certificate needs to be validated as a server-auth or a client-auth certificate. | GET /api/v1/trust-management/certificates/{cert-id}?action=validate |
Show Certificate Data for the Given Certificate ID: Returns information for the specified certificate ID, including the certificate's UUID; resource_type (for example, certificate_self_signed, certificate_ca, or certificate_signed); pem_encoded data; and history of the certificate (who created or modified it and when). For additional information, include the ?details=true modifier at the end of the request URI. | GET /api/v1/trust-management/certificates/{cert-id} |
Apply a certificate for a CertificateProfile: Look up the Certificate Profile matching the service-type and apply the certificate. When the Certificate Profile has cluster_certificate=false, the node_id parameter is required to designate the node where the certificate needs to be applied. Note that when applying CA-signed certificates to either the API certificate profile or the MGMT_CLUSTER certificate profile, the certificate must have its CN or SAN extensions matching the endpoint's IP or FQDN. This also means that applying a CA-signed certificate to the MGMT_CLUSTER service profile to a cluster without first configuring its VIP is not allowed. | POST /api/v1/trust-management/certificates/{cert-id}?action=apply_certificate |
Batch replace certificates: Replaces one or more certificates. A certificate can be replaced using this API only if it has a private key and a certificate profile, recorded in the used-by section of the certificate, exists. Invoking this API returns an error if a certificate replacement operation started by a previous invocation is still running. The results of these batch operations can be queried by calling the API GET /trust-management/certificates/action/batch-results | POST /api/v1/trust-management/certificates/action/batch-replace |
Renew all internal appliance certificates that will expire soon: Locates all certificates that are used for internal NSX appliance communications that will expire soon (by default, 31 days). If any such certificates exist, a batch operation will be started that creates new certificates and private keys and installs them. After calling this API, you can check on the status of this asynchronous batch operation with the API GET https://<nsx-mgr>/api/v1/trust-management/certificates/batch-results | POST /api/v1/trust-management/certificates/action/renew-appliance-certificates |
Replace a Host Certificate: Sends a new private-public certificate or a chain of certificates (CAs) and a private key to be used on a Transport Node. | POST /api/v1/trust-management/certificates/action/replace-host-certificate/{host-id} |
Delete result of certificates batch operation: Delete the batch-results of certificate operations created by calling the POST /api/v1/trust-management/certificates/action/batch-replace API. Invoking this API while a certificates batch operation is pending results in an error. With the force=true parameter, the result of the certificates batch operation is deleted and the certificate operations are forcibly stopped. | DELETE /api/v1/trust-management/certificates/batch-results |
Get result of certificates batch operation: Get the batch-result of certificate operations created by calling the POST /api/v1/trust-management/certificates/action/batch-replace API. | GET /api/v1/trust-management/certificates/batch-results |
Get stale certificates: Get the list of certificates that are currently not applied to any certificate profile and ones that are applied to deprecated certificate profiles. | GET /api/v1/trust-management/stale-certificates |