Generate an ssl certificate for nsx edge

create-nsx-certs.sh

#!/bin/bash -e

NSX_MANAGER=nsxmgr-01.cf.markalston.net
NSX_USER=admin

if [ -z "$NSX_PASSWORD" ]; then
	echo "NSX_PASSWORD must be set"
	return 1
fi

PI_NAME="pks-nsx-t-superuser"
NSX_SUPERUSER_CERT_FILE="pks-nsx-t-superuser.crt"
NSX_SUPERUSER_KEY_FILE="pks-nsx-t-superuser.key"
NODE_ID=$(cat /proc/sys/kernel/random/uuid)

openssl req \
  -newkey rsa:2048 \
  -x509 \
  -nodes \
  -keyout "$NSX_SUPERUSER_KEY_FILE" \
  -new \
  -out "$NSX_SUPERUSER_CERT_FILE" \
  -subj /CN=pks-nsx-t-superuser \
  -extensions client_server_ssl \
  -config <(
  cat /etc/ssl/openssl.cnf \
  <(printf '[client_server_ssl]\nextendedKeyUsage = clientAuth\n')
  ) \
  -sha256 \
  -days 730

# You’ll see two files - pks-nsx-t-superuser.crt and pks-nsx-t-superuser.key created.
# They need to be configured both in NSX-T and the PKS tile. The following commands will configure it in NSX-T.
# We will configure them in the PKS tile at a later step.

cert_request=$(cat <<END
  {
    "display_name": "$PI_NAME",
    "pem_encoded": "$(awk '{printf "%s\\n", $0}' $NSX_SUPERUSER_CERT_FILE)"
  }
END
)

curl -k -X POST \
  "https://${NSX_MANAGER}/api/v1/trust-management/certificates?action=import" \
  -u "$NSX_USER:$NSX_PASSWORD" \
  -H 'content-type: application/json' \
  -d "$cert_request"

# You’ll see an output with an id: value from the curl output. Copy the value and then enter the commands below.

echo "Enter value of the id from the command output above:"
read CERTIFICATE_ID

pi_request=$(cat <<END
  {
    "display_name": "$PI_NAME",
    "name": "$PI_NAME",
    "permission_group": "superusers",
    "certificate_id": "$CERTIFICATE_ID",
    "node_id": "$NODE_ID"
  }
END
)

curl -k -X POST \
  "https://${NSX_MANAGER}/api/v1/trust-management/principal-identities" \
  -u "$NSX_USER:$NSX_PASSWORD" \
  -H 'content-type: application/json' \
  -d "$pi_request"