Certificate with NCP

This post shows how to authenticate the NSX Container Plugin (NCP) to NSX Manager with a certificate-backed principal identity instead of the admin user name and password.

Generate the certificate

Create the certificate on a Linux host with OpenSSL. The commands below generate a passphrase-protected 2048-bit RSA key, create a CSR for it, strip the passphrase again (NCP has to read the key unattended), and self-sign the CSR for ten years. Remove nsx-ncp.key.org afterwards; it is just the encrypted copy of the same key.

# 2048-bit RSA key, encrypted with AES-256 (prompts for a passphrase)
openssl genrsa -aes256 -out nsx-ncp.key 2048
# certificate signing request; the subject fields are prompted for interactively
openssl req -new -key nsx-ncp.key -out nsx-ncp.csr
# strip the passphrase: NCP needs an unencrypted key
mv nsx-ncp.key nsx-ncp.key.org
openssl rsa -in nsx-ncp.key.org -out nsx-ncp.key
# self-signed certificate valid for 3650 days
openssl x509 -req -days 3650 -in nsx-ncp.csr -signkey nsx-ncp.key -out nsx-ncp.crt

Upload the certificate

Import the certificate into NSX Manager by pasting in the contents of nsx-ncp.crt. Only the certificate is needed to authenticate a principal identity; the private key stays with NCP and is better kept off NSX Manager altogether.

Note the certificate ID that NSX Manager assigns to the imported certificate; it is needed in the next step.

Use certificate for principal identity

Populate the following environment variables. The first is the host name of your NSX Manager (no scheme) and the second is the ID of the certificate you just imported.

NSX_MANAGER="nsxmgr-01a.corp.local"
certificate_id="df4784b3-4d22-4a62-bf2d-68e12809f900"

Create the JSON body for the REST call. The heredoc delimiter is left unquoted so that $certificate_id is expanded; name is the display name of the principal identity, node_id identifies the client, and permission_group grants it read/write access to the API.

ncp_cert=$(cat <<END
  {
    "name": "ncp",
    "node_id": "node-1",
    "permission_group": "read_write_api_users",
    "certificate_id" : "$certificate_id"
  }
END
)

With the body created, create the principal identity that binds this certificate to the read_write_api_users role:

curl -k -X POST "https://${NSX_MANAGER}/api/v1/trust-management/principal-identities" -u "admin:VMware1!" -H 'content-type: application/json' -d "$ncp_cert"

Two things to be aware of with this one-liner: -u puts the admin password on the command line, where it is visible in the process list and in shell history (use -u admin and let curl prompt, or a netrc file), and -k skips verification of the NSX Manager certificate, so the admin credential could be sent to an impostor; prefer --cacert with the CA that issued the NSX Manager certificate. From this point on NCP authenticates with the certificate, so the admin password is only needed for this bootstrap call.
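The certificate and principal-identity steps above as shell functions, added here as an example and not code from the original post. It generates the key pair non-interactively, checks that key and certificate belong together before anything is uploaded, builds the request body with a sanity check on the certificate ID, and shows how to make the bootstrap call without exposing the admin password on the command line or disabling TLS verification. The host name, CA bundle path and certificate ID are placeholders; NSX_PASSWORD is an assumed environment variable.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: openssl and curl are
# installed, the NSX Manager CA bundle is at a path you supply, and the admin
# password is exported in NSX_PASSWORD.
set -eu

# Non-interactive equivalent of the five openssl commands in the post. -nodes
# writes the key unencrypted, so there is no passphrase to strip afterwards.
gen_ncp_cert() {
    dir="$1"; cn="$2"; days="${3:-3650}"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -subj "/CN=$cn" -keyout "$dir/nsx-ncp.key" -out "$dir/nsx-ncp.crt" \
        2>/dev/null
    chmod 600 "$dir/nsx-ncp.key"   # the key is the NCP credential; keep it private
}

# Check that the private key and certificate belong together before either is
# imported or put in a Kubernetes secret. Prints 'match' or 'mismatch'.
check_pair() {
    k=$(openssl rsa -in "$1" -noout -modulus | openssl sha256)
    c=$(openssl x509 -in "$2" -noout -modulus | openssl sha256)
    if [ "$k" = "$c" ]; then echo match; else echo mismatch; fi
}

# SHA-256 fingerprint of the certificate, to compare with what NSX Manager
# shows after the import.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Body for POST /api/v1/trust-management/principal-identities. Rejects a
# certificate id that is not shaped like a UUID so a pasted-in typo never
# reaches the API.
pi_body() {
    name="$1"; node="$2"; cert_id="$3"
    case "$cert_id" in
        ????????-????-????-????-????????????) ;;
        *) echo "pi_body: '$cert_id' is not a UUID" >&2; return 1 ;;
    esac
    case "$cert_id" in
        *[!0-9a-fA-F-]*) echo "pi_body: '$cert_id' is not a UUID" >&2; return 1 ;;
    esac
    printf '{"name":"%s","node_id":"%s","permission_group":"read_write_api_users","certificate_id":"%s"}\n' \
        "$name" "$node" "$cert_id"
}

# Create the principal identity. Unlike the one-liner in the post, the admin
# password is read from NSX_PASSWORD and handed to curl through a config file
# on stdin (-K -), so it does not show up in 'ps' or shell history, and the
# NSX Manager certificate is verified against a CA bundle instead of -k.
create_pi() {
    manager="$1"; ca_bundle="$2"; body="$3"
    printf 'user = "admin:%s"\n' "${NSX_PASSWORD:?set NSX_PASSWORD first}" |
    curl -sS -K - --cacert "$ca_bundle" -X POST \
        "https://$manager/api/v1/trust-management/principal-identities" \
        -H 'content-type: application/json' -d "$body"
}

# Demo on a throwaway directory; the POST itself is only shown, not run here.
if command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d)
    gen_ncp_cert "$work" nsx-ncp
    echo "key/cert: $(check_pair "$work/nsx-ncp.key" "$work/nsx-ncp.crt")"
    echo "fingerprint: $(cert_fingerprint "$work/nsx-ncp.crt")"
fi
pi_body ncp node-1 df4784b3-4d22-4a62-bf2d-68e12809f900
# create_pi nsxmgr-01a.corp.local /etc/ssl/nsx-ca.pem \
#     "$(pi_body ncp node-1 df4784b3-4d22-4a62-bf2d-68e12809f900)"
```

Run check_pair before importing the certificate: a key that does not match the certificate fails only later, when NCP tries to authenticate, which is harder to diagnose than a one-word result here.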

Kubernetes secrets

Create Kubernetes secrets holding the certificate and the private key, in the namespace where NCP runs, so the pod can mount them. With --from-file each file is stored under its own file name as the secret key, so the mounted directories will contain nsx-ncp.crt and nsx-ncp.key.

kubectl create secret generic nsx-auth-cert --from-file=nsx-ncp.crt
kubectl create secret generic nsx-auth-key --from-file=nsx-ncp.key

The private key is now the credential that grants read/write API access to NSX Manager, so restrict who can read secrets in that namespace and delete the local copy of the key once the secret exists. Both secrets are referenced from the NCP replication controller manifest (ncp-rc).

NCP configuration

In ncp.ini, set nsx_api_cert_file and nsx_api_private_key_file in the [nsx_v3] section to the paths where the two secrets will be mounted inside the NCP pod. These paths must match the mountPath values of the volumes below; the file names are the secret keys, i.e. the names of the files passed to --from-file.

  [nsx_v3]
    nsx_api_managers = nsxmgr-01a.corp.local
    #nsx_api_user = admin
    #nsx_api_password = VMware1!
    nsx_api_cert_file = /etc/nsx-ujo-auth/nsx-ncp.crt
    nsx_api_private_key_file = /etc/nsx-ujo-key/nsx-ncp.key
    insecure = True

The old user and password are now commented out and the certificate is referenced instead, so the admin credential no longer lives in the ConfigMap at all. Note that insecure = True tells NCP not to verify the NSX Manager certificate, which leaves the API connection open to a man-in-the-middle; for production set insecure = False and point NCP's ca_file option at the CA that issued the NSX Manager certificate.

Further down we need to define the volume mounts and the secrets to load, which are our certificate and key. Both are mounted read-only; the key secret can additionally be given a restrictive defaultMode so only the NCP process user can read it.

        volumeMounts:
        - name: config-volume
          mountPath: /etc/nsx-ujo/ncp.ini
          subPath: ncp.ini
          readOnly: true
        - name: nsx-auth-cert
          mountPath: /etc/nsx-ujo-auth
          readOnly: true
        - name: nsx-auth-key
          mountPath: /etc/nsx-ujo-key
          readOnly: true
      volumes:
      - name: config-volume
        configMap:
          name: nsx-ncp-config
      - name: nsx-auth-cert
        secret:
          secretName: nsx-auth-cert
      - name: nsx-auth-key
        secret:
          secretName: nsx-auth-key

Now apply the file. This updates the replication controller, which then recreates the NCP pods with the new mounts.
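A consistency check between the paths NCP reads from ncp.ini and the mountPath entries in the replication controller manifest, added here as an example and not code from the original post. A certificate path that is not under any mounted directory fails only at NCP start-up, so it is worth catching before the manifest is applied. The sample ini and manifest fragments are constructed for the check; the "bad" ini deliberately uses directories that are not mounted.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the manifest and ncp.ini
# are available as plain files; the sample contents below are constructed.
set -eu

# Look up the two certificate options (wherever they appear in the ini file,
# commented lines excluded) and confirm that each one's directory is a
# mountPath in the manifest. Prints one line per option and returns non-zero
# if any path is not covered by a mount.
check_cert_mounts() {
    ini="$1"; manifest="$2"; rc=0
    mounts=$(sed -n 's/^[[:space:]]*mountPath:[[:space:]]*//p' "$manifest")
    for opt in nsx_api_cert_file nsx_api_private_key_file; do
        path=$(sed -n "s/^[[:space:]]*$opt[[:space:]]*=[[:space:]]*//p" "$ini")
        if [ -z "$path" ]; then
            echo "$opt: not set"; rc=1; continue
        fi
        dir=$(dirname "$path")
        if printf '%s\n' "$mounts" | grep -qxF -- "$dir"; then
            echo "$opt: $path is inside mount $dir"
        else
            echo "$opt: $path is not under any mountPath"; rc=1
        fi
    done
    return "$rc"
}

# Flag insecure = True: NCP should verify the NSX Manager certificate.
check_insecure() {
    if grep -qi '^[[:space:]]*insecure[[:space:]]*=[[:space:]]*true' "$1"; then
        echo "insecure = True: NSX Manager certificate is not verified"; return 1
    fi
    echo "insecure not enabled"
}

# Constructed manifest fragment with the mounts from the post.
sample_manifest() {
cat <<'EOF'
        volumeMounts:
        - name: config-volume
          mountPath: /etc/nsx-ujo/ncp.ini
          subPath: ncp.ini
        - name: nsx-auth-cert
          mountPath: /etc/nsx-ujo-auth
        - name: nsx-auth-key
          mountPath: /etc/nsx-ujo-key
EOF
}

# Constructed [nsx_v3] section; $1 = cert dir, $2 = key dir, $3 = insecure value.
sample_ini() {
cat <<EOF
[nsx_v3]
nsx_api_managers = nsxmgr-01a.corp.local
#nsx_api_user = admin
nsx_api_cert_file = $1/nsx-ncp.crt
nsx_api_private_key_file = $2/nsx-ncp.key
insecure = $3
EOF
}

work=$(mktemp -d)
sample_manifest > "$work/ncp-rc.yml"
sample_ini /etc/nsx-ncp-auth /etc/nsx-ncp-key True > "$work/bad.ini"
sample_ini /etc/nsx-ujo-auth /etc/nsx-ujo-key False > "$work/good.ini"
echo "== bad.ini";  check_cert_mounts "$work/bad.ini"  "$work/ncp-rc.yml" || echo "bad.ini: FAIL"
check_insecure "$work/bad.ini" || true
echo "== good.ini"; check_cert_mounts "$work/good.ini" "$work/ncp-rc.yml" && echo "good.ini: OK"
check_insecure "$work/good.ini"
```

Run it against the real ncp.ini (extracted from the ConfigMap) and the real manifest before kubectl apply; the mount directories, not the file names, are what the check compares, because a secret mounted at a directory exposes each key as a file beneath it.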

Create a new namespace; NCP will create a Tier-1 router and a logical switch for it using the certificate-authenticated principal identity. Note the icon next to the Tier-1 router k8s-cluster1-test, which marks it as owned by that principal identity. Success!

Conclusion

Authenticating NCP with a certificate-backed principal identity removes the NSX Manager admin user name and password from the NCP configuration, and the objects NCP creates are tied to that identity. This is the recommended way to run NCP as the container network plugin for NSX-T.
