Failure on applying/validating NSX-T certificate: Certificate is not compliant as certificate of type SERVER
Article ID: 336798

Products

VMware NSX

Issue/Introduction

  • The certificate is successfully imported but fails when running the APIs below to validate and apply the certificate:

    GET https://<nsx-mgr>/api/v1/trust-management/certificates/<certificate-id>?action=validate
    POST /api/v1/node/services/http?action=apply_certificate

    Note: The full certificate chain must be supplied in the industry-standard order: leaf, then intermediate CA certificate(s), then root CA certificate.

  • The following error is seen while validating or replacing the certificate for an NSX Manager node or an NSX Manager cluster virtual IP:

    "error_code": 36432,
    "error_message": "Certificate validation failed. Reason : Certificate is not compliant as certificate of type SERVER: Basic constraints Extension is not present in the certificate",
    "module_name": "node-services"

  • The CA-signed NSX certificate does not have a 'Basic Constraints' field in its details section.

Environment

VMware NSX-T Data Center 3.x

VMware NSX

Cause

By design, NSX-T 3.0 added a validation check requiring the certificate to carry the 'Basic Constraints' field, in order to keep up with industry standards around "Trust Assurance" when CA certificates are in use, and also for compliance reasons.

The Basic Constraints field indicates whether the certificate at hand is a CA certificate or an end-entity certificate.
This field must be present in the CA-signed NSX certificate and is checked during validation to make sure the certificate is not a CA certificate.
The certificate should show the 'Basic Constraints' field as below, with Subject Type=End Entity:


The CSR generated by NSX Manager includes the 'Basic Constraints' extension. So, if the field is missing from the signed certificate, the validation error is expected. Make sure that the field is not tampered with when the CA signs the CSR.
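A pre-upload check, added here as an example and not part of this KB article, that reads the leaf certificate with the openssl CLI and reports whether the Basic Constraints extension is present and marks an end entity (CA:FALSE), which is exactly what the NSX validation expects. It assumes a PEM file with the leaf certificate first (openssl reads only the first certificate of a chain file) and an openssl CLI in PATH; the function and file names are the example's own.

```shell
#!/bin/sh
# Example pre-flight check (not NSX code): confirm a CA-signed leaf certificate
# carries the Basic Constraints extension with CA:FALSE before uploading it to
# NSX Manager, so the validate / apply_certificate API calls do not fail with
# error_code 36432. Requires the openssl CLI.

# classify_basic_constraints: reads `openssl x509 -text` output on stdin and
# prints one of: end-entity | ca | missing
classify_basic_constraints() {
  # The extension renders as a header line followed by a line with the CA: value,
  # e.g. "X509v3 Basic Constraints: critical" / "CA:FALSE". Spaces are stripped.
  bc=$(awk '/X509v3 Basic Constraints/ { getline; gsub(/ /, ""); print; exit }')
  case "$bc" in
    *CA:FALSE*) echo end-entity ;;
    *CA:TRUE*)  echo ca ;;
    *)          echo missing ;;
  esac
}

# check_nsx_leaf_cert FILE: returns 0 only when the first certificate in FILE
# is an end-entity certificate with Basic Constraints present.
check_nsx_leaf_cert() {
  result=$(openssl x509 -in "$1" -noout -text 2>/dev/null | classify_basic_constraints)
  case "$result" in
    end-entity) echo "$1: OK, Basic Constraints present with CA:FALSE"; return 0 ;;
    ca)         echo "$1: REJECT, certificate is a CA certificate (CA:TRUE)"; return 1 ;;
    *)          echo "$1: REJECT, Basic Constraints extension missing (NSX error 36432)"; return 1 ;;
  esac
}

# Usage (assumed chain file with the leaf first):
#   check_nsx_leaf_cert nsx-chain.pem && echo "safe to upload"
```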

Resolution

This is a known behavior in NSX-T Data Center.

Additional Information