Replace HCX 443 UI certificate with custom CA
Article ID: 406688
Products

VMware HCX

Issue/Introduction

This article explains how to replace the HCX Manager 443 UI certificate with a certificate signed by a custom Certificate Authority (CA).

Environment

VMware HCX
Custom Certificate Authority

Resolution

  1. Log into HCX Manager through an SSH session as admin.
  2. Switch to root by typing su - and providing the root password.

  3. Create a new folder under root:
        mkdir cert

  4. Change into the folder and create the certificate configuration file (press the 'Insert' key in vi to start editing):
        cd cert
        vi hcxcert.cfg

  5. Copy and paste the text below into hcxcert.cfg and replace the placeholder values (HCX_Manager_FQDN, HCX_IP and the distinguished-name fields) with your environment details.

    NOTE: The HCX default certificate key size is 4096; if required, use 'default_bits = 4096' in the cfg file below.
    The example below uses a 2048-bit key ('default_bits = 2048').

    [ req ]
    default_bits = 2048
    distinguished_name = req_distinguished_name
    encrypt_key = no
    prompt = no
    string_mask = nombstr
    req_extensions = v3_req

    [ v3_req ]
    basicConstraints = CA:FALSE
    keyUsage = digitalSignature, keyEncipherment, dataEncipherment
    extendedKeyUsage = serverAuth, clientAuth
    subjectAltName = DNS:HCX_Manager_FQDN, IP:HCX_IP

    [ req_distinguished_name ]
    countryName = IN
    stateOrProvinceName = KA
    localityName = Blr
    0.organizationName = VMware
    organizationalUnitName = VCF
    commonName = HCX_Manager_FQDN


  6. Save the file: press "Esc", type ":wq!" and press "Enter".

  7. Generate the CSR and the private key by running the command below:
    openssl req -new -nodes -out hcxcert.csr -keyout hcxcert.key -config hcxcert.cfg


  8. Copy the contents of the CSR so that you can submit it to the Certificate Authority (CA). Display the CSR with 'cat hcxcert.csr' in the HCX SSH session:
    root@hcx [ ~/cert ]# cat hcxcert.csr
    -----BEGIN CERTIFICATE REQUEST-----
    <...>
    -----END CERTIFICATE REQUEST-----


  9. Provide hcxcert.csr to your Certificate Authority (CA) to generate the custom SSL certificate. Copy the contents of hcxcert.key to a notepad; you will need it later, when you update the certificate on HCX Manager (step 12).
  10. Once you have the certificate from the CA, make sure it includes the complete certificate chain. Validate the chain using any certificate-checking resource; one recommended resource is KeyCDN Certificate Checker.
  11. If the certificate does not include all root and intermediate certificates, assemble the chain correctly in the order Leaf/Server -> Intermediate -> Root.
  12. Follow the procedure "Updating the Local Server Certificate on an HCX Manager" to manually update the certificate on HCX Manager.
  13. Refresh your browser and verify that the HCX Hybridity 443 UI now presents a valid, trusted CA certificate.
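The script below is an added example and is not part of this KB article or of the HCX product. It runs the hcxcert.cfg from step 5 through the openssl command from step 7, then performs offline the two checks behind steps 10 and 11: that the certificate the CA returned belongs to hcxcert.key, and that a PEM bundle is ordered Leaf -> Intermediate -> Root (each certificate issued by the one after it) and verifies against the root. Because the real CA is out of reach here, "Demo Root CA" and "Demo Intermediate CA" are a constructed two-tier CA standing in for your CA; hcx.example.com and 192.0.2.10 are constructed placeholders for HCX_Manager_FQDN and HCX_IP, and WORK is a scratch directory of this example's own choosing.

```shell
#!/bin/sh
# Added example, not from the VMware KB article. Exercises the step 5 CSR
# config and the step 10/11 chain checks against a constructed demo CA.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 0; }
WORK="${WORK:-$(mktemp -d)}"

write_cfg() {
  # The article's hcxcert.cfg with constructed values in place of the placeholders.
  cat > "$WORK/hcxcert.cfg" <<'EOF'
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:hcx.example.com, IP:192.0.2.10

[ req_distinguished_name ]
countryName = IN
stateOrProvinceName = KA
localityName = Blr
0.organizationName = VMware
organizationalUnitName = VCF
commonName = hcx.example.com
EOF
  # Minimal config for the demo CA certificates (constructed; subjects come from -subj).
  cat > "$WORK/ca.cfg" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
commonName = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = keyCertSign, cRLSign
[ v3_int ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = keyCertSign, cRLSign
EOF
}

# Step 7 from the article: CSR plus unencrypted private key.
make_csr() {
  openssl req -new -nodes -out "$WORK/hcxcert.csr" -keyout "$WORK/hcxcert.key" \
    -config "$WORK/hcxcert.cfg" 2>/dev/null
}

# Stand-in for "your CA": self-signed root -> intermediate -> HCX leaf.
# The leaf receives the v3_req extensions (SAN, EKU) from the CSR config.
make_demo_ca() {
  openssl req -x509 -new -nodes -newkey rsa:2048 -days 30 -subj "/CN=Demo Root CA" \
    -config "$WORK/ca.cfg" -extensions v3_ca -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
  openssl req -new -nodes -newkey rsa:2048 -subj "/CN=Demo Intermediate CA" \
    -config "$WORK/ca.cfg" -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
    -days 30 -extfile "$WORK/ca.cfg" -extensions v3_int -out "$WORK/int.crt" 2>/dev/null
  openssl x509 -req -in "$WORK/hcxcert.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" -CAcreateserial \
    -days 30 -extfile "$WORK/hcxcert.cfg" -extensions v3_req -out "$WORK/hcxcert.crt" 2>/dev/null
}

# Step 10 check: the returned certificate must carry the public key of hcxcert.key.
# Usage: key_matches_cert CERT KEY
key_matches_cert() {
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Step 11 check: split a PEM bundle and require that every certificate is issued
# by the one that follows it, i.e. the order is Leaf -> Intermediate -> Root.
chain_is_ordered() {
  parts=$(mktemp -d)
  awk -v d="$parts" '/BEGIN CERTIFICATE/ { n++ } { print > (d "/" n ".pem") }' "$1"
  n=$(grep -c 'BEGIN CERTIFICATE' "$1")
  i=1
  while [ "$i" -lt "$n" ]; do
    issuer=$(openssl x509 -in "$parts/$i.pem" -noout -issuer)
    subject=$(openssl x509 -in "$parts/$((i + 1)).pem" -noout -subject)
    [ "${issuer#issuer=}" = "${subject#subject=}" ] || return 1
    i=$((i + 1))
  done
  [ "$n" -ge 2 ]
}

# Path validation of LEAF with BUNDLE as untrusted intermediates and ROOT as the
# trust anchor, the check an online certificate checker performs for you.
chain_verifies() {
  openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

run_demo() {
  write_cfg && make_csr && make_demo_ca
  cat "$WORK/hcxcert.crt" "$WORK/int.crt" "$WORK/root.crt" > "$WORK/bundle-good.pem"
  cat "$WORK/root.crt" "$WORK/int.crt" "$WORK/hcxcert.crt" > "$WORK/bundle-bad.pem"
  key_matches_cert "$WORK/hcxcert.crt" "$WORK/hcxcert.key" || { echo "certificate does not match hcxcert.key"; return 1; }
  chain_is_ordered "$WORK/bundle-good.pem" || { echo "Leaf->Intermediate->Root bundle rejected"; return 1; }
  chain_is_ordered "$WORK/bundle-bad.pem" && { echo "Root-first bundle wrongly accepted"; return 1; }
  chain_verifies "$WORK/hcxcert.crt" "$WORK/bundle-good.pem" "$WORK/root.crt" || { echo "openssl verify failed"; return 1; }
  echo "OK: $WORK/bundle-good.pem is ordered Leaf -> Intermediate -> Root and verifies"
}

run_demo
```

Run it on any host with openssl in PATH; set WORK to keep the generated files. Against a real deployment only the two check functions are needed: point key_matches_cert at the CA-issued certificate and hcxcert.key, and chain_is_ordered at the bundle you assembled in step 11, before uploading in step 12.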

Additional Information