Performing Qualys scan on an NSX Manager reveals vulnerabilities related to the ApplProxyHub, nsx-controller and corfu services on ports 1234, 1235, 1236 and 9000 when self-signed certificates are being used.
Article ID: 412177
Products
VMware NSX
Issue/Introduction
The use of self-signed certificates for the APH_TN, APH_AR (ApplProxyHub), CBM_CORFU (corfu), or CCP (nsx-controller) service types may be flagged as a vulnerability by Qualys after a security scan of an NSX Manager.
Ports 1234, 1235, 1236 and 9000 may be mentioned specifically in the vulnerability report.
The vulnerabilities may only be flagged after an upgrade to NSX 4.2.x.
Environment
VMware NSX
Cause
Although the traffic on NSX Manager ports 1234, 1235, 1236 and 9000 is internal to the Broadcom/VMware product (the other endpoint is either another NSX Manager or an NSX transport node), the certificates in use may be flagged as vulnerabilities because they are self-signed rather than CA-signed.
Resolution
There are two options to resolve this issue.
1. Ignore the security "vulnerability" reported in the Qualys scan output, as these are internal communications between the NSX Manager and vSphere/NSX components.
2. Replace the self-signed certificates with CA-signed ones by following the instructions in the documentation below:
   - For NSX-T 3.2.x, follow the instructions found through this link: Replace Certificates
   - For NSX-T 4.1.x, follow the instructions found through this link: Replace Certificates