Replace NSX Manager Certificates Using CA-Signed Certificates in NSX 4.x
Article ID: 414001

Products

VMware NSX

Issue/Introduction

You may need to replace or renew NSX Manager certificates in the following situations:

  • The existing self-signed certificates are about to expire.

  • You are implementing a corporate CA-signed certificate.

Environment

VMware NSX 4.2.x

Resolution

Generate a Certificate Signing Request (CSR):

  1. Log in to the NSX Manager as an administrator.
  2. Navigate to System > Certificates > Certificates.
  3. Click Generate CSR and complete the required details:

    • Common Name (CN): NSX VIP or node FQDN.
    • Subject Alternative Names (SAN):
      Include the VIP FQDN/IP and all NSX Manager node FQDNs/IPs.
    • Key Size: 2048 or higher.

  4. Download the CSR PEM file.

Obtain a CA-Signed Certificate:

  1. Submit the CSR to your internal or external Certificate Authority (CA).

  2. Ensure the issued certificate includes:

    • All SAN entries for the NSX VIP and Manager nodes.
    • The full certificate chain: the Root CA certificate and, only if the CA provides one, the Intermediate CA certificate.

Import the CA-Signed Certificate:

  1. Navigate to System > Certificates > CSR and select the respective CSR.

  2. Click Import Certificate for CSR.

  3. Make sure to disable the Service Certificate toggle button.
    Note: NSX service certificates are user-facing for services such as load balancer, VPN, and TLS Inspection.

    • Upload the signed certificate file.

    • Include the full CA chain (if available) in the same file, in the order shown below.


      -----BEGIN CERTIFICATE-----
      (Leaf certificate)
      Issued To: myserver.company.com
      Issued By: Intermediate CA 1
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      (Intermediate certificate)
      Issued To: Intermediate CA 1
      Issued By: Root CA
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      (Root certificate)
      Issued To: Root CA
      Issued By: Root CA (self-signed)
      -----END CERTIFICATE-----

      NOTE: The intermediate CA certificate may be absent if the NSX Manager certificate was signed directly by the Root CA.

      NOTE: ALL the certificates must be in the same certificate file in the order above. Many CA tools generate them in individual files. These must be concatenated without extra white space.

  4. Confirm that all the certificates are present in the file in the order shown above.
  5. Confirm that the imported certificate appears in the list with the correct Subject, Issuer, and Expiration Date.

Apply the New Certificate:

Applying a single certificate to all NSX Manager nodes and the MGMT_CLUSTER VIP is only possible if the SAN entries in the CSR include all nodes and the VIP.

  • Apply the imported certificate to each NSX Manager node individually to ensure the API service on each node uses the new certificate.

    • Navigate to System > Certificates, select the node-specific certificate, click Apply Certificate, and save.


  • After applying the certificate to all nodes, apply the same certificate to the MGMT_CLUSTER (VIP) service so that the cluster virtual IP presents the CA-signed certificate.

  • Wait for the services to restart and verify that the NSX Manager UI and API are accessible using the new certificate.

Additional Information

Refer to the related KB articles below if issues are encountered.