Generate a CSR for a Shared CA Certificate for APH, APH_TN, and CCP Services in NSX

Article ID: 415479


Products

VMware NSX

Issue/Introduction

  • The APH, APH_TN, and CCP services on an NSX Manager node can share the same CA-signed certificate.
  • This article explains how to generate a Certificate Signing Request (CSR) for that shared APH certificate using OpenSSL.

Environment

VMware NSX 4.2

Resolution

1. Create an OpenSSL config for the CSR

Using the vi editor, create the OpenSSL configuration file for the CSR, for example, named openssl-aph.cnf with the following content.

[req]
default_bits            = 2048
distinguished_name      = req_distinguished_name
# Write the private key without a passphrase (the -nodes flag in step 2 has the same effect)
encrypt_key             = no
# Take the subject from this file instead of prompting interactively
prompt                  = no
string_mask             = nombstr
# Request the extensions (SAN, EKU) defined in the v3_req section below
req_extensions          = v3_req

[ req_distinguished_name ]
countryName             = US
stateOrProvinceName     = California
localityName            = Palo Alto
0.organizationName      = VMware, Inc.
# Placeholder: the contact address was not preserved in this article; use your own
emailAddress            = admin@example.com
commonName              = VMware-NSX-ApplProxyHub-CCP

[ v3_req ]
basicConstraints        = CA:FALSE
# Both TLS server and client authentication are requested for the shared certificate
extendedKeyUsage        = serverAuth, clientAuth
subjectKeyIdentifier    = hash
subjectAltName          = @alt_names

[ alt_names ]
# FQDN of the NSX Manager node
DNS.1 = nsx-mgr01.local

Note: Before generating the CSR, update the fields in this configuration file (countryName, stateOrProvinceName, localityName, organizationName, emailAddress, and DNS.1) to match your environment and certificate requirements.


2. Create the CSR file with the OpenSSL command below

openssl req -new -nodes \
    -newkey rsa:2048 \
    -keyout nsx-mgr01.key \
    -out nsx-mgr01.csr \
    -config openssl-aph.cnf
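Steps 1 and 2 combined into one script, as an added example that is not part of this KB article: it writes a constructed copy of the config above (sample DN and hostname, emailAddress omitted), runs the same openssl req command, and then checks that the CSR actually carries a 2048-bit key, both EKUs and the SAN before it is handed to the CA.

```shell
#!/bin/sh
# Added example, not from the KB: writes a constructed copy of openssl-aph.cnf,
# generates the CSR as in step 2, and checks the CSR before CA submission.
set -eu

# write_config <path>: constructed config mirroring the article's (sample DN/hostname,
# emailAddress omitted).
write_config() {
  cat > "$1" <<'EOF'
[req]
default_bits = 2048
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = California
localityName = Palo Alto
0.organizationName = VMware, Inc.
commonName = VMware-NSX-ApplProxyHub-CCP
[ v3_req ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = nsx-mgr01.local
EOF
}

# generate_csr <cnf> <key> <csr>: the article's step-2 command, non-interactive.
generate_csr() {
  openssl req -new -nodes -newkey rsa:2048 -keyout "$2" -out "$3" -config "$1" 2>/dev/null
}

# check_csr <csr> <dns>: succeeds only if the CSR has a 2048-bit key, both the
# serverAuth and clientAuth EKUs, the expected SAN, and a valid self-signature.
# A config that drops the req_extensions line produces a CSR with no SAN or EKU
# at all, and OpenSSL does not complain; this catches that before the CA does.
check_csr() {
  txt=$(openssl req -in "$1" -noout -text)
  for want in "Public-Key: (2048 bit)" "TLS Web Server Authentication" \
              "TLS Web Client Authentication" "DNS:$2"; do
    printf '%s\n' "$txt" | grep -qF -- "$want" || { echo "CSR is missing: $want" >&2; return 1; }
  done
  openssl req -in "$1" -noout -verify >/dev/null 2>&1
}
```

Run it as `write_config openssl-aph.cnf; generate_csr openssl-aph.cnf nsx-mgr01.key nsx-mgr01.csr; check_csr nsx-mgr01.csr nsx-mgr01.local` in a scratch directory; a non-zero exit names the missing element.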

3. Get the CSR signed by a CA and apply the signed certificate

For more information on the certificate replacement process, refer to the official documentation:

Replace Certificates Through NSX Manager
Apply Certificate to a Service
How to Replace NSX Manager Certificates Using CA-Signed Certificates in NSX 4.x

Additional Information

If this KB article does not resolve the issue, raise a support ticket with Broadcom support, selecting NSX as the product.

Handling Log Bundles for offline review with Broadcom support.