"NSX Manager Node certificate CN or SANs are not valid for" precheck error occurs when importing external vCenter to VCF 9

Article ID: 419000


Products

VMware NSX, VMware SDDC Manager

Issue/Introduction

  • You are importing a brownfield vCenter into VCF 9.
  • NSX is deployed and uses a CA-signed certificate with a wildcard in the CN (Common Name) field.
  • The import fails at the prechecks for one or all of the NSX Managers with the error:

NSX Manager Node certificate CN or SANs are not valid for <manager-IP>

Replace the NSX Manager Node certificate with a valid certificate where the hostname matches the CN name or is specified in the SAN field. Please refer the Certificates section in NSX Admin Guide for more details.

Environment

VCF 9

Cause

The VCF 9.0 SDDC Manager import precheck validates wildcard certificates incorrectly, which causes the import to fail.

Resolution

This issue is resolved in SDDC Manager in VCF 9.0.1, available from Broadcom downloads, where wildcard certificates used on NSX Managers are validated and imported correctly.

If you are having difficulty finding and downloading software, please review the Download Broadcom products and software KB.


Workaround:

Replace the NSX Manager API and cluster certificates with certificates that carry the hostname as the CN, or list the hostname in the SAN field, and do not use a wildcard.

The following KB provides a script that generates VMCA-signed certificates from the vCenter VMCA:

Scripted process to replace expired or self-signed VMware NSX Manager Certificates with VMCA-Signed Certificates

Once the certificates have been replaced with certificates that conform to the SDDC Manager requirements, retry the import.
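To make the validation described in the Cause and Workaround sections concrete, the following is an added example written for this article; it is not SDDC Manager's or NSX's own precheck code. It implements an RFC 6125-style CN/SAN identity check over certificates modelled in the dict shape Python's `ssl.getpeercert()` returns, and runs it against two constructed certificates: one whose only identity is a wildcard CN, and one that lists the manager hostname and IP address in its SAN. It shows why a wildcard name can never satisfy a check against the manager's IP address (the `<manager-IP>` in the error above) and why a certificate with the hostname and IP in the SAN passes for both identities. The hostnames, IP addresses and the rule that the CN is consulted only when no DNS SANs are present are assumptions made for the example.

```python
"""Added example: an RFC 6125-style CN/SAN identity check of the kind a
certificate precheck performs. Illustrative code, not SDDC Manager's or
NSX's own validation logic; the sample certificates below are constructed."""
import ipaddress
from typing import Dict, List, Tuple

# Certificates are modelled as the dict shape returned by ssl.getpeercert():
#   "subject": nested tuples of (attribute, value) pairs
#   "subjectAltName": tuple of ("DNS", name) / ("IP Address", address) entries


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match a DNS identity (CN or DNS SAN) against a hostname.

    A wildcard is accepted only as the entire leftmost label and matches
    exactly one label, so *.corp.example covers a.corp.example but not
    a.b.corp.example or corp.example itself."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[2:]:
        return False  # wildcard must be the whole leftmost label and nothing else
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False  # at least two fixed labels; the '*' covers exactly one label
    return p_labels[1:] == h_labels[1:]


def _identities(cert: Dict) -> Tuple[List[str], List[str], str]:
    """Pull DNS SANs, IP SANs and the subject CN out of the certificate dict."""
    san = cert.get("subjectAltName", ())
    dns_names = [value for kind, value in san if kind == "DNS"]
    ip_names = [value for kind, value in san if kind == "IP Address"]
    common_name = ""
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                common_name = value
    return dns_names, ip_names, common_name


def cert_valid_for(cert: Dict, target: str) -> Tuple[bool, str]:
    """Return (ok, reason) for whether `cert` is valid for `target`.

    `target` is a hostname or an IP address literal. An IP target is
    satisfied only by an "IP Address" SAN: a DNS name, wildcard or not,
    never matches an IP. A hostname target is checked against DNS SANs;
    the CN is consulted only when the certificate has no DNS SANs
    (the usual fallback rule, assumed here)."""
    dns_names, ip_names, common_name = _identities(cert)
    try:
        target_ip = ipaddress.ip_address(target)
    except ValueError:
        target_ip = None

    if target_ip is not None:
        for entry in ip_names:
            try:
                if ipaddress.ip_address(entry) == target_ip:
                    return True, f"IP Address SAN {entry} matches {target}"
            except ValueError:
                continue  # malformed SAN entry: skip it rather than crash
        return False, f"no IP Address SAN matches {target}"

    for name in dns_names:
        if _dns_name_matches(name, target):
            return True, f"DNS SAN {name} matches {target}"
    if not dns_names and common_name and _dns_name_matches(common_name, target):
        return True, f"CN {common_name} matches {target}"
    return False, f"CN or SANs are not valid for {target}"


def precheck(cert: Dict, targets: List[str]) -> List[str]:
    """Check every identity the manager is addressed by; return the failure reasons."""
    return [reason for ok, reason in (cert_valid_for(cert, t) for t in targets) if not ok]


# Constructed sample certificates (hypothetical names and addresses, not real data).
WILDCARD_CN_CERT = {
    "subject": ((("commonName", "*.corp.example"),),),
    "subjectAltName": (),
}
HOSTNAME_SAN_CERT = {
    "subject": ((("commonName", "nsx-mgr-01.corp.example"),),),
    "subjectAltName": (("DNS", "nsx-mgr-01.corp.example"), ("IP Address", "192.0.2.11")),
}

if __name__ == "__main__":
    targets = ["nsx-mgr-01.corp.example", "192.0.2.11"]
    for label, cert in (("wildcard CN only", WILDCARD_CN_CERT), ("hostname + IP SAN", HOSTNAME_SAN_CERT)):
        failures = precheck(cert, targets)
        print(f"{label}: {'PASS' if not failures else 'FAIL: ' + '; '.join(failures)}")
```

Running the script prints PASS for the certificate that lists the hostname and IP in its SAN and a failure for the wildcard-only certificate, because the IP-address identity has nothing to match against. Whether a given product honours the CN fallback at all is implementation-specific, which is why placing the exact hostname (and, where the manager is also addressed by IP, the IP) in the SAN is the robust choice the Workaround describes.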

Additional Information

Please review the following KB for details on supported SDDC certificates:

Replacing SDDC manager certificates with custom certs failed with " Could not resolve the hostname"