Generate an NSX self-signed certificate including Subject Alternative Name (SAN).

Article ID: 423822


Products

VMware NSX

Issue/Introduction

Steps to generate an NSX self-signed certificate that includes Subject Alternative Name (SAN) details.

Environment

VMware NSX

Resolution

NSX versions 4.2.1 and above

  • In the NSX UI, go to System > Certificates > Generate > Self Signed Certificate.
  • Include the Subject Alternative Name DNS and IP entries as desired.

NSX versions prior to 4.2.1

The NSX API must be used as the UI does not have the option to include a SAN.

1) Create a Certificate Signing Request with the Subject Alternative Name details:

POST /api/v1/trust-management/csrs-extended 

{
    "display_name": "API/VIP Certificate",
    "subject": {
        "attributes": [
            {
                "key": "CN",
                "value": "manager"
            },
            {
                "key": "O",
                "value": "VMware"
            },
            {
                "key": "OU",
                "value": "NSX"
            },
            {
                "key": "C",
                "value": "US"
            },
            {
                "key": "ST",
                "value": "CA"
            },
            {
                "key": "L",
                "value": "PA"
            }
        ]
    },
    "key_size": "2048",
    "algorithm": "RSA",
    "extensions": {
        "subject_alt_names": {
            "dns_names": [
                "manager.example.com"
            ]
        }
    }
}

Note: If IP addresses also need to be included in the SAN information of the certificate, add an "ip_addresses" section under "subject_alt_names":

"extensions": {
    "subject_alt_names": {
        "dns_names": [
            "manager.example.com"
        ],
        "ip_addresses": [
            "<IP_address>"
        ]
    }
}

2) Get the ID of the CSR created in Step 1

GET /api/v1/trust-management/csrs/

3) The certificate can then be applied per the standard procedure; see Replace Certificates in the Admin Guide.

POST /api/v1/trust-management/csrs/<CSR ID from step 2>?action=self_sign&days_valid=<period of days>
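
The following is an added example, not part of the original article or VMware's own code. It builds the step 1 request body from a mixed list of SAN entries, sorting them into "dns_names" and "ip_addresses" and rejecting malformed values before they reach the API, and it builds the self_sign path used after step 2. The function names and the hostname validation rules are assumptions made for this example.

```python
import ipaddress
import re
from urllib.parse import quote

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def split_sans(entries):
    """Sort SAN entries into (dns_names, ip_addresses); reject anything else."""
    dns_names, ip_addresses = [], []
    for entry in (e.strip() for e in entries):
        try:
            ip_addresses.append(str(ipaddress.ip_address(entry)))
            continue
        except ValueError:
            pass
        labels = entry.split(".")
        # A numeric last label is treated as a mistyped IP (e.g. 10.0.0.256); as a
        # DNS SAN it would not match a client that connects by address.
        if len(entry) > 253 or labels[-1].isdigit() or not all(map(_LABEL.match, labels)):
            raise ValueError(f"not a valid DNS name or IP address: {entry!r}")
        dns_names.append(entry.lower())
    return dns_names, ip_addresses

def build_csr_request(display_name, subject, sans, key_size="2048", algorithm="RSA"):
    """Body for POST /api/v1/trust-management/csrs-extended (step 1)."""
    dns_names, ip_addresses = split_sans(sans)
    alt_names = {}
    if dns_names:
        alt_names["dns_names"] = dns_names
    if ip_addresses:
        alt_names["ip_addresses"] = ip_addresses  # added only when needed, per the Note
    if not alt_names:
        raise ValueError("at least one SAN entry is required")
    return {
        "display_name": display_name,
        "subject": {"attributes": [{"key": k, "value": v} for k, v in subject.items()]},
        "key_size": key_size,
        "algorithm": algorithm,
        "extensions": {"subject_alt_names": alt_names},
    }

def self_sign_path(csr_id, days_valid):
    """Path and query for the self_sign POST, using the CSR ID from step 2."""
    if type(days_valid) is not int or days_valid < 1:
        raise ValueError("days_valid must be a positive integer")
    return (f"/api/v1/trust-management/csrs/{quote(str(csr_id), safe='')}"
            f"?action=self_sign&days_valid={days_valid}")
```

Serialize the returned dictionary with json.dumps to obtain the request body; the CSR ID and validity period passed to self_sign_path are whatever your environment returns and requires.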