Certificate Alarm Occurs in NSX Manager When ClientAuth Is Missing in Extended Key Usage

Article ID: 423955

Updated On:

Products

VMware vDefend Firewall
VMware vDefend Firewall with Advanced Threat Prevention

Issue/Introduction

This alarm is raised when a user-provided certificate is found in use as an Agent client certificate on an onboarded NSX Manager Site and that certificate does not have ClientAuth in its ExtendedKeyUsage field.

Environment

SSP 5.1.1

Cause

This alarm will be seen when a user-provided certificate that is missing ClientAuth in the ExtendedKeyUsage field is being used for the communication between SSP and the NSX Manager Site. The ExtendedKeyUsage currently set on the certificate can be inspected with openssl.

From a terminal, run:

openssl x509 -in <certificate_file> -noout -text

In the output, under "X509v3 extensions", look for the property "X509v3 Extended Key Usage". If serverAuth is set, the value includes "TLS Web Server Authentication"; if clientAuth is set, the value includes "TLS Web Client Authentication".

If the certificate has only serverAuth and no clientAuth, a new certificate will need to be generated.

Resolution

To resolve the alarm, generate a new certificate that has ClientAuth in the EKU field to replace the certificate for which the alarm was raised.
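The following script is an added example and is not part of this article or of the SSP/NSX product; it only assumes the openssl command-line tool is on PATH. It wraps the check from the Cause section (reading the "X509v3 Extended Key Usage" line of "openssl x509 -noout -text") in a function that reports whether clientAuth is present, and shows how a replacement certificate carrying both serverAuth and clientAuth can be generated for the Resolution step. The self-signed certificate it creates, the subject name "ssp-agent-test" and the file names are constructed for demonstration; a production replacement would normally be issued by your CA with the same EKU settings.

```shell
#!/bin/sh
# Added example (not from the KB article). Assumes the openssl CLI is on PATH.

# eku_of CERT_FILE
#   Prints the value line that follows "X509v3 Extended Key Usage" in the
#   openssl text dump, e.g. "TLS Web Server Authentication, TLS Web Client Authentication".
#   Prints nothing if the certificate has no EKU extension.
eku_of() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | awk '/X509v3 Extended Key Usage/ { getline; sub(/^[ \t]+/, ""); print; exit }'
}

# has_client_auth CERT_FILE
#   Returns 0 when clientAuth is present in the EKU, 1 otherwise.
#   This is the condition the NSX Manager certificate alarm checks for.
has_client_auth() {
  _eku=$(eku_of "$1")
  case "$_eku" in
    *"TLS Web Client Authentication"*) return 0 ;;
    *) return 1 ;;
  esac
}

# make_test_cert OUT_PREFIX EKU_LIST
#   Generates a throwaway self-signed certificate (constructed for this example)
#   with the given EKU list, e.g. "serverAuth,clientAuth".
#   Writes OUT_PREFIX.key and OUT_PREFIX.crt. Requires OpenSSL 1.1.1 or newer
#   for the -addext option. An EC key is used so generation is fast.
make_test_cert() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$1.key" -out "$1.crt" -days 1 \
    -subj "/CN=ssp-agent-test" \
    -addext "extendedKeyUsage=$2" >/dev/null 2>&1
}

# check_cert CERT_FILE
#   Human-readable verdict for one certificate file.
check_cert() {
  if has_client_auth "$1"; then
    echo "OK      $1 : $(eku_of "$1")"
  else
    echo "MISSING $1 : clientAuth not in EKU (got: '$(eku_of "$1")') - regenerate"
  fi
}

# Usage: sh check_eku.sh cert1.pem [cert2.pem ...]
for cert in "$@"; do
  check_cert "$cert"
done
```

Run it against the certificate the alarm names; a "MISSING" line confirms the cause described above, and the make_test_cert function shows the one setting that the replacement certificate must carry (extendedKeyUsage including clientAuth) regardless of which tool or CA issues it.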
