Replacing NSX Manager Certificates for LOCAL_MANAGER Fails with "General error" (error_code 100)
Article ID: 430436
Products

VMware NSX

Issue/Introduction

  • When replacing the default SSL certificates for NSX Manager (specifically for the LOCAL_MANAGER service on ports 1234 and 1236) with CA-signed certificates, the process fails with a "General error" (error_code 100). This often occurs during remediation of security scans (e.g., Nessus) flagging "SSL Certificate Cannot Be Trusted."

The following error is observed in the API response:

{
    "module_name" : "common-services",
    "error_message" : "General error has occurred.",
    "details" : "Handler dispatch failed; nested exception is java.lang.IllegalAccessError: class com.vmware.nsx.management.truststore.service.impl.TrustStoreServiceImpl... cannot access class sun.security.validator.ValidatorException",
    "error_code" : 100
}

Environment

VMware NSX

Cause

The failure occurs because the certificate's Extended Key Usage (EKU) does not match the LOCAL_MANAGER service requirement.

LOCAL_MANAGER (used for Federation) requires the Client Authentication (clientAuth) EKU, because the Local Manager presents this certificate when it authenticates as a TLS client.

The certificate passes the initial validation step, since it contains serverAuth and is otherwise well-formed, but the apply operation fails because LOCAL_MANAGER mandates clientAuth. A certificate with only serverAuth cannot be used for TLS client authentication.

The API response does not name the EKU problem: the "details" field shows only a java.lang.IllegalAccessError raised by the truststore service while it handles the underlying sun.security.validator.ValidatorException, so the message alone does not reveal the cause.

Resolution

1. Check if Replacement is Needed

  • Non-Federated Setup: If NSX Federation is not in use, the LOCAL_MANAGER certificate is not required.

  • Recommendation: Keep the default self-signed certificate to avoid EKU-related issues and maintain readiness for future Federation use.

  • Federated Setup: A CA-signed certificate is required and must include the correct EKU.

2. Certificate Requirements

If replacing the certificate (e.g., for security compliance), ensure it includes:

  • Mandatory: Client Authentication (OID 1.3.6.1.5.5.7.3.2)

  • Recommended: Both Client Authentication and Server Authentication (especially if reused for UI/API)

  • CA Template Guidance: Do not use the "Web Server" only template. Use a template that includes "Client Authentication."

3. Verify Before Applying

Use the following OpenSSL command to check the EKU before uploading the certificate (the -ext option requires OpenSSL 1.1.1 or later; on older builds, run openssl x509 -in certificate.pem -noout -text and read the "X509v3 Extended Key Usage" block):

openssl x509 -in certificate.pem -noout -ext extendedKeyUsage

  • Pass: Shows TLS Web Client Authentication (clientAuth, OID 1.3.6.1.5.5.7.3.2), ideally together with TLS Web Server Authentication

  • Fail: Shows only TLS Web Server Authentication, or no Extended Key Usage at all (certificate must be re-issued from a template that includes Client Authentication)
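The following script is an added example and is not part of the KB article or of any VMware tooling. It generates three throwaway self-signed certificates (constructed test data: one issued like a "Web Server" template with serverAuth only, one with both EKUs, and one with no EKU at all) and runs the EKU check from step 3 against each, so the pass/fail outcomes can be seen before a real CA-signed certificate is uploaded. The function names make_cert and check_eku and the subject nsxmgr.example.test are assumptions of this example. Generating the test certificates needs OpenSSL 1.1.1 or later for -addext; check_eku itself falls back to the -text form when -ext is not available.

```shell
#!/bin/sh
# Added example, not part of the KB article: build throwaway self-signed
# certificates with different EKU sets and run the article's EKU check on
# each. Requires OpenSSL 1.1.1+ for -addext; the check falls back to -text.
set -eu

WORK="${TMPDIR:-/tmp}/nsx-eku-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# make_cert <name> <extendedKeyUsage list or empty string>
# Constructed test data only: a 1-day self-signed certificate carrying the
# requested EKU (or none). Prints the path of the PEM file.
make_cert() {
    name=$1
    eku=${2:-}
    ext=""
    if [ -n "$eku" ]; then
        ext="-addext extendedKeyUsage=$eku"
    fi
    # $ext is deliberately unquoted: an empty value must add no argument.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=nsxmgr.example.test" $ext \
        -keyout "$WORK/$name.key" -out "$WORK/$name.pem" >/dev/null 2>&1
    printf '%s\n' "$WORK/$name.pem"
}

# check_eku <cert.pem>
# Prints PASS, PASS-CLIENTAUTH-ONLY, FAIL-SERVERAUTH-ONLY or FAIL-NO-EKU and
# returns 0 only when the mandatory clientAuth EKU (1.3.6.1.5.5.7.3.2) is present.
check_eku() {
    # Prefer the article's -ext form; fall back to -text on OpenSSL < 1.1.1.
    eku=$(openssl x509 -in "$1" -noout -ext extendedKeyUsage 2>/dev/null) ||
        eku=$(openssl x509 -in "$1" -noout -text 2>/dev/null |
              sed -n '/X509v3 Extended Key Usage/{n;p;}')
    client=0
    server=0
    case "$eku" in *"TLS Web Client Authentication"*) client=1 ;; esac
    case "$eku" in *"TLS Web Server Authentication"*) server=1 ;; esac
    if [ "$client" = 1 ] && [ "$server" = 1 ]; then
        echo PASS; return 0
    elif [ "$client" = 1 ]; then
        # Meets the LOCAL_MANAGER requirement, but not ideal if reused for UI/API.
        echo PASS-CLIENTAUTH-ONLY; return 0
    elif [ "$server" = 1 ]; then
        # The "Web Server" template case that triggers error_code 100.
        echo FAIL-SERVERAUTH-ONLY; return 1
    else
        echo FAIL-NO-EKU; return 1
    fi
}

ONLY_SERVER=$(make_cert web-server-template serverAuth)
BOTH=$(make_cert client-and-server serverAuth,clientAuth)
NO_EKU=$(make_cert no-eku "")

for cert in "$ONLY_SERVER" "$BOTH" "$NO_EKU"; do
    printf '%s: ' "$(basename "$cert")"
    check_eku "$cert" || true   # keep going even when a certificate fails
done
```

Run check_eku against the PEM you intend to upload; only a PASS or PASS-CLIENTAUTH-ONLY result is worth submitting to the LOCAL_MANAGER service, and a FAIL-SERVERAUTH-ONLY result means the certificate was issued from a "Web Server" style template and must be re-issued.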