Vulnerability scanner reports SSL Certificate errors (Self-Signed, Signature Verification Failed) on NSX Manager



Article ID: 432047


Products

VMware NSX

Issue/Introduction

Security scanning tools (e.g., Qualys) detect the following SSL/TLS vulnerabilities on the NSX Manager appliance:

  • SSL Certificate - Invalid Maximum Validity Date Detected

  • SSL Certificate - Signature Verification Failed Vulnerability

  • SSL Certificate - Self-Signed Certificate

Environment


  • VMware NSX

  • VMware NSX-T Data Center


Cause

The NSX Manager appliance ships with a default self-signed SSL certificate. Security scanners flag this certificate as untrusted (the "Self-Signed Certificate" and "Signature Verification Failed" findings) because it has no verifiable chain of trust to a recognized root Certificate Authority (CA), and its default validity period triggers the "Invalid Maximum Validity Date Detected" finding.

Resolution

To resolve these SSL/TLS vulnerabilities, the default self-signed certificate must be replaced with a certificate signed by a Trusted Certificate Authority (CA).

  1. Generate a Certificate Signing Request (CSR) and obtain a CA-signed certificate from your organization's trusted Certificate Authority.

  2. Import the CA-signed certificate and the full certificate chain into the NSX Manager.

  3. Apply the new certificate to the NSX Manager cluster/nodes.

For the exact API payload and steps to replace the certificate, refer to the official documentation: https://techdocs.broadcom.com/us/en/vmware-cis/nsx/vmware-nsx/4-1/administration-guide/certificates/importing-certificates/replace-certificates-through-api.html
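The following script is an added example and is not part of this KB article or the NSX product documentation. It covers step 1 (a CSR carrying SANs for the node FQDN and the cluster VIP name) and adds two pre-import checks that mirror the scanner findings: the candidate certificate must chain to the CA bundle you will import, and its validity period must fall within your organisation's limit. The hostnames, the 398-day MAX_DAYS value and the throwaway lab CA are placeholders and constructed fixtures; only openssl on PATH is assumed.

```shell
#!/bin/sh
# Added example, not from the KB article or the NSX product docs.
# Pre-flight checks for an NSX Manager certificate replacement: build the CSR
# (KB step 1) and confirm a candidate certificate clears the scanner findings
# (trust chain, validity period) before it is imported (KB steps 2-3).
# Assumptions: openssl on PATH; FQDN, VIP name and MAX_DAYS are placeholders.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
NSX_FQDN="${NSX_FQDN:-nsxmgr-01.example.com}"   # placeholder node FQDN
NSX_VIP="${NSX_VIP:-nsx.example.com}"            # placeholder cluster VIP name
MAX_DAYS="${MAX_DAYS:-398}"                       # placeholder: org validity limit

# KB step 1: private key + CSR with SANs for the node FQDN and the cluster VIP.
# Returns 0 when the CSR was written and carries the VIP SAN.
make_csr() {
  cat > "$WORKDIR/csr.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
CN = $NSX_FQDN
[ext]
subjectAltName = DNS:$NSX_FQDN,DNS:$NSX_VIP
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORKDIR/nsx.key" -out "$WORKDIR/nsx.csr" \
    -config "$WORKDIR/csr.cnf" 2>/dev/null
  openssl req -in "$WORKDIR/nsx.csr" -noout -text | grep -q "DNS:$NSX_VIP"
}

# "Self-Signed" / "Signature Verification Failed" check:
# returns 0 only if the leaf in $1 chains to the CA bundle in $2.
chain_verifies() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# "Invalid Maximum Validity Date" check: returns 0 only if the certificate
# expires within MAX_DAYS from now (for a freshly issued cert this is its
# validity period). openssl -checkend exits 0 when the cert will NOT expire
# inside the window, so that case is the policy violation.
validity_within_policy() {
  if openssl x509 -in "$1" -noout -checkend "$((MAX_DAYS * 86400))" >/dev/null; then
    return 1
  fi
  return 0
}

# Returns 0 if the candidate in $1 clears both findings against chain $2.
ready_to_import() {
  chain_verifies "$1" "$2" && validity_within_policy "$1"
}

# Constructed fixtures so the checks can run offline:
#  - a 10-year self-signed cert, standing in for the appliance default
#  - a throwaway lab CA and a 365-day CA-issued cert, standing in for the replacement
make_fixtures() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=$NSX_FQDN" -keyout "$WORKDIR/self.key" -out "$WORKDIR/self.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example Lab CA" -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.pem" 2>/dev/null
  make_csr
  openssl x509 -req -in "$WORKDIR/nsx.csr" -CA "$WORKDIR/ca.pem" -CAkey "$WORKDIR/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORKDIR/csr.cnf" -extensions ext \
    -out "$WORKDIR/issued.pem" 2>/dev/null
}

if [ "${1:-}" = "demo" ]; then
  make_fixtures
  ready_to_import "$WORKDIR/self.pem" "$WORKDIR/ca.pem" \
    && echo "default self-signed cert: clears checks" \
    || echo "default self-signed cert: fails scanner checks (expected)"
  ready_to_import "$WORKDIR/issued.pem" "$WORKDIR/ca.pem" \
    && echo "CA-issued cert: ready to import" \
    || echo "CA-issued cert: fails checks"
fi
```

Run it as `sh check-nsx-cert.sh demo` to see the constructed default-style certificate fail both checks and the CA-issued one pass. For a real replacement, point `chain_verifies` at the CA bundle you intend to upload in step 2 and `validity_within_policy` at the certificate returned by your CA; the `-checkend` window is measured from the current time, so run the validity check shortly after issuance.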

Additional Information

Ensure that the validity period of the new CA-signed certificate complies with your organization's maximum validity date policy; otherwise the "Invalid Maximum Validity Date Detected" finding will persist even after the self-signed certificate has been replaced.