NSX Client Certificate Prompt with Smart Card Root Cert Due to SSP Ingress Certificate

Article ID: 433678

Products

VMware vDefend Firewall with Advanced Threat Prevention

Issue/Introduction

After completing authentication through VMware Identity Manager (vIDM) and being redirected back to NSX, users are unexpectedly prompted to select a client certificate in their browser. This prompt interferes with normal access and cannot simply be dismissed by selecting the displayed smart card certificate.

Examples:

  • Users see a certificate selection prompt after vIDM authentication completes.
  • Selecting a smart card certificate causes an authentication error — there is no NSX principal identity associated with the smart card cert.
  • Users must cancel the prompt to proceed, which can be confusing and may block access if the browser enforces a selection.

Environment

  • All supported NSX versions
  • SSP 5.x
  • NSX ingress/VIP certificate and smart card certificates share the same Root CA

Cause

The issue originates from how SSP creates a principal identity for NSX during integration. SSP uses the ingress/VIP certificate as the authentication certificate for this principal identity. Because this ingress certificate is signed by the Root CA, NSX advertises that CA as an acceptable authority for client certificate authentication.

When users' smart card certificates are also signed by that same Root CA, the browser finds a client certificate matching the advertised CA, treats the advertisement as a request for that certificate, and prompts the user to select it.
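A diagnostic check for the behaviour described above, added here as an example rather than taken from the KB: it reads the CA list the NSX VIP sends in its TLS CertificateRequest (via openssl s_client, assumed to be on PATH) and flags which certificates in the Windows user store chain to one of those CAs. The host name nsx.example.com is a placeholder.

```powershell
# Added example (not from the KB): report which client-certificate CAs the NSX
# VIP advertises and whether any certificate in the user's personal store
# (where smart card certs are propagated) chains to one of them.
function Get-AdvertisedClientCAs {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    # SNI via -servername; empty stdin makes s_client exit after the handshake.
    $lines = @("" | & openssl s_client -connect "${HostName}:${Port}" -servername $HostName 2>$null)
    $start = [array]::IndexOf($lines, 'Acceptable client certificate CA names')
    if ($start -lt 0) { return @() }          # no CertificateRequest, nothing advertised
    $cas = @()
    for ($i = $start + 1; $i -lt $lines.Count; $i++) {
        # The DN list ends at the next s_client section header
        if ($lines[$i] -match '^(Client Certificate Types|Requested Signature Algorithms|---)') { break }
        $cas += $lines[$i].Trim()
    }
    return $cas
}

function Test-SmartCardCAOverlap {
    param([Parameter(Mandatory)][string]$HostName)
    $advertised = Get-AdvertisedClientCAs -HostName $HostName
    foreach ($cert in Get-ChildItem Cert:\CurrentUser\My) {
        # Issuer is a Windows DN string such as "CN=Root CA, O=Corp, C=US"
        $issuerCN = ($cert.Issuer -split ',\s*' | Where-Object { $_ -like 'CN=*' }) -replace '^CN=', ''
        if (-not $issuerCN) { continue }
        # OpenSSL prints DNs as "C = US, O = Corp, CN = Root CA" (older builds: "/C=US/O=Corp/CN=Root CA")
        $hit = $advertised | Where-Object { $_ -match "CN\s*=\s*$([regex]::Escape($issuerCN))" }
        [pscustomobject]@{
            Subject        = $cert.Subject
            IssuerCN       = $issuerCN
            WillBePrompted = [bool]$hit   # true: this cert matches a CA NSX advertises
        }
    }
}

# Any row with WillBePrompted = True is a certificate the browser will offer in the dialog.
Test-SmartCardCAOverlap -HostName 'nsx.example.com' | Format-Table -AutoSize
```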

Resolution

There is no single mandatory fix. The following approaches address the issue at different levels of the stack — choose the option that best fits your environment's security policy and operational constraints.

Option 1 — Use a Different CA for Server Certificates (Recommended Where Feasible)

The cleanest long-term resolution is to ensure the NSX ingress/VIP certificate and the smart card certificates are signed by different CAs. When these two certificate chains are distinct, NSX will not advertise a CA that matches the smart card, and the browser will not prompt.

NOTE: This requires a change to PKI/CA configuration. Coordinate with your security or PKI team before making changes. This option may not be feasible in environments with a single unified Root CA.

Option 2 — Browser-Level Client Certificate Policy (Enterprise Managed)

Enterprise browsers can be configured to suppress the client certificate prompt for specific URLs. This approach does not require changes to the certificate infrastructure and can be deployed via group policy or MDM.

Chromium-Based Browsers (Google Chrome / Microsoft Edge)

Chrome and Edge prompt for a client certificate when a website requests mutual TLS authentication and one or more matching certificates are found in the operating system's certificate store.

Default browser behavior:

  • If multiple valid certificates match the server's criteria, a selection dialog is shown.
  • If only one valid certificate exists, Chrome may auto-select it, though a prompt is standard behavior.
  • If no valid certificates are found, the connection may fail or the prompt may still appear.
  • Chrome caches the selected certificate per session, which can make switching certificates difficult without restarting the browser.

Enterprise policy — AutoSelectCertificateForUrls

Administrators can configure the AutoSelectCertificateForUrls policy to automatically suppress the certificate prompt for specific URLs and, optionally, automatically select a designated certificate.

Example registry policy value (Windows), stored as a numbered string value under the policy key:

Key:        HKLM\Software\Policies\Google\Chrome\AutoSelectCertificateForUrls

Value name: 1 (REG_SZ)

Data:       {"pattern":"https://[*.]nsx.example.com","filter":{}}

Setting an empty filter ("filter":{}) suppresses the prompt without selecting a certificate. A more specific filter can target a certificate by issuer or subject.

NOTE: For Microsoft Edge, the equivalent policy is AutoSelectCertificateForUrls under the Edge policy namespace. Refer to Microsoft documentation for the correct registry path.
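The registry policy above applied with PowerShell for both Chrome and Edge, as an added example that is not from the KB or from VMware; the Edge key is Microsoft's documented policy path for Edge (Chromium), and the URL pattern and issuer name are placeholders.

```powershell
# Added example (not from the KB): write an AutoSelectCertificateForUrls entry as a
# machine policy for Chrome and Edge. Run from an elevated PowerShell session.
function Set-ClientCertAutoSelectPolicy {
    param(
        [Parameter(Mandatory)][string]$UrlPattern,   # e.g. https://[*.]nsx.example.com
        [hashtable]$Filter = @{}                      # empty filter, as in the KB example
    )
    # Policy entries are stringified JSON: {"pattern":"...","filter":{...}}
    $entry = [ordered]@{ pattern = $UrlPattern; filter = $Filter } | ConvertTo-Json -Compress
    $keys = @(
        'HKLM:\Software\Policies\Google\Chrome\AutoSelectCertificateForUrls',
        'HKLM:\Software\Policies\Microsoft\Edge\AutoSelectCertificateForUrls'   # Edge policy namespace
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $names = (Get-Item $key).GetValueNames()
        # Skip if an identical entry is already present under this key.
        if ($names | Where-Object { (Get-ItemPropertyValue -Path $key -Name $_) -eq $entry }) { continue }
        # List policies are REG_SZ values named "1", "2", ...; append after the highest.
        $numbers = $names | Where-Object { $_ -match '^\d+$' } | ForEach-Object { [int]$_ }
        $next = if ($numbers) { ($numbers | Measure-Object -Maximum).Maximum + 1 } else { 1 }
        New-ItemProperty -Path $key -Name $next -Value $entry -PropertyType String | Out-Null
    }
    return $entry
}

# Suppress the prompt for the NSX VIP with an empty filter (KB example).
Set-ClientCertAutoSelectPolicy -UrlPattern 'https://[*.]nsx.example.com'

# Alternatively, restrict auto-selection to certificates from a specific issuer (placeholder CN):
# Set-ClientCertAutoSelectPolicy -UrlPattern 'https://[*.]nsx.example.com' -Filter @{ ISSUER = @{ CN = 'Internal Issuing CA' } }
```

Users must restart the browser or wait for policy refresh before the new entry takes effect.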

Mozilla Firefox

Firefox has a similar configuration option. In enterprise deployments, security.default_personal_cert can be set to Select Automatically to suppress the dialog. Additionally, Firefox Enterprise Policies support the Certificates policy object for more granular control.

Safari / macOS

Safari uses the macOS Keychain and does not support equivalent enterprise URL-level certificate selection policies. In this case, Option 1 (separate CA chains) is the preferred resolution.

Option 3 — Restrict the NSX Principal Identity Certificate

If SSP configuration allows, review how the NSX principal identity certificate is assigned. If possible, configure the SSP-NSX integration to use a certificate that is not signed by the same Root CA as end-user smart card certificates. This limits which CAs NSX advertises for client authentication.

NOTE: This requires review of the SSP integration configuration and may not be supported in all SSP 5.x versions. Consult SSP documentation or VMware Support before attempting.