NSX and vCenter Server Machine SSL Certificate Extended Key Usage Requirements

Article ID: 434679

Products

  • VMware NSX
  • VMware vCenter Server

Issue/Introduction

Administrators need clarification on which Extended Key Usage (EKU) values custom certificates applied to VMware NSX and vCenter Server must carry. An incorrect EKU configuration leads to cluster synchronization faults, upgrade pre-check failures, and disconnects of external storage (VASA) providers.

Environment

  • VMware vCenter Server
  • VMware NSX

Cause

The EKU requirements differ between NSX Manager cluster nodes and vCenter Server. Reusing a single certificate template across both product stacks without adjusting the EKU extension produces certificates that one product accepts and the other rejects, which surfaces as TLS validation failures between the components.

Resolution

  • NSX Manager cluster (APH-TN) certificates: the EKU extension must contain both Server Authentication (TLS Web Server Authentication) and Client Authentication (TLS Web Client Authentication), each listed exactly once. A missing usage or a duplicated EKU entry severs communication between Management Plane nodes.

  • vCenter Server Machine SSL certificates: the EKU extension must be either absent entirely or contain only Server Authentication. Client Authentication is not required for the Machine SSL certificate and must not be added to it.

  • ESXi host certificates: if the host must authenticate as a TLS client to an external service (for example, a VASA Provider for vVols), the host certificate's EKU must contain both Server Authentication and Client Authentication.
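The three rules above reduce to a check that can be run on any candidate certificate before it is installed. What follows is an added example, not VMware tooling: a standard-library Python script that walks the certificate's DER encoding, extracts the extKeyUsage OIDs in the order they appear, and applies the NSX Manager rule (both usages, no duplicates) and the vCenter Machine SSL rule (no EKU, or Server Authentication only). The NSX check also covers what the ESXi-to-VASA case needs, namely both usages present. The fixtures in SAMPLES are constructed Extensions blocks rather than real certificates, and the script name eku_check.py and the function names are assumptions of this example.

```python
"""Check a certificate's Extended Key Usage (EKU) against the NSX Manager and
vCenter Machine SSL rules above, standard library only (a small DER walker
instead of an X.509 library). The fixtures at the bottom are constructed."""
import base64
import re
import sys

OID_EKU = "2.5.29.37"              # id-ce-extKeyUsage
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth (TLS Web Server Authentication)
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"  # id-kp-clientAuth (TLS Web Client Authentication)

def load_der(blob):
    """Accept a PEM or DER certificate and return its DER bytes."""
    if b"-----BEGIN" in blob:
        body = re.search(rb"-----BEGIN [^-]+-----(.*?)-----END", blob, re.S).group(1)
        return base64.b64decode(b"".join(body.split()))
    return blob

def _tlv(data, pos):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                           # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _children(data):
    """Yield (tag, value) for every TLV packed inside a constructed value."""
    pos = 0
    while pos < len(data):
        tag, value, pos = _tlv(data, pos)
        yield tag, value

def _decode_oid(content):
    """Decode OID content octets (base-128, high bit = continue) to dotted text."""
    parts, acc = [str(content[0] // 40), str(content[0] % 40)], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)

def find_eku(der):
    """EKU OIDs in certificate order (duplicates kept); None if no extKeyUsage."""
    for tag, value in _children(der):
        if tag == 0x30:                         # SEQUENCE: is it an Extension?
            kids = list(_children(value))
            if kids and kids[0][0] == 0x06 and _decode_oid(kids[0][1]) == OID_EKU:
                octets = kids[-1][1]            # extnValue (after optional critical flag)
                _, inner, _ = _tlv(octets, 0)   # ExtKeyUsageSyntax ::= SEQUENCE OF OID
                return [_decode_oid(v) for t, v in _children(inner) if t == 0x06]
        if tag & 0x20:                          # any constructed node: descend
            found = find_eku(value)
            if found is not None:
                return found
    return None

def check_nsx_manager(eku):
    """NSX Manager cluster cert: serverAuth and clientAuth, each exactly once."""
    if eku is None:
        return False, "no EKU extension; NSX needs serverAuth and clientAuth"
    if len(eku) != len(set(eku)):
        return False, "duplicate EKU entries"
    missing = [n for o, n in ((SERVER_AUTH, "serverAuth"), (CLIENT_AUTH, "clientAuth")) if o not in eku]
    return (False, "missing " + ", ".join(missing)) if missing else (True, "ok")

def check_vcenter_machine_ssl(eku):
    """vCenter Machine SSL cert: no EKU extension at all, or exactly serverAuth."""
    if eku is None or eku == [SERVER_AUTH]:
        return True, "ok"
    return False, "EKU must be absent or serverAuth only, got %s" % eku

# Constructed fixtures: a bare [3] Extensions block standing in for a certificate.
def _enc(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _oid(dotted):
    a, b, *rest = (int(x) for x in dotted.split("."))
    assert all(v < 128 for v in rest), "single-byte arcs only (true for every OID used here)"
    return _enc(0x06, bytes([40 * a + b] + rest))

def eku_extensions(*usages):
    """[3] { SEQUENCE { SEQUENCE { OID extKeyUsage, OCTET STRING { SEQUENCE OF OID } } } }"""
    inner = _enc(0x30, b"".join(_oid(u) for u in usages))
    return _enc(0xA3, _enc(0x30, _enc(0x30, _oid(OID_EKU) + _enc(0x04, inner))))

SAMPLES = {
    "server_and_client": eku_extensions(SERVER_AUTH, CLIENT_AUTH),       # NSX ok
    "duplicate": eku_extensions(SERVER_AUTH, SERVER_AUTH, CLIENT_AUTH),  # NSX fails
    "server_only": eku_extensions(SERVER_AUTH),                          # vCenter ok
    "no_eku": _enc(0xA3, _enc(0x30, b"")),                               # vCenter ok
}

if __name__ == "__main__":                      # usage: python eku_check.py [cert.pem]
    inputs = {sys.argv[1]: load_der(open(sys.argv[1], "rb").read())} if len(sys.argv) > 1 else SAMPLES
    for name, der in inputs.items():
        eku = find_eku(der)
        print(name, eku, check_nsx_manager(eku), check_vcenter_machine_ssl(eku))
```

Run it with the path of a PEM or DER certificate to check a real candidate; with no argument it reports on the constructed fixtures. To cross-check against OpenSSL 1.1.1 or later, `openssl x509 -in cert.pem -noout -ext extendedKeyUsage` prints the same list, and a usage that appears twice there is the duplicate-entry case the NSX rule rejects.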

Additional Information

  • vSphere Certificate Requirements for Different Solution Paths
  • NSX Manager prechecks fail unable to parse certificate
  • vVol sync error failed to get endpoint