Certificate Sharing Guidelines and minimum number of certificates needed for NSX 4.2.x and Above

Article ID: 413895

Products

VMware NSX

Issue/Introduction

  • This article outlines the minimum number of CA-signed certificates required for a standard three-node NSX Manager cluster.

  • It also provides detailed guidance on which services support certificate sharing, and which require node-specific certificates.


Environment

VMware NSX 4.2.X

Resolution


In a standard three-node NSX Manager cluster, the following CA-signed certificates are required. Adding up the quantities below, the minimum is ten certificates per deployment: one shared API/VIP certificate plus three per-node certificates for each of the other three services.

  • API & MGMT_CLUSTER (VIP)
    Quantity per NSX deployment: 1
    Description: One shared certificate for the API on all three NSX Manager nodes and the cluster Virtual IP (VIP).
    Sharing allowed: Yes. The API and cluster VIP certificate can be shared across all three NSX Manager nodes if the CA-signed certificate includes each node's FQDN or IP address in the SAN (Subject Alternative Name) field, or if it uses a wildcard FQDN and the nodes have properly configured FQDNs resolvable via DNS.

  • APH / APH_TN / CCP
    Quantity per NSX deployment: 3
    Description: One shared certificate per NSX Manager node.
    Sharing allowed: Yes, between the APH, APH_TN and CCP services on the same node; it cannot be shared across NSX Manager nodes. For creating a custom CSR, refer to KB Generate a CSR for a Shared CA Certificate for APH, APH_TN, and CCP Services in NSX.

  • CBM_CORFU
    Quantity per NSX deployment: 3
    Description: One certificate per NSX Manager node.
    Sharing allowed: No. These certificates must be unique per NSX Manager node in the cluster and cannot be shared.

  • CBM_CLUSTER_MANAGER
    Quantity per NSX deployment: 3
    Description: One certificate per NSX Manager node.
    Sharing allowed: No. As with CBM_CORFU, one certificate is required per NSX Manager node (three per cluster), so a single certificate cannot cover more than one node.
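The sharing condition for the API/VIP certificate above is easy to get wrong: a certificate issued for the VIP name alone will install on each node but will not cover the node FQDNs, and a wildcard only helps if it sits at the same label depth as the node names. The following Python is an added example, not code from the Broadcom KB or from NSX: it builds the SAN list a shared API/VIP certificate needs, builds the per-node SAN list for the APH/APH_TN/CCP certificate described in the second entry, renders either as an openssl.cnf [alt_names] section, and checks an arbitrary SAN list against the cluster so you can verify coverage before applying one certificate to all three nodes. The node names, IP addresses and VIP are constructed placeholders.

```python
"""
Added example (not from the Broadcom KB): plan and verify SAN coverage for
NSX Manager certificates. Hostnames and IPs below are constructed placeholders.
"""
import ipaddress

# Constructed sample cluster: node FQDN -> node IP (placeholders, not real).
NODES = {
    "nsx-mgr-01.corp.example": "10.10.0.11",
    "nsx-mgr-02.corp.example": "10.10.0.12",
    "nsx-mgr-03.corp.example": "10.10.0.13",
}
VIP_FQDN = "nsx-mgr.corp.example"   # placeholder cluster VIP name
VIP_IP = "10.10.0.10"               # placeholder cluster VIP address


def shared_san_entries(nodes, vip_fqdn, vip_ip):
    """SAN entries for ONE certificate shared by the API on all nodes and the VIP:
    every node FQDN and IP plus the VIP FQDN and IP (the KB's sharing condition)."""
    entries = [("DNS", vip_fqdn), ("IP", vip_ip)]
    for fqdn, ip in nodes.items():
        entries.append(("DNS", fqdn))
        entries.append(("IP", ip))
    return entries


def per_node_san_entries(nodes):
    """One SAN list per node for the APH/APH_TN/CCP certificate. The KB allows
    sharing across those three services on a node, never across nodes, so each
    list names only its own node."""
    return {fqdn: [("DNS", fqdn), ("IP", ip)] for fqdn, ip in nodes.items()}


def openssl_alt_names(entries):
    """Render SAN entries as an openssl.cnf [alt_names] section
    (DNS.1 = ..., IP.1 = ..., numbered per type)."""
    lines = ["[alt_names]"]
    counters = {}
    for kind, value in entries:
        counters[kind] = counters.get(kind, 0) + 1
        lines.append(f"{kind}.{counters[kind]} = {value}")
    return "\n".join(lines)


def _dns_matches(san_name, host):
    """Exact match, or a single leftmost-label wildcard ("*.corp.example" covers
    "nsx-mgr-01.corp.example" but not "a.b.corp.example" or "corp.example")."""
    san_name = san_name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if san_name == host:
        return True
    if san_name.startswith("*."):
        same_depth = host.count(".") == san_name.count(".")
        return same_depth and host.endswith(san_name[1:]) and not host.startswith(".")
    return False


def uncovered_hosts(san_entries, nodes, vip_fqdn, vip_ip):
    """Return the identities (node FQDNs and the VIP name) that the SAN list does
    NOT cover. An identity is covered if its FQDN matches a DNS SAN (exact or
    wildcard) or its IP appears as an IP SAN. Wildcards never cover IPs, and a
    wildcard match still requires the node FQDNs to resolve in DNS, which this
    offline check cannot verify."""
    dns_sans = [value for kind, value in san_entries if kind == "DNS"]
    ip_sans = {ipaddress.ip_address(value) for kind, value in san_entries if kind == "IP"}
    targets = dict(nodes)
    targets[vip_fqdn] = vip_ip
    missing = []
    for fqdn, ip in targets.items():
        if any(_dns_matches(san, fqdn) for san in dns_sans):
            continue
        if ipaddress.ip_address(ip) in ip_sans:
            continue
        missing.append(fqdn)
    return missing


def can_share_across_cluster(san_entries, nodes, vip_fqdn, vip_ip):
    """True when one certificate with these SANs may be applied to all nodes and the VIP."""
    return not uncovered_hosts(san_entries, nodes, vip_fqdn, vip_ip)


if __name__ == "__main__":
    shared = shared_san_entries(NODES, VIP_FQDN, VIP_IP)
    print(openssl_alt_names(shared))
    print("shareable:", can_share_across_cluster(shared, NODES, VIP_FQDN, VIP_IP))
    vip_only = [("DNS", VIP_FQDN), ("IP", VIP_IP)]
    print("VIP-only cert leaves uncovered:", uncovered_hosts(vip_only, NODES, VIP_FQDN, VIP_IP))
    for fqdn, entries in per_node_san_entries(NODES).items():
        print(f"# APH/APH_TN/CCP SANs for {fqdn}")
        print(openssl_alt_names(entries))
```

The rendered [alt_names] section is meant to be pasted into an openssl.cnf that references it from a `subjectAltName = @alt_names` line (an assumption about how you generate the CSR, not an NSX-specific requirement). Before requesting a single certificate for all three nodes, run `uncovered_hosts` on the SANs you intend to request; a VIP-only SAN list reports all three node FQDNs as uncovered, which is exactly the case where one certificate cannot be shared.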


For more information on the certificate replacement process, please refer to the official documentation: 

Replace Certificates Through NSX Manager
Apply Certificate to a Service
How to Replace NSX Manager Certificates Using CA-Signed Certificates in NSX 4.x

Additional Information

If this KB article does not resolve the issue, raise a support ticket with Broadcom support, selecting NSX as the product.

Handling Log Bundles for offline review with Broadcom support.