NSX certificates with subject alternate name

Currently have VCF setup with NSX (both -V and -T) whose certificates were signed by our internal Microsoft CA.

When going to the web interface to manage things for NSX I get the cert warning in Chrome because there is no subject alternate name (SAN) attribute. I’m told this is because NSX doesn’t support creating a cert request with any additional fields.

My question: Can I generate a new csr request (via SDDC manager) for the NSX components (both v and t) then manually request a certificate from our internal Microsoft CA and use the attributes field on the web page to add in the missing SAN value?

Technically I know this will work but will NSX complain if I try to use SDDC manager to replace the certificates when then original csr doesn’t have a SAN attribute but my certificate does?

View Reddit by lumpylooView Source

Related Articles


  1. Yes.
    I created my own keys and CSRs off box. Then had my internal CA sign them.
    Four certificates in total for NSX-T (one for each of the managers and one for the cluster).
    Remember to include the full CA chain in the pem file, or you will get errors when importing.

  2. I’ve seen this done recently, and everything seems to have gone well. No complaints from NSX so far. We generated the CSRs via SDDC Manager GUI, generated certificates, placed them back in the same tarball, and then selected the “Upload & Install” button.

    You’ll want to follow the below article to ensure the tarball’s folder structure is accurate, and don’t forget to put the root CA cert into the top-level directory.

    * [https://docs.vmware.com/en/VMware-Cloud-Foundation/3.9/com.vmware.vcf.admin.doc_39/GUID-2A1E7307-84EA-4345-9518-198718E6A8A6.html](https://docs.vmware.com/en/VMware-Cloud-Foundation/3.9/com.vmware.vcf.admin.doc_39/GUID-2A1E7307-84EA-4345-9518-198718E6A8A6.html)

    On a similar note, if you happen to have vRealize Operations and are also replacing certs, you may find that the automated process via SDDC Manager does not replace the certificate for the cluster name, only the individual vROps nodes. We had to manually go into the NSX-V plugin via the MGMT vCenter, find the Load Balancer section, generate a CSR and replace it manually in order to have everything reflecting correct certs. The below blog has similar steps (not identical as an Application Profile would already exist)

    * [http://virtualsouthwest.com/blog/adding-a-chained-ssl-certificate-to-an-nsx-load-balancer-edge](http://virtualsouthwest.com/blog/adding-a-chained-ssl-certificate-to-an-nsx-load-balancer-edge)

Leave a Reply

Your email address will not be published. Required fields are marked *