NSX Manager requires a signed certificate to authenticate the identity of the NSX Manager web service and encrypt information sent to the NSX Manager web server. The process entails generating a certificate signing request (CSR), getting it signed by a CA, and importing the signed SSL certificate into NSX Manager. As a security best practice, you should use the generate certificate option to generate a private key and public key, where the private key is saved to the NSX Manager.
To obtain the NSX Manager certificate, you can use NSX Manager's built-in CSR generator or you can use another tool such as OpenSSL.
A CSR generated using NSX Manager's built-in CSR generator cannot contain extended attributes such as subject alternate name (SAN). If you wish to include extended attributes, you must use another CSR generation tool. If you are using another tool such as OpenSSL to generate the CSR, the process is 1) generate the CSR, 2) have it signed, and 3) proceed to the section Convert the NSX Manager Certificate File to PKCS 12 Format.