Neutron client certificate based authentication to NSX Manager is supported.

Client certificate-based authentication enables the Neutron plugin to login as the principal identity with the Enterprise Administrator role. Other principal identities are not able to edit resources created by the neutron principal identity, thus protecting from accidental errors such as the deletion of a logical router associated to a neutron router. See "View Principal Identity" in NSX-T for Data Center Administration Guide for more information.


  1. To enable client certificate authentication, define the following in the nsx.ini file:
    • nsx_use_client_auth = True
    • nsx_client_cert_storage = nsx-db
    • nsx_client_cert_file = <file to store certificate and private key>
  2. Restart Neutron to pick-up the changes in the nsx.ini file, by running the command: service neutron-server restart.
    Verify that the Neutron Server is using both the neutron.conf and nsx.ini files by running the following command:
    • ps -aux |grep neutron
    Verify that nsx.ini and neutron.conf are present in the output. For example:
    ps -aux |grep neutron
    stack     7688  0.0  1.8 311332 148904 ?       Ss   Nov26  21:10
     /usr/bin/python /usr/local/bin/neutron-server --config-file 
    /etc/neutron/neutron.conf --config-file