Import a Self-signed or CA-signed Certificate

You can import a certificate with a private key to replace the default self-signed certificate, after activation.

You can import self-signed or CA-signed certificates for platform or services using this procedure. Note that a CSR generated on NSX Manager and which is self-signed cannot be used as a service certificate, such as the Load Balancer service. If you want to import a CA certificate for the Load Balancer service, see Import a CA Certificate.

Prerequisites

Verify that a certificate is available.
The server certificate must contain the Basic Constraints extension basicConstraints = cA:FALSE.

Procedure

From your browser, log in with admin privileges to an NSX Manager at https://<nsx-manager-ip-address>.
Select System > Certificates.

Select Import > Import Certificate and enter the certificate details.

Option	Description
Name	Assign a name to the certificate.
Certificate Contents	Browse to the certificate file on your computer and add the file. The certificate must not be encrypted. If it is a CA-signed certificate, be sure to include the whole chain in this order: certificate - intermediate - root.
Private Key	Browse to the private key file on your computer and add the file. This is an optional field if imported certificate is based on NSX Manager generated CSR as a private key already exists on the NSX Manager appliance.
Passphrase	Add a passphrase for this certificate if it is encrypted. In this release, this field is not used because encrypted certificate is not supported.
Description	Enter a description of what is included in this certificate.
Service Certificate	Set to Yes to use this certificate for services such as a load balancer and VPN. Set to No if this certificate is for the NSX Manager nodes.

Click Import.