You can import a certificate with a private key to replace the default self-signed certificate, after activation.

You can import self-signed or CA-signed certificates for platform or services using this procedure. Note that a CSR generated on NSX Manager and which is self-signed cannot be used as a service certificate, such as the Load Balancer service. If you want to import a CA certificate for the Load Balancer service, see Import a CA Certificate.


  • Verify that a certificate is available.
  • The server certificate must contain the Basic Constraints extension basicConstraints = cA:FALSE.


  1. From your browser, log in with admin privileges to an NSX Manager at https://<nsx-manager-ip-address>.
  2. Select System > Certificates.
  3. Select Import > Import Certificate and enter the certificate details.
    Option Description
    Name Assign a name to the certificate.
    Certificate Contents Browse to the certificate file on your computer and add the file. The certificate must not be encrypted. If it is a CA-signed certificate, be sure to include the whole chain in this order: certificate - intermediate - root.
    Private Key Browse to the private key file on your computer and add the file. This is an optional field if imported certificate is based on NSX Manager generated CSR as a private key already exists on the NSX Manager appliance.
    Passphrase Add a passphrase for this certificate if it is encrypted. In this release, this field is not used because encrypted certificate is not supported.
    Description Enter a description of what is included in this certificate.
    Service Certificate Set to Yes to use this certificate for services such as a load balancer and VPN. Set to No if this certificate is for the NSX Manager nodes.
  4. Click Import.