The Kafka messaging client self-signed certificate is used by the NSX Intelligence common agent that is running in the NSX Manager unified appliance. It only supports RSA encryption. You can replace that default self-signed certificate with a CA-signed certificate.

You can replace the default self-signed certificate with either a CA-signed certificate with a private key or a CA-signed certificate with a CSR. When the certificate is being imported, the Kafka messaging service used by the NSX Manager unified appliance becomes unavailable.


  • You must have Enterprise Admin account privileges.
  • Ensure that no active alarms exist on the NSX Application Platform.
  • Verify that you have a valid certificate with a private key or a certificate with a certificate signing request (CSR). You must generate the CSR using the NSX Manager UI.


  1. Log into the NSX Manager appliance as with an Enterprise Admin user account.
  2. Import the CA-signed certificate on the NSX Manager by running the following command at the system command prompt.
    curl -v -H "Content-Type: application/json" -ku 'username:password' 'https://<manager-ip-aeddress>/api/v1/trust-management/certificates?action=import' -d 
         "pem_encoded": "xxx",
         "private_key": "yyyy"
  3. Apply the CA-signed certificate as the Kafka messaging client certificate by running the following command.
    curl -v -H "Content-Type: application/json" -ku 'username:password' 'https://<manager-ip>/api/v1/trust-management/certificates/<certificate-id>?action=apply_certificate&service_type=K8S_MSG_CLIENT'