When the NSX Application Platform is deployed, a default self-signed certificate is used. You can replace that default certificate with a CA-signed certificate and assign it to the NSX Application Platform.

You can replace the default self-signed certificate with either a CA-signed certificate with a private key or a CA-signed certificate with a CSR. While the certificate is being imported, all the services used by the NSX Application Platform are unavailable.

Prerequisites

  • You must have Enterprise Admin account privileges.
  • Ensure that no active alarms exist on the NSX Application Platform.
  • Verify that the NSX Data Center license in effect meets the minimum required.
  • Verify that you have a valid certificate with a private key or a certificate with a certificate signing request (CSR). You must generate the CSR using the NSX Manager UI, as described in the following steps.

Procedure

  1. From your browser, log in with Enterprise Admin privileges to an NSX Manager at https://<nsx-manager-ip-address>.
  2. Navigate to System > NSX Application Platform.
  3. In the bottom-left corner of the NSX Application Platform section, click Actions and select Manage CA Certificate from the drop-down menu.
  4. If you are importing a CA-signed certificate with a private key, use the following steps.
    1. In the Certificate with Private Key tab, click Import.
    2. Enter a name for the certificate.
    3. Enter the contents of the certificate in the Certificate Contents text box: click Browse, navigate to the location of the CA-signed certificate, and copy its contents into the text box.
    4. Enter the private key in the Private key text box: click Browse, navigate to where you stored the private key, and copy its contents into the text box.
    5. Click Import.
      The CA-signed certificate is imported and assigned to the NSX Application Platform.
  5. If you are importing a CA-signed certificate with CSR, use the following steps.
    1. In the Certificate with CSR tab, click Generate CSR.
    2. In the Generate CSR dialog box, enter the required information and click Generate.
      If you need to regenerate the CSR, click the delete icon next to the name of the existing CSR and click Generate CSR again.
    3. After the CSR is generated, click Download CSR PEM and submit the generated CSR form to a Certificate Authority (CA).
      The CA must sign and return a full chain certificate.
    4. After you receive the CA-signed digital identity full chain certificate, click Import in the Certificate with CSR section of the Manage CA Certificate dialog box.
    5. Click Import.
      The CA-signed certificate with CSR is imported and assigned to the NSX Application Platform.
  6. If you want to use another CA-signed certificate, click Replace.
  7. If you want to delete the CA-signed certificate, click the delete icon (trash can). When prompted, confirm that you want the CA-signed certificate deleted.
    A new default self-signed certificate is assigned by the system.
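
Because the platform services are unavailable during the import, it helps to check the PEM files on a workstation before step 4 or step 5. The following script is an added example, not VMware code: it confirms that the certificate's public key matches the private key (step 4) or the downloaded CSR (step 5), and that the returned full chain verifies on its own. It assumes OpenSSL 1.1.0 or later and a full-chain file that lists the leaf certificate first; the file names and subject names are placeholders.

```sh
#!/bin/sh
# Added example, not VMware code. Assumes the full-chain PEM lists the leaf
# certificate first. File names and subject names are placeholders.

# Print the public key (SubjectPublicKeyInfo PEM) of a cert, private key or CSR.
pub_pem() {  # $1 = x509 | pkey | req, $2 = PEM file
  case "$1" in
    x509) openssl x509 -in "$2" -noout -pubkey ;;
    pkey) openssl pkey -in "$2" -pubout ;;
    req)  openssl req -in "$2" -noout -pubkey ;;
    *)    return 2 ;;
  esac 2>/dev/null
}

# True when both files carry the same public key.
same_pubkey() {  # $1 kind, $2 file, $3 kind, $4 file
  a=$(pub_pem "$1" "$2") && b=$(pub_pem "$3" "$4") && [ -n "$a" ] && [ "$a" = "$b" ]
}

# True when the bundle has at least two certificates and the first verifies
# (signatures, validity dates) against the others, default CA directory disabled.
full_chain_ok() {  # $1 = PEM bundle
  d=$(mktemp -d) || return 2
  awk -v d="$d" '/-----BEGIN CERTIFICATE-----/ { n++ }
    n { f = d "/" (n == 1 ? "leaf" : "cas") ".pem"; print > f }' "$1"
  rc=1
  [ -s "$d/cas.pem" ] &&
    openssl verify -no-CApath -CAfile "$d/cas.pem" "$d/leaf.pem" >/dev/null 2>&1 && rc=0
  rm -rf "$d"
  return "$rc"
}

# Build constructed sample material (throwaway CA, key, CSR, signed leaf) in $1.
make_sample() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed Test CA" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=napp.example.test" \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$1/leaf.pem" 2>/dev/null &&
  cat "$1/leaf.pem" "$1/ca.pem" > "$1/fullchain.pem"
}

# Usage: sh precheck.sh fullchain.pem leaf.key        (certificate with private key)
#        sh precheck.sh fullchain.pem leaf.csr req    (certificate with CSR)
if [ "$#" -ge 2 ]; then
  same_pubkey x509 "$1" "${3:-pkey}" "$2" || { echo "public key mismatch"; exit 1; }
  full_chain_ok "$1" || { echo "chain incomplete or invalid"; exit 1; }
  echo "ok to import"
fi
```

A leaf certificate returned without its issuing certificates fails the chain check, which is the case the full chain requirement in step 5 is meant to prevent.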