After you install NSX, the manager nodes and cluster have self-signed certificates.

If you are using NSX Federation, additional certificates are set up to establish trust between the Local Managers and Global Manager. If you are using TLS Inspection, a certificate authority (CA) security certificate is required. For details on TLS Inspection and certificates, see TLS Inspection.

You can import certificates, create a certificate signing request (CSR), generate self-signed certificates, and import a certificate revocation list (CRL). To improve security, it is recommended that you replace the self-signed certificates with CA-signed certificates.