A certificate signing request (CSR) is an encrypted text that contains specific information, such as organization name, common name, locality, and country. You send the CSR file to a certificate authority (CA) to apply for a digital identity certificate.
By default, the NSX CSR generation UI and API do not support the SAN field. To create a CSR with SAN, you can use an experimental API, /api/v1/trust-management/csrs-extended. For more information, see the NSX API Guide.
- With admin privileges, log in to NSX Manager.
- Select .
- Click the CSRs tab.
- Click Generate CSR and select Generate CSR or Generate CA CSR from the dropdown menu.
- Complete the file details.
  - Common Name: Enter the fully qualified domain name (FQDN) of your server. For example, test.vmware.com.
  - Name: Assign a name for your certificate.
  - Organization Unit: Enter the department in your organization that is handling this certificate. For example, IT department.
  - Organization Name: Enter your organization name with applicable suffixes. For example, VMware Inc.
  - Locality: Add the city in which your organization is located. For example, Palo Alto.
  - State: Add the state in which your organization is located. For example, California.
  - Country: Add your organization location. For example, United States (US).
  - Algorithm: Set the encryption algorithm for your certificate.
    - RSA encryption: used for digital signatures and encryption of the message.
    - ECDSA (Elliptic Curve Digital Signature Algorithm) encryption: used for EAL4+ compliance. This algorithm performs more efficiently than the RSA algorithm.
  - Key Size: Set the key bits size of the encryption algorithm.
    - For RSA, the default value, 2048, is adequate unless you specifically need a different key size. Other supported sizes are 3072 and 4096. Many CAs require a minimum value of 2048. Larger key sizes are more secure but have a greater impact on performance.
    - ECDSA typically uses the Advanced Encryption Standard with a 256-bit key in Galois/Counter mode (AES 256 GCM). Other key sizes include 384 and 521 bits.
  - Description: Enter specific details to help you identify this certificate at a later date.
- Click Save.
  A custom CSR appears as a link.
- Select the CSR, then click Actions to select one of the following options:
  - Import Certificate for CSR
  - Self Sign Certificate for CSR
  - Download CSR PEM
If you selected Download CSR PEM, you can save the CSR PEM file for your records and CA submission. Use the contents of the CSR file to submit a certificate request to the CA in accordance with the CA enrollment process. For the other two options, refer to the topics Import a Certificate for a CSR and Create a Self-Signed Certificate.
The CA creates a server certificate based on the information in the CSR file, signs it with its private key, and sends you the certificate. The CA also sends you a root CA certificate.
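A pre-submission check for the downloaded CSR PEM, as an added example rather than VMware code: it uses the openssl CLI (assumed installed, 1.1.1 or later for `-addext`) to confirm the self-signature, the key size, and whether a SAN was requested, since the default NSX UI does not support the SAN field. The function names and the sample CSRs are constructed for illustration.

```bash
#!/bin/sh
# Added example: checks on a CSR PEM before submitting it to a CA.

# Succeeds if the CSR's self-signature verifies.
csr_sig_ok() {
  openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# Prints the public key size in bits as reported by openssl.
csr_key_bits() {
  openssl req -in "$1" -noout -text 2>/dev/null |
    sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit.*/\1/p'
}

# Succeeds if the CSR requests a subjectAltName extension.
csr_has_san() {
  openssl req -in "$1" -noout -text 2>/dev/null |
    grep -q 'X509v3 Subject Alternative Name'
}

# Runs all checks, prints one line per finding, returns non-zero on any failure.
# $1 = CSR PEM file, $2 = minimum key size in bits (default 2048, for RSA).
csr_precheck() {
  csr=$1; min_bits=${2:-2048}; rc=0
  csr_sig_ok "$csr" || { echo "FAIL: self-signature does not verify"; rc=1; }
  bits=$(csr_key_bits "$csr")
  [ "${bits:-0}" -ge "$min_bits" ] ||
    { echo "FAIL: key is ${bits:-?} bits, need $min_bits"; rc=1; }
  csr_has_san "$csr" || { echo "FAIL: no subjectAltName requested"; rc=1; }
  if [ "$rc" -eq 0 ]; then echo "OK: $(openssl req -in "$csr" -noout -subject)"; fi
  return "$rc"
}

# Constructed sample input: throwaway key plus CSR built from the page's
# example values. $1 = output path, $2 = optional SAN (e.g. DNS:test.vmware.com).
make_sample_csr() {
  out=$1; san=${2:-}
  set -- -new -newkey rsa:2048 -nodes -keyout "$out.key" -out "$out" \
    -subj "/C=US/ST=California/L=Palo Alto/O=VMware Inc/OU=IT department/CN=test.vmware.com"
  if [ -n "$san" ]; then set -- "$@" -addext "subjectAltName=$san"; fi
  openssl req "$@" 2>/dev/null
}

# Demo: the first constructed CSR has no SAN, the second does.
tmp=$(mktemp -d)
make_sample_csr "$tmp/nosan.csr"
make_sample_csr "$tmp/san.csr" "DNS:test.vmware.com"
csr_precheck "$tmp/nosan.csr" || true
csr_precheck "$tmp/san.csr" || true
```

For an ECDSA CSR, pass the curve size as the second argument, for example `csr_precheck request.pem 256`.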