You can create a self-signed service or non-service certificate. However, using a self-signed certificate is less secure than using a trusted certificate.

When you use a self-signed certificate, the client user receives a warning message such as "Invalid Security Certificate". The client user must then accept the self-signed certificate when first connecting to the server in order to proceed. Allowing client users to select this option provides less security than other authorization methods.


Verify that a CSR is available. See Create a Certificate Signing Request File.


  1. With admin privileges, log in to NSX Manager.
  2. Select System > Certificates.
  3. Click the CSRs tab.
  4. From your selected CSR, click Available actions and select Self Sign Certificate for CSR.
    Note: If you have a self-signed CA CSR, NSX Manager always creates a CA CSR.
  5. Enter the number of days the self-signed certificate is valid.
    The default is 825 days. Even if you change this value for a previously generated self-signed certificate, the default value is displayed every time you generate a new certificate.
  6. Choose your Service Certificate type.
    1. Toggle the Service Certificate button to Yes to use this certificate for services such as load balancer, VPN, or TLS Inspection. If you are creating a self-signed CA certificate, Yes is the only choice.
    2. Toggle the Service Certificate button to No to use this certificate with NSX Manager appliance nodes.
  7. Click Save.


The self-signed certificate appears in the Certificates tab.
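
To see what a certificate produced this way looks like, and how to check it before client users are asked to accept the warning, the following reproduces the operation locally with OpenSSL and records a fingerprint that users can compare out of band. This is an added example, not VMware code or the NSX Manager implementation. It assumes the `openssl` CLI is installed; the host name, file names, and helper functions are constructed for illustration.

```shell
#!/bin/sh
# Added example: OpenSSL analogue of "Self Sign Certificate for CSR".
# Host name, file names and helper names are constructed for illustration.
set -eu

WORK=$(mktemp -d)
DAYS=825            # default validity named in step 5

make_csr() {        # stand-in for the CSR created beforehand
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/key.pem" \
    -subj "/CN=nsx-mgr.example.test" -out "$WORK/req.csr" 2>/dev/null
}

self_sign() {       # sign the CSR with the private key it was generated from
  openssl x509 -req -in "$WORK/req.csr" -signkey "$WORK/key.pem" \
    -days "$DAYS" -sha256 -out "$WORK/cert.pem" 2>/dev/null
}

is_self_signed() {  # issuer == subject and the signature verifies under its own key
  subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
  issr=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
  [ "$subj" = "$issr" ] && openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

valid_for_days() {  # true if the certificate is still valid $2 days from now
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

fingerprint() {     # SHA-256 fingerprint to hand to client users out of band
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

matches_pin() {     # compare the presented certificate with the recorded value
  [ "$(fingerprint "$1")" = "$2" ]
}

make_csr
self_sign
is_self_signed "$WORK/cert.pem" && echo "self-signed: yes"
valid_for_days "$WORK/cert.pem" 824 && echo "valid for at least 824 more days"
echo "SHA-256 fingerprint: $(fingerprint "$WORK/cert.pem")"
```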