You can enable or disable the Extended Key Usage (EKU) Extension and the Certificate Revocation List Distribution Point (CDP) validation checks that NSX performs while importing a certificate.
Note: If you have CA-signed certificates without a CDP then you might have problems after upgrade. To avoid this problem you can turn CRL checking off or replace the certificates with certificates that include a CDP.
To set validation checks, use the following API with payload. For more information about the API, see the NSX API Guide.
PUT https://<manager>/api/v1/global-configs/SecurityGlobalConfig { "crl_checking_enabled": false, "ca_signed_only": false, "eku_checking_enabled":false, "resource_type":"SecurityGlobalConfig", "revision": 0 }
Where:
- crl_checking_enabled: Enabled by default to check CDP specified in the imported CA-signed certificate. Support includes HTTP based CRL-DP only. File or LDAP-based options are not supported.
- ca_signed_only: Disabled by default. It allows checks signed by CA only.
-
eku_checking_enabled: Disabled by default. It checks for EKU Extension in the imported certificate.
- revision: The current revision of the resource that must be included in a request. To obtain the value of this parameter issue a GET operation.