You can now use a built-in trusted certificate authority (CA) bundle as the chain of trust for TLS Inspection, so that advanced security services such as IDS/IPS, URL filtering, malware prevention, and granular App ID can operate on decrypted traffic.

You can use the built-in CA bundle, default_trusted_public_ca_bundle, for TLS inspection and decryption on gateway firewalls.

For external services, TLS Proxy requires a configured trusted CA bundle to validate the certificate that an external service presents to it. You configure External_Decryption_Profile.trusted_ca_bundles with one or more CA bundles, where each bundle is a list of CA certificates; at least one bundle is required. Typically, external services use certificates issued by well-known public CAs such as Verisign and DigiCert, so for ease of configuration NSX includes a built-in default_trusted_public_ca_bundle that contains a list of widely used CA certificates, much as operating systems ship with the popular public CAs pre-installed. You can update this bundle, or you can create your own CA bundle and use it instead. Because every certificate in a trusted bundle becomes a trust anchor, a certificate that chains to any CA in the bundle is accepted for external services, so add only CAs you actually trust (for example, your private PKI for internal services), and remove CAs you no longer need.

You can perform the following tasks in NSX. To find Trusted CA Bundles, select System > Certificates > Trusted CA Bundle.
  • Validate TLS inspection and decryption using the default trusted CA bundle.
  • View all certificates in a CA bundle, including their basic details, and filter the list using the View All Certificates button.
  • Search a bundle for expired, expiring, valid, used, and unused certificates using the View All Certificates button.
  • Edit the CA bundle display name and add or remove certificates from the bundle.
  • Export a CA bundle for inclusion on other devices.
  • Copy the CA bundle path to the clipboard, for example to reference the bundle from a decryption profile.
  • Import a new trusted CA bundle using the Import CA Bundle button.
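The following is an added example, not part of the NSX documentation or product, showing with openssl what "validating an external service's certificate against a trusted CA bundle" and "searching a bundle for expiring certificates" amount to, so you can check a bundle before importing it or after exporting it. It builds a throwaway bundle from constructed CAs (Example Root CA, Example Short-Lived CA, and an Untrusted CA that is deliberately left out of the bundle); the file names, common names, and the hostname service.example.test are all assumptions made for the demo. Verification includes a hostname check, since a certificate that chains to a trusted CA is still not the right certificate if its name does not match the service.

```shell
#!/usr/bin/env bash
# Added example (not NSX code): exercise a PEM CA bundle with openssl.
# All CAs, certificates, file names and hostnames are constructed for this demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config so the demo does not depend on the system openssl.cnf.
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:service.example.test
EOF

# make_ca FILE CN DAYS: self-signed CA -> $WORK/FILE.pem and $WORK/FILE.key
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days "$3" -subj "/CN=$2" \
    -config "$WORK/openssl.cnf" -extensions ca_ext \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# make_leaf CAFILE OUTFILE DAYS: server certificate for service.example.test
# signed by the given CA (the kind of certificate an external service presents).
make_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=service.example.test" \
    -config "$WORK/openssl.cnf" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days "$3" -extfile "$WORK/openssl.cnf" -extensions leaf_ext \
    -out "$WORK/$2.pem" 2>/dev/null
}

# verify_against_bundle BUNDLE CERT HOSTNAME: what a trusted bundle is for.
# Succeeds only if CERT chains to a CA in BUNDLE and its name matches HOSTNAME.
verify_against_bundle() {
  if openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1; then
    return 0
  fi
  return 1
}

# split_bundle BUNDLE OUTDIR: a bundle is a list of PEM certificates; write
# each one to OUTDIR/certN.pem so it can be inspected on its own.
split_bundle() {
  mkdir -p "$2"
  awk -v dir="$2" '/-----BEGIN CERTIFICATE-----/ { n++ } n { print > (dir "/cert" n ".pem") }' "$1"
}

# bundle_status BUNDLE SECONDS: print one line per CA, OK or EXPIRING when the
# certificate expires within SECONDS (the expired/expiring search, done by hand).
bundle_status() {
  local dir c subj
  dir="$(mktemp -d)"
  split_bundle "$1" "$dir"
  for c in "$dir"/cert*.pem; do
    subj="$(openssl x509 -in "$c" -noout -subject)"
    if openssl x509 -in "$c" -noout -checkend "$2" >/dev/null; then
      echo "OK       $subj"
    else
      echo "EXPIRING $subj"
    fi
  done
  rm -rf "$dir"
}

# Build the demo bundle: a long-lived root plus a CA that expires within a day.
make_ca root "Example Root CA" 3650
make_ca shortlived "Example Short-Lived CA" 1
make_ca rogue "Untrusted CA" 3650            # deliberately NOT placed in the bundle
make_leaf root server 365                    # chains to a trusted CA
make_leaf rogue rogue_server 365             # chains to a CA the bundle does not trust
cat "$WORK/root.pem" "$WORK/shortlived.pem" > "$WORK/bundle.pem"

bundle_status "$WORK/bundle.pem" $((30*24*3600))
verify_against_bundle "$WORK/bundle.pem" "$WORK/server.pem" service.example.test \
  && echo "server.pem: trusted by bundle"
verify_against_bundle "$WORK/bundle.pem" "$WORK/rogue_server.pem" service.example.test \
  || echo "rogue_server.pem: rejected (issuer not in bundle)"
```

To check a bundle exported from NSX, point bundle_status at the exported PEM file; to confirm an external service would be accepted before you import a custom bundle, fetch the service's certificate (for example with openssl s_client -showcerts) and pass it to verify_against_bundle with the hostname you will connect to.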