After you install NSX, the manager nodes and cluster have self-signed certificates.
If you are using NSX Federation, additional certificates are set up to establish trust between the Local Managers and Global Manager. If you are using TLS Inspection, a certificate authority (CA) security certificate is required. For details on TLS Inspection and certificates, see TLS Inspection.
To view details of all the certificates that are installed on the system, navigate to the Certificates page.
You can perform the following actions for certificates:
- Filter certificates based on their basic parameters (such as name or path) or based on predefined filters (such as expired certificates or used certificates)
- Import certificates
- Create a certificate signing request (CSR)
- Generate self-signed certificates
- Replace self-signed certificates
- Apply certificates to services
- Delete unused certificates
- Import a certificate revocation list (CRL)
To improve the security of the system, it is recommended that you replace the self-signed certificates with CA-signed certificates.
Starting with NSX 4.2, the Certificates page also displays a dashboard that gives an at-a-glance summary of the total number of certificates, the number of expired certificates, and the totals of used and unused certificates in the system. Also, the following certificates have been consolidated:
- The APH, APH_TN, and CCP certificates have been consolidated into one.
- The API services and MGMT_CLUSTER (also known as VIP) certificates have been consolidated into one.
Certain considerations apply when you replace a consolidated certificate. For more information about these considerations, see Replace Certificates Through NSX Manager.
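The triage that the dashboard counts and the replacement recommendation above lead to, as an added example (not VMware's code and not the NSX API): it sorts a constructed certificate inventory into certificates to replace and certificates to delete. The record layout, names and dates are assumptions made for the example; the service labels are the ones named on this page.

```python
from datetime import datetime, timezone

# Constructed inventory. The record layout is an assumption made for this
# example; it is not the NSX API schema. Service labels come from the page.
INVENTORY = [
    {"name": "api-vip", "subject": "CN=nsx-mgr.example.test,O=Example",
     "issuer": "cn=NSX-MGR.example.test, O=Example",
     "not_after": "2027-03-01T00:00:00Z", "used_by": ["API", "MGMT_CLUSTER"]},
    {"name": "aph-ccp", "subject": "CN=nsx-aph.example.test,O=Example",
     "issuer": "CN=Example Issuing CA,O=Example",
     "not_after": "2024-06-01T00:00:00Z", "used_by": ["APH", "APH_TN", "CCP"]},
    {"name": "old-api", "subject": "CN=nsx-old.example.test",
     "issuer": "CN=nsx-old.example.test",
     "not_after": "2023-01-15T00:00:00Z", "used_by": []},
    {"name": "spare-ca-signed", "subject": "CN=nsx-spare.example.test",
     "issuer": "CN=Example Issuing CA,O=Example",
     "not_after": "2026-09-30T00:00:00Z", "used_by": []},
]

def dn_key(dn):
    # Normalize a DN for comparison: RDN order kept, case and spacing ignored.
    # Splitting on ',' suffices for these samples; escaped commas need a parser.
    return tuple(part.strip().lower() for part in dn.split(","))

def is_self_issued(cert):
    # Heuristic: subject equals issuer. Proving a certificate is self-signed
    # also requires verifying its signature with its own public key.
    return dn_key(cert["subject"]) == dn_key(cert["issuer"])

def is_expired(cert, now):
    expiry = datetime.strptime(cert["not_after"], "%Y-%m-%dT%H:%M:%SZ")
    return expiry.replace(tzinfo=timezone.utc) <= now

def audit(inventory, now=None):
    """Return dashboard-style counts plus one work list per action."""
    now = now or datetime.now(timezone.utc)
    used = [c for c in inventory if c["used_by"]]
    unused = [c for c in inventory if not c["used_by"]]
    return {
        "summary": {"total": len(inventory), "used": len(used), "unused": len(unused),
                    "expired": sum(is_expired(c, now) for c in inventory),
                    "self_issued": sum(is_self_issued(c) for c in inventory)},
        # Applied to a service and already expired: replace these first.
        "expired_in_use": [c["name"] for c in used if is_expired(c, now)],
        # Applied to a service, still valid, self-issued: replace with CA-signed.
        "replace_with_ca_signed": [c["name"] for c in used
                                   if is_self_issued(c) and not is_expired(c, now)],
        # Not applied to any service: candidates for deletion.
        "delete_candidates": [c["name"] for c in unused],
    }
```

Pass a fixed `now` to `audit()` to get reproducible results, for instance when comparing two inventory snapshots.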