There are three categories of self-signed certificates in NSX.
- Platform Certificates
- NSX Services Certificates
- Principal Identity Certificates
Refer to the following sections for details on each certificate category. Other types of certificates might be present in NSX. Refer to that component or application documentation for details on their certificates.
Platform Certificates
After you install NSX, navigate to to view the platform certificates created by the system. By default, these self-signed X.509 RSA 2048/SHA256 certificates get used for internal communication within NSX and for external authentication when you use NSX Manager to access the APIs or the UI.
The internal certificates are not viewable or editable.
If VMware Cloud Foundation™ (VCF) was used to deploy NSX, the default NSX API and Cluster certificates get replaced with CA certificates signed by the VMware Certificate Authority (VMCA) from vCenter. The API and Cluster certificates might still display in the certificate list, but are not used. Replace the CA-signed certificates using the procedure in the VCF Administration Guide. After you perform the replacement, your NSX Manager stores in the UI contain the API and Cluster certificates, the VMCA CA certificates, and the signed certificates by the third-party organization. From then on, the NSX Manager uses the signed certificate from your organization.
Naming Convention in NSX Manager | Purpose | Replaceable? | Default Validity |
---|---|---|---|
API (previously known as tomcat) | This serves as a server certificate for the API/UI client reaching the NSX Manager HTTPS port (port 443). | Yes. See Replace Certificates Through API | 825 days |
Cluster (previously known as mp-cluster) | This certificate serves as a server certificate for API/UI client reaching the HTTPS port of the cluster VIP (port 443) when a VIP is used for an NSX Manager cluster. | Yes. See Replace Certificates Through API | 825 days |
Other certificates | Certificates specifically for other purposes including NSX Federation, Cluster Boot Manager (CBM), and Central Control Plane (CCP). | See Certificates for NSX and NSX Federation for details on self-signed certificates auto-configured for NSX and NSX Federation environments. |
Varies |
NSX Service Certificates
NSX service certificates are user-facing for services such as load balancer, VPN, and TLS Inspection. The policy API manages service certificates. Non-service certificates are used by the platform for tasks such as cluster management. The management plane (MP) or truststore APIs manage non-service certificates.
When adding service certificates using the policy API, the certificate gets sent to the MP/truststore API, but not with the relationship reversed.
NSX service certificates cannot be self signed. You must import them. See Importing Certificates for instructions.
You can generate a root certificate authority (CA) certificate and a private key based on RSA. CA certificates are able to sign other certificates.
You can use a certificate signing request (CSR) as an NSX service certificate if it is signed by a CA (a local CA or a public CA like Verisign). Once the CSR is signed, you can import that signed certificate into NSX Manager. A CSR can be generated on NSX Manager or outside of NSX Manager. The Service Certificate flag is deactivated for CSRs generated on NSX Manager. Therefore, the signed CSRs cannot be used as service certificates, but only as platform certificates.
Platform and NSX service certificates are stored separately within the system and certificates imported as NSX service certificate cannot be used for platform or the reverse.
Principal Identity (PI) Certificates
API requests use PI certificates. PI certificates are one of the NSX Manager authentication mechanisms. Any NSX Manager client can create and use a PI certificate. It is the preferred approach for machine-to-machine communication.
PI for Cloud Management Platforms (CMP), such as Openstack, uses X.509 certificates that are uploaded when onboarding a CMP as a client. For information on assigning roles to Principal Identity and replacing PI certificates, see Add a Role Assignment or Principal Identity
PI for NSX Federation uses X.509 platform certificates for the Local Manager and Global Manager appliances. See Certificates for NSX and NSX Federation for details on self-signed certificates auto-configured for NSX Federation.