Replace NSX Manager SSL Certificate

This process was used to replace the self-signed certificate on NSX Manager 6.2 with a Certificate Authority (CA) signed certificate.

I have a Microsoft Windows 2012 R2 Root CA already in-place.

You need to create a customised vSphere 6.0 CA template prior to submitting the Certificate Signing Request (CSR) created on the NSX Manager. Follow this VMware KB article to create the template.

Log into your NSX Manager with the Admin username and password.

Click the Manage Appliance Settings tab.

Under Settings, click SSL Certificates.

Click the Generate CSR tab and populate with your information. My CSR is shown below.


Click the OK button and it will generate your CSR.

You can now download your CSR, click the Download CSR tab.

Open the downloaded CSR in Notepad.

Grab the entire text including the ‘—‘ at the start and end.


Now submit the CSR to your CA. In my case the CA is installed on my lab Domain Controller. The URL to hit is: http://labdc01.lab.local/certsrv

I select Request a Certificate, followed by Advanced Certificate Request. Make sure you select the vSphere 6.0 Template.


Now click download the certificate, click the Base 64 Encoded option and click the Download Certificate Chain option.

You also want to download the Root CA certificate.

You need to combine both of these certificates into one to upload into NSX Manager as a .CER file. Make sure any Intermediate CAs are included (if required).

You can merge the files by running this from the command prompt:

copy nsxlab01.cer+ca.cer FullChain.cer


Go back to the NSX Manager SSL Certificates page click the Import tab.

Click Choose File and browse to your FullChain.cer certificate file and click Import. If your certificates are correct it will populate the issuer details as shown below.


Reboot your NSX Manager appliance for the changes to be applied.

Once the reboot is complete hit the URL for your NSX Manager and confirm that your certificate is now trusted.


  1. […] Click on the Manage tab. You want to configure your time zone (under time settings). Also in production I would deploy a CA signed certificate, but have not documented this here as it is not in the exam blue print – but I will swing back and do this soon and update the blog (21/09/2016 which I have done and here is the blog). […]



  2. […] How to Replace NSX Manager Self-Signed Certificate with CA Signed Certificate […]



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: