Replace NSX Manager SSL Certificate

This process was used to replace the self-signed certificate on NSX Manager 6.2 with a Certificate Authority (CA) signed certificate.

I have a Microsoft Windows 2012 R2 Root CA already in-place.

You need to create a customised vSphere 6.0 CA template prior to submitting the Certificate Signing Request (CSR) created on the NSX Manager. Follow this VMware KB article to create the template.

Log into your NSX Manager with the Admin username and password.

Click the Manage Appliance Settings tab.

Under Settings, click SSL Certificates.

Click the Generate CSR tab and populate with your information. My CSR is shown below.

Click the OK button and it will generate your CSR.

You can now download your CSR, click the Download CSR tab.

Open the downloaded CSR in Notepad.

Grab the entire text including the ‘—‘ at the start and end.

Now submit the CSR to your CA. In my case the CA is installed on my lab Domain Controller. The URL to hit is: http://labdc01.lab.local/certsrv

I select Request a Certificate, followed by Advanced Certificate Request. Make sure you select the vSphere 6.0 Template.

Now click download the certificate, click the Base 64 Encoded option and click the Download Certificate Chain option.

You also want to download the Root CA certificate.

You need to combine both of these certificates into one to upload into NSX Manager as a .CER file. Make sure any Intermediate CAs are included (if required).

You can merge the files by running this from the command prompt:

copy nsxlab01.cer+ca.cer FullChain.cer

Go back to the NSX Manager SSL Certificates page click the Import tab.

Click Choose File and browse to your FullChain.cer certificate file and click Import. If your certificates are correct it will populate the issuer details as shown below.

Reboot your NSX Manager appliance for the changes to be applied.

Once the reboot is complete hit the URL for your NSX Manager and confirm that your certificate is now trusted.