I am a big advocate of not using the default SSL certs on any VMware products and I prefer using Signed certs from my CA server on my lab components. I have my CA server running in Windows Server 2012.
Earlier in my lab I had replaced the vSphere (Esxi + vCenter) SSL certs and if you want to know how to do it, you can read them from below links:
1: Replacing Esxi SSL Certificates
2: Replacing vCenter Server SSL Certs
If you are like me and new to replacing SSL certs and looking for how to setup a CA server, you can read it from Here for a step by step installation/configuration of CA server.
1: Introduction to VMware NSX
2: Installing and Configuring NSX Manager
3: Deploying NSX Controllers
4: Preparing Esxi Hosts and Cluster
5: Configure VXLAN on the ESXi Hosts
6: Logical Switching
7: Distributed Logical Router Tidbits
8: Installing Distributed Logical Router
9: NSX Edge Services Gateway
10: Upgrade NSX Manager From 6.2 to 6.2.4
All right lets dive into lab and look into how to replace the default SSL certs of VMware NSX.
Before starting with certs replacement, we need to create a customized certificate template in CA server prior to submitting the Certificate Signing Request (CSR) created on the NSX Manager.
You can follow VMware KB-2112009 to learn how to create certificate template. I have already created mine when I replaced SSL certs in my vSphere 6 infrastructure.
1: Login to NSX manager with the admin user. At the top you can see the Red triangle sign which indicates that certificate is not a signed cert.
2: Go to Manage > SSL Certificates and click on Generate CSR
3: Populate the information needed to generate CSR and hit OK
4: Now you download the CSR by clicking on ‘Download CSR’ button.
Note: The download does not give you a .csr file but instead gives you a file with the type “File.”
5: Open the downloaded file in a notepad. It should look like below. Copy entire contents from this file including –Begin Certificate Request— and —End Certificate Request— line
6: Login to your CA server by browsing https://FQDN_or_IP/certsrv and click on “Request a certificate”
7: Click on advanced certificate request.
8: Paste the content which you copied in step 5 under Saved Request and select the correct Certificate Template and hit Submit.
9: Select Base 64 encoded and click on Download certificate chain
10: Right click on downloaded chain file and select open, then drill down to certificates directory and in right hand side you will see your cert.
Right click on the cert which corresponds to NSX and click on Export.
11: Select Base-64 encoded X.509 in Certificate Export Wizard and hit Next.
13: Save the file as .cer file on your computer.
14: Now we need to download CA Server root certificate. From the CA Server webpage click on home on right hand side upper corner and click on “Download a CA certificate” option.
15: Select Base 64 option and click on “Download CA certificate“
16: At this point you should have 2 .cer files
We need to join these file to create a single .cer file. You can use below command to do that
copy nsxmgr.cer+Root64.cer new.cer
17: Once you have the new.cer file, log back into the NSX Manager Web Interface and select Import and provide your new.cer file.
Browse to the location where you have stored your new.cer file and hit Import button
You should now see your new certificate and root certificate as show below. Also the NSX Web UI will display a message that appliance needs a reboot for new certs to take effect.
18: Reboot the NSX appliance. Once NSX manager is UP again, log back into the UI and you should see the certificate is now showing in green color. If its shows red eve after appliance reboot just refresh the page and you should immediately see red changing to green.
And that’s it. We have successfully replaced the default self-signed certificate of NSX manager with a signed certificate obtained from our Certificate Authority.
I hope this post is informational to you. Feel free to share this on social media if it is worth sharing. Be sociable