Applying a new SSL certificate to your NSX Manager really couldn’t be easier and, as the NSX Manager is part of a wider, security orientated product, we might as well do things properly and apply one!
First of all, and if already not in place, we’ll need to create a new Microsoft CA Template for SSL in vSphere. To do this, please take a look at VMware KB article 2112009. The procedure itself is a simple one, and I make reference below to a vSphere 6.x SSL certificate template, so it’s worth pointing out. This template was created using the aforementioned VMware KB.
To replace the NSX Manager SSL certificate, and to cert against your CA of choice, simply follow the below process.
1. Login to NSX Manager and click Manage Appliance Settings.
2. Browse to Settings > SSL Certificates and click Generate CSR.
3. Complete the CSR and click OK.
4. Download the new CSR, open via text editor, and copy the CSR text.
5. Browse to your CA and click Request a certificate.
6. Click advanced certificate request.
7. Click Submit a certificate request….
8. Paste the CSR, select your Certificate Template, and click Submit >.
9. Select Base 64 encoded and click Download certificate chain.
10. Launch your newly created chain file and browse to Certificates.
11. Right-click your certificate, select All Tasks > Export, and once the Certificate Export Wizard launches, click Next.
12. Select Base-64 encoded X.509 (.CER) and click Next.
13. Provide a File name and click Next.
14. Review the specified settings and click Finish.
15. Confirm the export was successful and click OK.
16. Repeat steps 10-15 above and export the root certificate also.
17. Combine the certificate chain (nsxmanager.cer and root.cer) via the below command prompt:
copy nsxmanager.cer + root.cer nsxmanagerchain.cer
18. Jump back over to your NSX Manager, browse to Settings > SSL Certificates, and click Import.
20. When requested, reboot your NSX Manager.
In a nutshell, applying an SSL cert the NSX Manager appliance couldn’t be easier and, as this is a security device, it isn’t a bad idea to fully secure it.