VMware NSX Manager SSL certificate – a how-to guide

VMware NSX has been hot since the day it was released and I personally couldn’t wait to get my hands on it. In my current project we are using VMware NSX to secure the backend environment. When you deploy VMware NSX and talk about security, you can’t walk away saying self-signed certificates are fine, can you? So we went on to secure the web services.

There are more blogs about this, I noticed, but they all assume you know which certificate template to use, and that was, as far as I could find, not documented anywhere. So I thought I’d include that part as well, so that you are set to go and are sure to finish with a signed certificate.

Create a certificate template

So the first thing we need to do is create a certificate template. It is actually the same template you would use for VMware vSphere 6, but it would be nice if that were documented somewhere. First I tried the default Web Server certificate template, but that one failed; my second try was the vSphere 6 one, as I presumed that was how VMware might have designed it.

To create your vSphere 6 certificate template, follow these steps:

  • Open the Certificate Authority console – at your CA or intermediate CA.
  • Right click on “Certificate Templates” and pick “Manage” from the list
  • There is a “web server” certificate template, right click it and pick “Duplicate”
  • Now change the name to “vSphere 6” or perhaps “NSX” if you want to create different templates for each role.
  • Click on the “Extensions” tab
  • Click on “Application policies” and remove “Server Authentication”
  • Click on “Key usage” and select “Edit”
  • Mark the checkbox that says “Signature is proof of origin (nonrepudiation)”
  • Click on the “Subject name” tab
  • Make sure the “Supply in request” is selected
  • Click on the “Compatibility” tab
  • Select Windows 2003 for both options.
  • Close the window
  • Again right click on “Certificate Templates” and select “New” – “Certificate Template to Issue”
  • Pick the “vSphere 6” template

Now you’re all set to get going.

SSL certificate VMware NSX manager appliance

First we log on to the appliance and create a certificate request. Follow these steps to create the certificate request:

  • Log on to the VMware NSX Manager appliance
  • Click on “Manage” in the left menu bar
  • Click on “SSL Certificates”
  • Click on “Generate CSR”

The following pop-up will open; fill in the blanks, I would say. The good thing about doing it from the manager is that the key file (the private key) stays with the manager. You can also create the certificate request offline with OpenSSL if you like, but this is far easier.

So at the end you have a CSR file that you can submit to your internal certificate authority. By the way, the file you get has the extension .File and not .CSR as you would expect; a .File can of course still be opened with Notepad. Follow these steps to submit the request:

  • Browse to http://CA-FQDN/CertSRV
  • Click on “Request a Certificate”
  • Click on “Advanced certificate request”
  • Paste the content of the CSR, as seen below, in the box
  • Select the vSphere 6 certificate template and move on

  • Select “Base 64 encoded”
  • Click on “Download certificate chain”

Now comes the interesting part; all the steps above are things you’ve done zillions of times 🙂 So the certificate chain is downloaded and jumps onto your screen to be opened. Open it, as we need to extract all the certificates in there to complete what we are doing: securing the VMware NSX Manager web services.

Once you have opened it you will see the certificates in a certificate management screen like this; browse down until you see all of them. Here we have the NSX.CER but also the ROOT.CER and the SUB.CER. We use an offline root CA and work with an intermediate certificate authority, so if you are in a similar scenario, be aware that you need to present the whole chain to get it working.

Now we need to export all three of them to real files. Right click on each one of them and select “All Tasks” – “Export”.

Make sure you select Base 64 again as you proceed; just remember that with VMware you always (I can’t think of a case where not) need Base 64. So now that we have all the files exported, we have the NSX Manager certificate, the root certificate and, in our scenario, the intermediate certificate. We can’t present them like this to the manager, so we need to create a chain.

Creating a chain is a breeze, but you do need to do it. Open a command prompt and browse to the folder containing all the files. The order matters: the NSX Manager certificate comes first, then the intermediate certificate(s), then the root certificate, so make sure that you have intermediate before root. Using the file names from the export above, the command is:

copy NSX.cer+SUB.cer+ROOT.cer Chain.cer

Any extra intermediate certificates go between SUB.cer and ROOT.cer, in the same form.

When you look in the folder afterwards you will see that one file has been added, named Chain.cer, and if you open it you will see all the other files neatly copied in there below each other. This method is easier than copying manually, as you might get an extra space in there and that would break things.
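To check the Chain.cer you just built before handing it to the manager (the “Invalid certificate chain specified. Please specify valid PEM encoded certificate chain.” error mentioned in the comments is usually one of these), here is an added example, not from the original post, that builds the chain in the leaf, intermediate, root order and lints the result with the Python standard library only. The function names and the dummy PEM blocks are my own constructions; the blocks are not real certificates.

```python
import base64
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
# One PEM block: markers on their own lines, Base64 body in between (CRLF tolerated).
BLOCK_RE = re.compile(re.escape(BEGIN) + r"\r?\n(.*?)\r?\n" + re.escape(END), re.S)


def normalize(pem):
    """Return a single certificate as a clean PEM block with LF endings and a final newline."""
    match = BLOCK_RE.search(pem)
    if not match:
        raise ValueError("no PEM block found: was the certificate exported as DER instead of Base-64?")
    body = "".join(line.strip() for line in match.group(1).splitlines())
    base64.b64decode(body, validate=True)  # raises on stray spaces or non-Base64 characters
    return "\n".join([BEGIN, *[body[i:i + 64] for i in range(0, len(body), 64)], END]) + "\n"


def build_chain(leaf_pem, intermediate_pems, root_pem):
    """Concatenate in import order: NSX Manager cert, then intermediate(s), then root."""
    return "".join(normalize(p) for p in [leaf_pem, *intermediate_pems, root_pem])


def lint_chain(text):
    """Return the problems found; an empty list means the file looks like a valid PEM chain."""
    problems = []
    if "\x1a" in text:
        problems.append("Ctrl-Z present (cmd's copy appends one in ASCII mode; use copy /b)")
    if re.search("[^\n]" + re.escape(BEGIN), text):
        problems.append("BEGIN marker fused onto the previous line (missing newline between certificates)")
    begins, ends = text.count(BEGIN), text.count(END)
    if begins != ends:
        problems.append(f"{begins} BEGIN markers but {ends} END markers")
    if begins < 2:
        problems.append("fewer than two certificates: leaf, intermediate(s) and root must all be present")
    for index, body in enumerate(BLOCK_RE.findall(text), start=1):
        try:
            base64.b64decode("".join(body.splitlines()), validate=True)
        except ValueError:
            problems.append(f"certificate {index} body is not clean Base64 (stray space or DER bytes?)")
    return problems


def constructed_block(label):
    """Constructed dummy PEM block for demonstration only; it is NOT a real certificate."""
    body = base64.b64encode(f"constructed test data, not a certificate: {label}".encode()).decode()
    return f"{BEGIN}\r\n{body}\r\n{END}\r\n"  # CRLF endings, as a Windows export would have


if __name__ == "__main__":
    nsx, sub, root = (constructed_block(n) for n in ("NSX", "SUB", "ROOT"))
    chain = build_chain(nsx, [sub], root)
    print("clean chain:", lint_chain(chain) or "OK")
    print("fused chain:", lint_chain(chain.replace(END + "\n" + BEGIN, END + BEGIN)))
```

To check a real Chain.cer, read the file and pass its text to lint_chain; the leaf/intermediate/root order itself cannot be verified without parsing the certificates, so keep the copy order from the step above.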

Like the French would say: voilà.

So now comes the pièce de résistance, or in plain English the main dish: present this Chain.cer to the VMware NSX Manager appliance and secure it.

Follow these steps to import it:

  • Log on to the VMware NSX Manager appliance
  • Click on “Manage” in the left menu bar
  • Click on “SSL Certificates”
  • Click on “Import”
  • Select the “Chain.cer” file you just created

If all went well you will see the screen shown above, and the certificate chain is correctly recognised. As the English say, the proof of the pudding is in the eating, so let’s see how this one tastes and start the manager. As you can see, the NSX Manager appliance is secured; job well done.

Securing a VMware NSX Manager appliance is damn easy, but I noticed that some of the documentation VMware provided was missing some info. I hope that my article is a guide for you when you deploy for the first time.

10 thoughts on “VMware NSX Manager SSL certificate – a how-to guide”
  1. Hi, you state that your first try based on a Web Server certificate template failed. What was the specific issue with that?

    1. Hi Carlo,

      It was more trial and error, as the documentation lacked information on which certificate or which params are needed.
      I tried the web server (basic one) first as it is a web service, but it failed to apply, so I used the vSphere one and that worked.

      Hope this helps

  2. Hi, I followed all steps; however, I am getting the “Invalid certificate chain specified. Please specify valid PEM encoded certificate chain.” error. Any idea what could lead to this issue?

    1. Hi,

      That could be a lot of reasons, but the first one that comes to mind is that you had the order of intermediate and root wrong when copying.
      The other idea would be that you didn’t select Base64, but both are just guesses.
      My blog was written 2 years ago; perhaps things changed in between. Working at Citrix now, I’m not seeing that much of NSX anymore, but those are the things I would check.

      Good luck and let me know the outcome (still interested)

  3. Hi Rob, this was due to a time difference between the CA’s time and the NSX’s time. Once NSX’s time was synced with vCenter it worked as expected. Thanks

    1. Hi Saroj,

      It’s been a while since I touched NSX. I approved your comment as it might help others.
      If you have further questions I would recommend reaching out on Twitter to e.g. Ronald De jong (Ronald_DJ_PQR);
      he is someone who is current on NSX.
