
NSX

How to replace the NSX API certificate with a Microsoft CA-signed certificate:

Step 1 — Generate CSR on Newport NSX Global Manager

  • System: <NSXclustermanager.domain>
  • Navigate to: System > Certificates > CSR
  • Action: Create a new certificate signing request with the following attributes:
    • Common Name: MGMT_CLUSTER <NSXclustermanager.domain>
    • Name: <NSXclustermanager.domain>
    • Organisation Unit:
    • Organisation Name:
    • Locality:
    • State:
    • Country/Region: GB
    • Algorithm: RSA
    • Key Size: 4096
    • Description: MGMT_CLUSTER REST API Certificate
    • Service option: Unselected
    • Subject Alternative Names — DNS:
      • <NSXclustermanager.domain>
      • Add all hostnames of manager and NSX nodes
    • Subject Alternative Names — IP:
      • Add all IPs of the manager VIP and the nodes
  • Export the generated CSR file (nsx.csr.pem)

Step 2 — Create new certificate template on the CA server

  • Action: Open the Certificate Authority MMC and create a new template by duplicating the Web Server template
  • Template name: NSX REST API Template
  • Settings:
    • Compatibility: Windows Server 2008 R2 / Windows 7 & Server 2008 R2
    • Extensions — Basic Constraints: Enabled
    • Validity Period: 5 years
    • Signature hash algorithm: SHA256

Step 3 — Issue the certificate template on the CA

  • Action: Add the NSX REST API Template to the list of certificate templates available for issuance on the CA

Step 4 — Configure CA permissions and submit the certificate request

  • Action: Confirm that the CA template grants the requesting user Enroll permission
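  • Run the following command on the CA server to submit the CSR and retrieve the signed certificate. The CertificateTemplate attribute takes the template name, which has no spaces, rather than the display name entered in Step 2:
    certreq -submit -attrib "CertificateTemplate:NSXRESTAPITemplate" "nsx.csr.pem" "nsxapi.cer"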
  • Output: nsxapi.cer (signed certificate)

Step 5 — Export CA certificates

  • Action: Export the root CA certificate and any intermediate CA certificates in PEM format from the CA server

Step 6 — Assemble the full certificate chain

  • Action: Combine the certificates into a single full chain PEM file in the following order:
    1. NSX signed certificate (nsxapi.cer converted to PEM)
    2. Intermediate CA certificate (if applicable)
    3. Root CA certificate
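
One way to build and sanity-check the Step 6 bundle on the CA server before uploading it in Step 8. This is an added example, not part of the original procedure; the file names intermediate.cer, root.cer and nsx-fullchain.pem are assumptions, and the chain check compares issuer and subject names only.

```powershell
# Added example. Assumed file names (not from the page): intermediate.cer, root.cer, nsx-fullchain.pem.
$ErrorActionPreference = 'Stop'

# Order required by Step 6: signed NSX certificate, intermediate CA(s), root CA last.
# Remove 'intermediate.cer' if the root CA issued the certificate directly.
$paths = @('nsxapi.cer', 'intermediate.cer', 'root.cer')

# X509Certificate2 loads both DER and Base64 (PEM) encoded .cer files.
$certs = @(foreach ($p in $paths) {
    [System.Security.Cryptography.X509Certificates.X509Certificate2]::new((Resolve-Path $p).Path)
})

# Compare two distinguished names by their encoded bytes.
function Test-SameName($a, $b) {
    [Convert]::ToBase64String($a.RawData) -ceq [Convert]::ToBase64String($b.RawData)
}

# Name chaining only: each issuer must equal the next subject. Signatures are not verified here.
for ($i = 0; $i -lt $certs.Count - 1; $i++) {
    if (-not (Test-SameName ($certs[$i].IssuerName) ($certs[$i + 1].SubjectName))) {
        throw "Chain order broken: '$($paths[$i])' was not issued by the subject of '$($paths[$i + 1])'"
    }
}
if (-not (Test-SameName ($certs[-1].IssuerName) ($certs[-1].SubjectName))) {
    throw "'$($paths[-1])' is not self-issued, so it cannot be the root CA certificate"
}

# Print the leaf SANs (OID 2.5.29.17) for comparison with the names and IPs entered in Step 1.
$san = $certs[0].Extensions['2.5.29.17']
if ($null -eq $san) { throw "'$($paths[0])' has no Subject Alternative Name extension" }
$san.Format($true)

# Re-encode every certificate as PEM (64-character lines) and write the bundle with LF endings.
$pem = foreach ($c in $certs) {
    '-----BEGIN CERTIFICATE-----'
    [Convert]::ToBase64String($c.RawData) -split '(.{64})' | Where-Object { $_ }
    '-----END CERTIFICATE-----'
}
[System.IO.File]::WriteAllText((Join-Path $PWD.Path 'nsx-fullchain.pem'), (($pem -join "`n") + "`n"))
```

If the script throws, fix the file order or the missing CA certificate before Step 8, since the bundle is only written once every check has passed.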

Step 7 — Import root CA certificate into Newport NSX

  • System: <NSXclustermanager.domain>
  • Navigate to: System > Certificates
  • Action: Import the root CA certificate using the “Import Root CA” option

Step 8 — Import signed certificate into Newport NSX

  • Navigate to: System > Certificates > CSR tab
  • Action: On the CSR created in Step 1, select the option to import the signed certificate
  • Upload: The full chain PEM file created in Step 6
  • Service option: Unticked

Step 9 — Apply the certificate to the REST VIP service

  • Service: REST VIP (MGMT_CLUSTER)
  • Action: Assign the imported signed certificate to the REST VIP API service
  • Confirm: Verify API services restart and recover on all nodes