NSX Manager SSL certificate replacement with CA

During my study for the VCIX-NV exam I was writing a post on using the REST API client in Google Chrome when I hit an issue connecting to my NSX Manager via the API call. The error message that I received was below.

Could not get any response
This seems to be like an error connecting to https://nsxmanager.vcloud.local/api/2.0/services/ssoconfig. The response status was 0.
Check out the W3C XMLHttpRequest Level 2 spec for more details about when this happens.

After checking the certificate on NSX Manager, I noticed that the certificate showed localhost rather than the actual hostname for the NSX Manager, which in my case is nsxmanager.vcloud.local.
To resolve this I had to implement a new CA signed certificate on the NSX Appliance so I thought I would document the process for anyone that was experiencing similar issues, or just wanted to replace their NSX Manager Certificate with a CA certificate.
Step 1. Log into the NSX Manager Web interface and navigate to Manage -> SSL Certificates and select Generate CSR. Fill out the appropriate information as shown below.
Step 2. Then select the Download CSR button to save your signing request. The download does not give you a .csr file but instead gives you a file with the type “File.”
Step 3. Open the certificate with Notepad and you should see something similar to:


Step 4. Copy and paste the entire contents of that file and go get the certificate signed by your CA. If you have an Internal Microsoft CA, I have provided the steps below. First log into your Microsoft Active Directory Certificate Server Web Server by navigating to http://FQDN_or_IP/certsrv (I used localhost as I was on the Active Directory CA server). Click on Request a certificate.
Step 5. Select advanced certificate request
Step 6. Paste the contents from your NSX Certificate Signing Request (CSR), select your Certificate Template, then click Submit
Step 7. Select Base 64 encoded and Download certificate chain
Step 8. Open up the chain file and drill down to Certificates
Step 9. Right Click on the nsxmanager certificate and select All Tasks -> Export
Step 10. Click Next on the Wizard, then select Base-64 encoded X.509 (.CER) and hit Next
Step 11. Provide a File Name (I used nsxmanager.cer) then hit Next then Finish
Step 12. Follow the same steps above to export your root certificate (I named mine root.cer).
Step 13. You should now have an nsxmanager.cer and a root.cer. You will need to combine these two files to a file called chain.cer. You can do that by opening a command prompt, navigating to the directory, and running the following command.

copy nsxmanager.cer+root.cer chain.cer

Step 14. Once you have the chain.cer, log back into the NSX Manager Web Interface and select Import and provide your chain.cer file. You should now see your new certificate and root certificate as shown below.
Step 15. In order for my certificate to show up properly, I had to reboot NSX Manager. Once that was complete, I could see the trusted certificate.
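
An added example, not part of the original post: a Python check to run on chain.cer after Step 13 and before the import in Step 14. It inspects file structure only (stray bytes from text-mode concatenation or an editor re-save, fused END/BEGIN lines, block count, Base64 and outer DER framing) and does not verify signatures or issuer order. The function names and the sample data are constructed for illustration.

```python
import base64
import re
import sys

PEM_BLOCK = re.compile(rb"-----BEGIN CERTIFICATE-----\r?\n(.*?)\r?\n-----END CERTIFICATE-----", re.S)

def der_is_complete(der):
    """True if der is exactly one DER SEQUENCE (the outer shell of an X.509 certificate)."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    n = der[1]
    if n < 0x80:                       # short-form length: the byte is the length
        return 2 + n == len(der)
    n &= 0x7F                          # long-form: low 7 bits = number of length bytes
    return 0 < n <= len(der) - 2 and 2 + n + int.from_bytes(der[2:2 + n], "big") == len(der)

def check_chain(data, expected_certs=2):
    """Return a list of structural problems in a concatenated PEM chain (empty list = none)."""
    problems = []
    if data.startswith((b"\xef\xbb\xbf", b"\xff\xfe", b"\xfe\xff")):
        problems.append("file starts with a byte-order mark (re-saved from an editor as UTF-8/UTF-16)")
    if b"\x1a" in data:
        problems.append("contains Ctrl-Z (0x1A), which text-mode 'copy a+b' appends; 'copy /b' avoids it")
    if re.search(rb"-----END CERTIFICATE-----[ \t]*-----BEGIN", data):
        problems.append("END and BEGIN markers share a line (first file had no trailing newline)")
    blocks = PEM_BLOCK.findall(data)
    if len(blocks) != expected_certs:
        problems.append(f"found {len(blocks)} PEM certificate block(s), expected {expected_certs}")
    for i, body in enumerate(blocks, 1):
        try:
            der = base64.b64decode(b"".join(body.split()), validate=True)
        except ValueError:
            problems.append(f"block {i}: body is not valid Base64")
            continue
        if not der_is_complete(der):
            problems.append(f"block {i}: Base64 does not decode to one complete DER SEQUENCE")
    return problems

def pem(der):
    """Wrap DER bytes in PEM armor with CRLF line ends."""
    return b"-----BEGIN CERTIFICATE-----\r\n" + base64.b64encode(der) + b"\r\n-----END CERTIFICATE-----\r\n"

# Constructed stand-ins, NOT real certificates: minimal DER SEQUENCEs for the demo.
LEAF, ROOT = pem(bytes.fromhex("3003020101")), pem(bytes.fromhex("3003020102"))

if __name__ == "__main__":
    # Usage: python check_chain.py chain.cer   (no argument: run on the constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else LEAF + ROOT + b"\x1a"
    print("\n".join(check_chain(data) or ["no structural problems found"]))
```
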
Phew! Now I can get back to NSX REST API calls and studying for my VCIX-NV exam next week. If you haven’t already been following the progress, I have a lot of good information up for studying here. Let me know if you have any questions or run into any problems that I may be able to help you out with during your NSX Manager certificate replacement!

Posted by:

Sean Whitney


  1. Rob Irwin -  April 13, 2016 - 2:51 am 453

    Useful article, Two questions.

    1: What are the details of the certificate template ‘VMWare’ you used on your certsrv?

    2: Can the intermediary authority on my external PSC be used instead?

  2. Vyas -  May 18, 2018 - 6:59 am 645

    Hi, I followed same steps but NSX throws below error to me :
    “Invalid certificate chain specified. Please specify valid PEM encoded certificate chain.” Any idea how to fix this ?

