Generating and Registering the NSX Manager Cluster Certificate for Enterprise PKS (NSX-T v2.4)

Page last updated:

Warning: Pivotal Container Service (PKS) v1.4 is no longer supported because it has reached the End of General Support (EOGS) phase as defined by the Support Lifecycle Policy.
To stay up to date with the latest software and security updates, upgrade to a supported version.

This topic describes how to generate and register the NSX Manager certificate authority (CA) certificate in preparation for installing Enterprise Pivotal Container Service (Enterprise PKS) on vSphere with NSX-T.

Note: These instructions are specific to NSX-T v2.4.


Before you begin this procedure, ensure that you have successfully completed all preceding steps for installing Enterprise PKS on vSphere with NSX-T, including:

About the NSX Manager CA Certificate

The NSX Manager CA certificate is used to authenticate with the NSX Manager. You create an IP-based, self-signed certificate and register it with the NSX Manager. During Enterprise PKS installation on vSphere with NSX-T, you provide this certificate in the NSX Manager CA Cert field in the Networking pane in the Enterprise PKS tile.

See the NSX Manager CA Cert field in the following screenshot:

NSX Manager CA certificate configuration

For configuration information, see the Networking section of Installing Enterprise PKS on vSphere with NSX-T.

By default, the NSX Manager includes a self-signed API certificate with its hostname as the subject and issuer. Ops Manager requires strict certificate validation and expects the subject and issuer of the self-signed certificate to be either the IP address or fully qualified domain name (FQDN) of the NSX Manager. As a result, you need to regenerate the self-signed certificate using the FQDN of the NSX Manager in the subject and issuer field and then register the certificate with the NSX Manager using the NSX API.

The Disable SSL certificate verification option lets you disable validation of the NSX Manager CA certificate. Select this option for testing purposes only.

Note: The NSX Manager CA Cert field and the Disable SSL certificate verification option are intended to be mutually exclusive. If you disable SSL certificate verification, leave the CA certificate field blank. If you enter a certificate in the NSX Manager CA Cert field, do not disable SSL certificate verification. If you populate the certificate field and disable certificate validation, insecure mode takes precedence.

Step 1: Configure the NSX Manager VIP

With NSX-T v2.4 you deploy a management cluster comprising three NSX Managers. As such, you need create a virtual IP address that can be used as a single endpoint to access the NSX Management cluster.

To create a VIP for the NSX Management cluster:

  • Log in to the NSX Manager interface.
  • Go to System > Overview.
  • Select Virtual IP > Edit.
  • Enter a publicly routable IP address, such as
  • Click Save.

At this point in time, you can connect to any NSX-T manager using its own IP address, or use the VIP to connect to NSX-T Manager. Both methods work. However, note that the VIP is associated with a single NSX Manager. To determine which NSX Manager the VIP is associated with, select the Virtual IP.

VIP Association

Step 2: Generate a New NSX Manager CA Certificate and Private Key Using the Cluster API

To generate a new NSX Manager CA certificate and private key using the VIP address, follow the instructions below. Make sure you use the VIP address, such as

Below is an example Certificate Signing Request (CSR) named nsx-cert.cnf. In this example, the IP address is the IP address of the VIP. Substitute this IP address with the VIP you generated.

Note: The Cluster VIP address must be used as the value for the commonName attribute because the certificate will be registered as a Cluster CA cert, not a Node CA cert. In this case the server response certificate will return with the VIP in it. Therefore, the VIP must be the commonName.

[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = California
localityName = CA
organizationName = NSX
commonName =
[ req_ext ]
subjectAltName = @alt_names
DNS.1 =

To generate the certificate and private key using the above CSR, run the following commands:

# openssl req -newkey rsa:2048 -x509 -nodes \

> -keyout nsx.key -new -out nsx.crt -subj /CN=$NSX_MANAGER_COMMONNAME \
> -reqexts SAN -extensions SAN -config <(cat ./nsx-cert.cnf \
>  <(printf "[SAN]\nsubjectAltName=DNS:$NSX_MANAGER_COMMONNAME,IP:$NSX_MANAGER_IP_ADDRESS")) -sha256 -days 365

The result is nsx.crt and nsx.key.

Verify the certificate using the command # openssl x509 -in nsx.crt -text -noout.

Import the New Certificate to NSX Manager

Complete the following steps to import the certificate to the NSX Manager:

  1. Log in to the NSX Manager UI.

  2. Navigate to System > Trust > Certificates.

  3. Click Import > Import Certificate.

Import the NSX Manager CA certificate to the NSX Manager

Note: Make sure you select Import Certificate and not Import CA Certificate.

  1. Give the certificate a unique name, such as NSX-API-CERT-NEW.

    Note: Use a unique name for the new certificate you import. The default NSX Manager CA certificate is typically named NSX-API-CERT.

  2. Browse to and select the CA certificate and private key you generated in the previous section of steps.

  3. Click Save.

Import the NSX Manager CA certificate to the NSX Manager

Note: For this use case, the Service Certificate option should be “No” (off) because you are using the certificate with NSX Manager appliance nodes. If you were using this certificate with a load balancer that fronts the NSX Manager nodes, you would enable this option.

Register the Cluster Certificate

Once you have imported the Cluster Certificate, register it with the NSX Management cluster using a cURL command against the Cluster Certificate API.

First, create environment variables for the VIP address and the certificate ID. In this example, is the VIP address. The certificate ID is obtained from the NSX Manager UI where you imported the certificate.


export CERTIFICATE_ID="63bb6646-052c-49df-b603-64d7e5bdb5bf"

Next, register the new NSX-T Manager CA cert using a cURL request to the Cluster Certificate API. Substitute PASSWORD with the password for NSX Manager.

curl --insecure -u admin:'PASSWORD' -X POST "https://$NSX_MANAGER_IP_ADDRESS/api/v1/cluster/api-certificate?action=set_cluster_certificate&certificate_id=$CERTIFICATE_ID"

The certificate will be registered with the NSX Manager that the VIP address is associated with.

To verify, using a browser go to the VIP address of the NSX Manager. Login and check that the new cert is used by the site (accessed using the VIP address).

To further verify, SSH to each NSX Manager host and run the following two commands. All certificates returned should be the same.

get certificate cluster

Next Step

Configure BOSH Director with NSX-T for Enterprise PKS.

Please send any feedback you have to