A while ago I had to replace the SSL certificates on my NSX-T Manager cluster. Not a big deal, right? Well, it turns out that to get it exactly right you have to do some manual work that I wasn't expecting.

The literature

There are quite a few blogs on the subject, thankfully, but for some reason I just couldn't get it to work. The error message I kept getting when trying to upload the certificate with the API is the following:

"Certificate is not compliant as certificate of type SERVER: Extended key usage field not present in the certificate."

That message is not something I had found in any of the previously mentioned blogs.

The message is also very strange, since I had been using the built-in CSR creator of the NSX-T Manager itself, so I would expect it to create every field it needs in order to work. And the template seemed fine as well…

The solution

I found a post unrelated to NSX about the creation of the x509v3 Extension fields on the Red Hat Customer Portal.

Together with the blog by Gareth Lewis I was able to figure out what the process to manually create a CSR for NSX looks like, since the built-in creator doesn't produce an acceptable request either. In the [req_ext] section of the OpenSSL config we need to add extendedKeyUsage = serverAuth. Like so:

[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no

[ req_distinguished_name ]
countryName = NL
stateOrProvinceName = ZH
localityName = Rotterdam
organizationName = SigBit
organizationalUnitName = blog
commonName = robertlabnsxt.robertlab.local

[ req_ext ]
subjectAltName = @alt_names
extendedKeyUsage = serverAuth
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[alt_names]
DNS.1 = robertlabnsxt.robertlab.local
DNS.2 = robertlabnsxt01.robertlab.local
DNS.3 = robertlabnsxt02.robertlab.local
DNS.4 = robertlabnsxt03.robertlab.local
IP.1 = 192.168.144.70
IP.2 = 192.168.144.71
IP.3 = 192.168.144.72
IP.4 = 192.168.144.73

With this config file I was able to successfully create a CSR that passed the validation step.
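To make the whole procedure repeatable, here is an added shell example (my own, not code from the original post) that writes the config above, generates a key and CSR with openssl, and then checks the CSR for the exact thing NSX-T rejected: the Extended Key Usage extension with serverAuth. It also builds a second CSR with that line left out, so you can see the check catch the failure case before anything is uploaded. The hostnames and IPs are the ones from the post; the output directory and file names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post. Generates an NSX-T server CSR
# from an OpenSSL config with extendedKeyUsage = serverAuth and verifies the
# extension is really present before the CSR is handed to the NSX-T API.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"   # assumption: scratch directory for key/CSR

# Write the request config. $2 = "yes" (default) includes the EKU line,
# "no" omits it to reproduce the CSR that NSX-T rejects.
write_csr_config() {
  eku_line=""
  [ "${2:-yes}" = "yes" ] && eku_line="extendedKeyUsage = serverAuth"
  cat > "$1" <<EOF
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no

[ req_distinguished_name ]
countryName = NL
stateOrProvinceName = ZH
localityName = Rotterdam
organizationName = SigBit
organizationalUnitName = blog
commonName = robertlabnsxt.robertlab.local

[ req_ext ]
subjectAltName = @alt_names
$eku_line
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[alt_names]
DNS.1 = robertlabnsxt.robertlab.local
DNS.2 = robertlabnsxt01.robertlab.local
DNS.3 = robertlabnsxt02.robertlab.local
DNS.4 = robertlabnsxt03.robertlab.local
IP.1 = 192.168.144.70
IP.2 = 192.168.144.71
IP.3 = 192.168.144.72
IP.4 = 192.168.144.73
EOF
}

# Create a fresh 2048-bit RSA key and the CSR in one step. -nodes leaves the
# key unencrypted, which is what NSX-T expects when you import key + cert.
generate_csr() {
  cfg="$1"; key="$2"; csr="$3"
  openssl req -new -newkey rsa:2048 -nodes \
    -config "$cfg" -keyout "$key" -out "$csr" 2>/dev/null
}

# Return 0 when the CSR's Extended Key Usage contains serverAuth, which
# openssl prints as "TLS Web Server Authentication".
csr_has_server_auth() {
  openssl req -in "$1" -noout -text \
    | grep -A1 'X509v3 Extended Key Usage' \
    | grep -q 'TLS Web Server Authentication'
}

# Return 0 when every SAN from the config ended up in the CSR.
csr_has_all_sans() {
  sans=$(openssl req -in "$1" -noout -text | grep -A1 'X509v3 Subject Alternative Name')
  for name in robertlabnsxt.robertlab.local robertlabnsxt01.robertlab.local \
              robertlabnsxt02.robertlab.local robertlabnsxt03.robertlab.local \
              192.168.144.70 192.168.144.71 192.168.144.72 192.168.144.73; do
    printf '%s\n' "$sans" | grep -q "$name" || return 1
  done
}

# Build the good CSR and run both checks; non-zero exit means do not upload.
build_and_check() {
  write_csr_config "$WORKDIR/nsx.cnf" yes
  generate_csr "$WORKDIR/nsx.cnf" "$WORKDIR/nsx.key" "$WORKDIR/nsx.csr"
  csr_has_server_auth "$WORKDIR/nsx.csr" || { echo "EKU serverAuth missing" >&2; return 1; }
  csr_has_all_sans "$WORKDIR/nsx.csr"    || { echo "SAN list incomplete" >&2; return 1; }
  echo "CSR $WORKDIR/nsx.csr carries serverAuth and all SANs"
}

# Build the CSR without the EKU line; csr_has_server_auth must fail on it.
build_without_eku() {
  write_csr_config "$WORKDIR/noeku.cnf" no
  generate_csr "$WORKDIR/noeku.cnf" "$WORKDIR/noeku.key" "$WORKDIR/noeku.csr"
}
```

Run build_and_check before submitting the CSR to your CA; the same csr_has_server_auth check can be pointed at the signed certificate with `openssl x509 -in cert.pem -noout -text` in place of `openssl req`, since a CA that strips the requested extensions will produce a certificate that NSX-T rejects with the same message.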

Hope this helps someone out that encountered the same issue!

The original article was posted on: significant-bit.com

Robert Cranendonk, Virtualization Consultant
