A while ago I had to replace the SSL certificates on my NSX-T Manager cluster. Not a big deal, right? Well, it turns out that to get it exactly right you have to do some manual work I wasn't expecting.
There are quite a few blogs on the subject, thankfully, but for some reason I just couldn't get it to work. The error I kept getting when uploading the certificate through the API was the following:
"Certificate is not compliant as certificate of type SERVER: Extended key usage field not present in the certificate."
Which is not something I had found on the previously mentioned blogs.
The message is strange, because I was using the built-in CSR generator of the NSX-T Manager itself, so I expected it to produce every field the product needs in order to accept the resulting certificate. The CA template seemed fine as well…
I found a post unrelated to NSX about the creation of the x509v3 Extension fields on the Red Hat Customer Portal.
Together with the blog by Gareth Lewis I was able to work out what manually creating a CSR for NSX-T with OpenSSL looks like, since the built-in generator does not add the extension the API checks for. In the [ req_ext ] section we need to add extendedKeyUsage = serverAuth, like so:
[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = req_ext
prompt             = no

[ req_distinguished_name ]
countryName            = NL
stateOrProvinceName    = ZH
localityName           = Rotterdam
organizationName       = SigBit
organizationalUnitName = blog
commonName             = robertlabnsxt.robertlab.local

[ req_ext ]
subjectAltName   = @alt_names
extendedKeyUsage = serverAuth
basicConstraints = CA:FALSE
keyUsage         = nonRepudiation, digitalSignature, keyEncipherment

[ alt_names ]
DNS.1 = robertlabnsxt.robertlab.local
DNS.2 = robertlabnsxt01.robertlab.local
DNS.3 = robertlabnsxt02.robertlab.local
DNS.4 = robertlabnsxt03.robertlab.local
IP.1  = 192.168.144.70
IP.2  = 192.168.144.71
IP.3  = 192.168.144.72
IP.4  = 192.168.144.73
With this config file I was able to create a CSR whose resulting certificate passed the validation step. Keep in mind that extensions in a CSR are only a request: the CA decides what ends up in the issued certificate, and NSX-T validates the certificate you upload, not the CSR. Before uploading, confirm the returned certificate actually carries the extendedKeyUsage with serverAuth (openssl x509 -in cert.pem -noout -text should list "TLS Web Server Authentication"); if it does not, the fix is on the CA side, not in the CSR.
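As an added example (not code from the original post), the script below writes the config above to a file, generates the key and CSR with OpenSSL, and then checks both the CSR and an issued certificate for the serverAuth EKU. It assumes openssl is on PATH; the throwaway "Lab CA" and the file names are illustrative assumptions standing in for the real issuing CA, and the two signing functions exist only to show the difference between a CA that drops the requested extensions and one that applies them.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the NSX-T CSR from the
# config above, then shows why checking the *issued* certificate matters:
# a CA that ignores requested extensions hands back a cert NSX-T will reject.
# Assumes: openssl on PATH. The "Lab CA" and file names are illustrative only.
set -eu

WORK="$(mktemp -d)"
CNF="$WORK/nsx.cnf"
trap 'rm -rf "$WORK"' EXIT

# The OpenSSL request config from the post, with the fields the NSX-T API wants.
write_config() {
  cat > "$CNF" <<'EOF'
[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = req_ext
prompt             = no

[ req_distinguished_name ]
countryName            = NL
stateOrProvinceName    = ZH
localityName           = Rotterdam
organizationName       = SigBit
organizationalUnitName = blog
commonName             = robertlabnsxt.robertlab.local

[ req_ext ]
subjectAltName   = @alt_names
extendedKeyUsage = serverAuth
basicConstraints = CA:FALSE
keyUsage         = nonRepudiation, digitalSignature, keyEncipherment

[ alt_names ]
DNS.1 = robertlabnsxt.robertlab.local
DNS.2 = robertlabnsxt01.robertlab.local
DNS.3 = robertlabnsxt02.robertlab.local
DNS.4 = robertlabnsxt03.robertlab.local
IP.1  = 192.168.144.70
IP.2  = 192.168.144.71
IP.3  = 192.168.144.72
IP.4  = 192.168.144.73
EOF
}

# The key pair stays with the service that will present the certificate.
make_csr() {
  openssl genrsa -out "$WORK/nsx.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/nsx.key" -config "$CNF" -out "$WORK/nsx.csr"
}

# Prints yes/no: does the PEM object carry an EKU including serverAuth?
# $1 is the openssl subcommand (req for a CSR, x509 for a certificate), $2 the file.
has_server_auth() {
  if openssl "$1" -in "$2" -noout -text | grep -q 'TLS Web Server Authentication'; then
    echo yes
  else
    echo no
  fi
}

# Throwaway issuing CA standing in for the real PKI (illustrative only).
make_lab_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -subj '/CN=Lab CA' -days 1 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Issuance that drops the requested extensions: the certificate comes back
# without extendedKeyUsage and NSX-T rejects it on upload.
sign_without_extensions() {
  openssl x509 -req -in "$WORK/nsx.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/bad.crt" 2>/dev/null
}

# Issuance that applies the [ req_ext ] section to the certificate itself.
sign_with_extensions() {
  openssl x509 -req -in "$WORK/nsx.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$CNF" -extensions req_ext \
    -out "$WORK/good.crt" 2>/dev/null
}

main() {
  write_config
  make_csr
  make_lab_ca
  sign_without_extensions
  sign_with_extensions
  echo "CSR has serverAuth:             $(has_server_auth req  "$WORK/nsx.csr")"
  echo "cert (ext dropped) serverAuth:  $(has_server_auth x509 "$WORK/bad.crt")"
  echo "cert (ext applied) serverAuth:  $(has_server_auth x509 "$WORK/good.crt")"
}

main
```

The check on the issued certificate is the one worth keeping around: CSR extensions are only a request, and with openssl x509 -req they are not applied unless you pass -extfile and -extensions (with openssl ca the equivalent is copy_extensions = copy in the [ ca ] section). Whatever CA issues the real certificate, run the x509 check on the returned file before uploading it to NSX-T.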
Hope this helps someone out that encountered the same issue!
The original article was posted on: significant-bit.com