A while ago I had to replace the SSL certificates on my NSX-T Manager Cluster. Not a big deal, right? Well, it turns out that to get it exactly right, you have to do some manual stuff that I wasn’t expecting.

The literature

There are quite(1) a few(2) blogs(3) on the subject(4), thankfully, but for some reason I just couldn’t get it to work. The error message I kept getting when trying to upload the certificate with the API is the following:

"Certificate is not compliant as certificate of type SERVER: Extended key usage field not present in the certificate."

Which is not something I had found on the previously mentioned blogs.

And the message is very strange since I’ve been using the built-in CSR creator from the NSX-T manager itself, so I would expect that this would create every field it needs in order to work. And the template seemed fine as well…

The solution

I found a post unrelated to NSX about the creation of the x509v3 Extension fields on the Red Hat Customer Portal.

Together with the blog by Gareth Lewis I was able to figure out what the process to manually create a CSR for NSX looks like, since the built-in creator also doesn’t work. In the [ req_ext ] section we need to add the line extendedKeyUsage = serverAuth. Like so:

[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[ req_distinguished_name ]
countryName = NL
stateOrProvinceName = ZH
localityName = Rotterdam
organizationName = SigBit
organizationalUnitName = blog
commonName = robertlabnsxt.robertlab.local
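[ req_ext ]
subjectAltName = @alt_names
# the field the "type SERVER" compliance check reported as missing
extendedKeyUsage = serverAuth
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# section referenced by subjectAltName = @alt_names
[ alt_names ]
DNS.1 = robertlabnsxt.robertlab.local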
DNS.2 = robertlabnsxt01.robertlab.local
DNS.3 = robertlabnsxt02.robertlab.local
DNS.4 = robertlabnsxt03.robertlab.local
IP.1 =
IP.2 =
IP.3 =
IP.4 =

With this config file I was able to successfully create a CSR that passed the validation step.
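
A pre-flight check for the missing-EKU error above, as an added example that is not from the original article: it builds a CSR with openssl and confirms that the request carries extendedKeyUsage = serverAuth and its SAN entries before it goes to the CA. The hostnames, the IP address and the function names are constructed for illustration.

```shell
# Sample hostnames and the IP are constructed values, not the page's.
# write_cfg FILE EKU_LINE: minimal openssl req config; EKU_LINE may be empty.
write_cfg() {
    cat > "$1" <<EOF
[ req ]
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[ req_distinguished_name ]
commonName = nsx.example.test
[ req_ext ]
subjectAltName = @alt_names
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
$2
[ alt_names ]
DNS.1 = nsx.example.test
DNS.2 = nsx01.example.test
IP.1 = 192.0.2.10
EOF
}

# make_csr CFG KEY CSR: new 2048-bit RSA key plus a CSR built from CFG.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -config "$1" -keyout "$2" -out "$3" 2>/dev/null
}

# csr_has_server_eku CSR: succeeds only if the CSR requests EKU serverAuth.
csr_has_server_eku() {
    openssl req -in "$1" -noout -text |
        grep -A1 'X509v3 Extended Key Usage' |
        grep -q 'TLS Web Server Authentication'
}

# csr_san_count CSR: prints the number of DNS/IP entries in the SAN extension.
csr_san_count() {
    openssl req -in "$1" -noout -text |
        grep -A1 'X509v3 Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | grep -c -E 'DNS:|IP Address:'
}

# Demo: the same request with and without the extendedKeyUsage line.
d=$(mktemp -d)
write_cfg "$d/ok.cnf" 'extendedKeyUsage = serverAuth' && make_csr "$d/ok.cnf" "$d/ok.key" "$d/ok.csr"
write_cfg "$d/bad.cnf" '' && make_csr "$d/bad.cnf" "$d/bad.key" "$d/bad.csr"
for f in ok bad; do
    csr_has_server_eku "$d/$f.csr" && echo "$f.csr: serverAuth requested" || echo "$f.csr: no serverAuth EKU"
done
rm -rf "$d"
```

The same csr_has_server_eku check can be pointed at any existing CSR file, including one exported from the built-in generator.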

Hope this helps someone who encountered the same issue!

The original article was posted on: significant-bit.com

Robert Cranendonk Virtualization Consultant

