NSX CSM (Cloud Service Manager)

CA Certificate

Posted by Chris Noon on Thu, Feb 3, 2022

I recently worked on a customer project where they replaced the NSX Manager certificate with a company-signed certificate using their own CA. This caused an issue when pairing the CSM with the NSX Manager, i.e. a certificate error.

This short blog post will run through the steps I ran through to allow the CSM to peer with the NSX Manager. I understand this post won’t receive a lot of traffic; my hope is that it helps someone in the future.

The Procedure

  • SSH to the CSM and login as root.

  • Prepare your root CA cert in PEM format and upload it to the CSM.

  • On the CSM, read the JKS password from the following file into a variable (the command substitution is required; a bare `PASSWORD=cat ...` does not capture the file contents):

    • PASSWORD=$(cat /config/http/.http_cert_pw)
  • Add the root CA cert to the CSM JKS store using the following command:

    • keytool -importcert -file /root/myCA.pem -noprompt -alias nsx_mgmr_custom -storetype JKS -keystore /usr/java/jre/lib/security/cacerts -storepass $PASSWORD
    • In some cases you may need to manually enter the password instead of using the variable.
  • Check the certificate has been added:

    • keytool -list -v -keystore /usr/java/jre/lib/security/cacerts -storepass $PASSWORD | grep nsx_mgmr_custom

The CSM will now trust certificates issued by that root CA, so the NSX Manager's company-signed certificate validates and the CSM and NSX Manager can peer.
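As an added example (not from the original post), the procedure above wrapped in a small POSIX shell script: it captures the keystore password correctly, checks that the uploaded file is a PEM certificate rather than a private key, skips the import when the alias is already present, and verifies the result. It assumes keytool is on PATH on the CSM and uses the password file, cacerts path and alias named in the steps above.

```shell
#!/bin/sh
# Added example, not VMware's or the post's own code. Assumes keytool is on
# PATH on the CSM and that the paths below match the post's procedure.
set -eu

PW_FILE=/config/http/.http_cert_pw
CACERTS=/usr/java/jre/lib/security/cacerts

# Read the JKS password, stripping the trailing newline so it can be passed
# to -storepass; a bare "PASSWORD=cat file" never captures the contents.
read_keystore_password() {
    [ -s "$1" ] || { echo "password file $1 missing or empty" >&2; return 1; }
    tr -d '\r\n' < "$1"
}

# keytool -importcert wants a certificate; reject the wrong artefact being
# uploaded (a private key or a key+cert bundle) before touching the keystore.
is_pem_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
    ! grep -q -- 'PRIVATE KEY-----' "$1"
}

# Return 0 when the alias is already present in the keystore.
alias_exists() {
    keytool -list -keystore "$2" -storepass "$3" -alias "$1" >/dev/null 2>&1
}

# Import the CA certificate once and confirm it landed, failing loudly otherwise.
import_ca() {
    cert=$1; alias=${2:-nsx_mgmr_custom}
    is_pem_cert "$cert" || { echo "$cert is not a PEM certificate" >&2; return 1; }
    pw=$(read_keystore_password "$PW_FILE")
    if alias_exists "$alias" "$CACERTS" "$pw"; then
        echo "alias $alias already present in $CACERTS, nothing to do"
        return 0
    fi
    keytool -importcert -file "$cert" -noprompt -alias "$alias" \
        -storetype JKS -keystore "$CACERTS" -storepass "$pw"
    alias_exists "$alias" "$CACERTS" "$pw" || { echo "import of $alias failed" >&2; return 1; }
    echo "imported $alias into $CACERTS"
}

# Usage on the CSM: ./import-ca.sh /root/myCA.pem [alias]
[ $# -eq 0 ] || import_ca "$@"
```

If the password file contains characters the shell would expand, the quoting above keeps them intact; only then is the post's note about typing the password manually likely to matter.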

Final Thoughts

I want to mention that this is not a VMware-endorsed procedure. You should verify with GSS that this is a valid approach at the time you need it.

N.B. At the time of writing, I had this confirmed.