VMware NSX ALB / AVI Certificate Signing Request (CSR) with Microsoft CA

Reading Time 2 Minutes

Since I was dealing with VMware NSX Advanced Load Balancer (or NSX ALB aka AVI Loadbalancer, take your pick!) in connection with vSphere with Tanzu in our ITQ Lab environment, I also wanted to make it trustworthy with an “official” certificate and replace the “Self Signed Certificate”.

In the Lab environment, a Windows Certificate Authority (CA) and the CA Web Enrollment already exist on a Windows 2019 VM. I will not go into detail about the installation of the CA; here I followed an article on the VirtuallyThere Blog.

In addition, I have created a Certificate Template according to VMware specifications. In the future, I would like to use this for all VMware product deployments in the lab. I have written another blog article about this (Creating a Microsoft CA Template for vSphere 6.x/7.x), or if you want to read it directly from VMware, here is the KB article: Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.x/7.x

Certificate Signing Request

First, a certificate signing request must be created on the AVI controller. To do this, go to Templates >> Security >> SSL/TLS Certificates, select Create >> Controller Certificate and create a new certificate of the type “CSR“.

Create a new Controller Certificate
Create a new Controller Certificate
New Certificate Type CSR

When creating the request, make sure that all access addresses are included in the Subject Alternate Names (SANs). In my first attempt, I forgot the cluster IP and had to confirm the browser’s security query for this one address; the rest were excluded meaning they worked fine. Unfortunately, you then have to go through the CSR process again.

Adding Subject Alternate Names (SAN)

Quick hint:
How do I come up with 4 entries for the SANs?

  • one Node IP
  • a corresponding DNS entry
  • one Cluster IP (for future use, should I ever want to use more than one node)
  • a corresponding DNS entry for the Cluster IP
Cluster IP Adressen

After creating the CSR, it looks like this in AVI:

Awaiting Certificate

Right click on the pencil and copy the CSR to the clipboard:

Copy CSR to Clipboard

Creating the certificate

Continue in the web interface of the Windows CA (accessible via https://<your-ca>/certsrv)

Here, navigate via Request a certificate >> advanced certificate request and paste the previously copied CSR.

In addition, I use my self-created Certificate Template “VMware” here.

The certificate can then be downloaded in Base 64 format:

Download certificate in Base 64
The new certificate in Windows Explorer

Using the Certificate in NSX ALB / AVI

Back in the AVI web interface, import the certificates file:

Import the new Certificate File

Et viola, the status of the certificate is Green and it is obviously not Self Signed:

New certificate looks fine

Change NSX ALB / AVI to the new certificate

Now edit the System Access Settings (Administration >> Settings >> Access Settings) and we are done 🙂

Remove both default certificates…

System Default Certificates out

…and add the new, own certificate granted by the Windows CA:

New CA signed Certificate in

A check of the four addresses in the web browser (IP and DNS) is successful:

Successful verification with Browser

A small hint regarding Firefox:
Since we do not use any group policies in our lab that include Firefox, a setting is still necessary so that Firefox relies on the Windows CA (copy/paste from the Mozilla Webseite):

  1. Enter “about:config” in the address bar and continue to the list of preferences.
  2. Set the preference “security.enterprise_roots.enabled” to true.
  3. Restart Firefox.