For vSphere certificates, you can basically stick to the defaults when it comes to provisioning vCenter Server components and ESXi hosts with certificates. The certificates are managed and issued by the VMware Certificate Authority (VMCA).
Another option is to use custom certificates stored in the VMware Endpoint Certificate Store (VECS). vCenter Server supports custom certificates generated and signed by your own enterprise public key infrastructure (PKI), such as a Microsoft PKI. vCenter Server also supports custom certificates that are generated and signed by trusted third-party certificate authorities (CAs), for example VeriSign or GoDaddy. So quite a lot of options here.
The certificates under vSphere can:
- Authenticate vSphere services
- Sign tokens (SSO tokens, for example)
- Encrypt communication between vCenter Server and ESXi
VMware VMCA runs on the VCSA as a service. It provides all the required certificates for vCenter Server and ESXi, and they are auto-renewed.
You can replace the VMCA root certificate with a certificate that is signed by an enterprise CA or a third-party CA, in which case VMCA signs the custom root certificate each time it provisions certificates, making VMCA an intermediate CA.
When you replace the default certificates with your own, you are then responsible for their renewal when the time comes.
VMware's recommendations for certificate management are basically the following: if you replace certificates with your own, replace only the SSL certificate that provides encryption between nodes. VMware does not recommend replacing either the solution user certificates or the STS certificates.
In fact there are two different scenarios or modes:
- Default – VMCA provides all the certificates for vCenter Server and ESXi hosts.
- Hybrid – You replace the vCenter Server SSL certificates and allow VMCA to manage certificates for solution users and ESXi hosts. Optionally, for high-security-conscious deployments, you can replace the ESXi host SSL certificates as well.
Requirements for custom certificates:
- Key size from 2048 bits to 16,384 bits.
- VMware supports the PKCS8 and PKCS1 (RSA key) PEM formats. When you add keys to VECS, they are converted to PKCS8.
- X.509 version 3 is required.
- SubjectAltName must contain DNS Name=machine_FQDN.
- CRT format is required.
What’s not supported by VMCA?
- Certificates with wildcards
- The algorithms md2WithRSAEncryption 1.2.840.1135184.108.40.206, md5WithRSAEncryption 1.2.840.1135220.127.116.11, and sha1WithRSAEncryption 1.2.840.113518.104.22.168
- The algorithm RSASSA-PSS with OID 1.2.840.113522.214.171.124
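As an added example (not from the original post), here is a small stdlib-only Python checker that tests the text output of `openssl x509 -noout -text` against the requirements above: version 3, RSA key size within 2048 to 16,384 bits, the FQDN present as a DNS SAN, no wildcard names, and none of the rejected signature algorithms. The `check_cert_text` function, the sample certificate text and the `vcsa.lab.local` name are constructed for illustration.

```python
import re
import sys

# Constraints from the requirements listed above
MIN_KEY_BITS, MAX_KEY_BITS = 2048, 16384
REJECTED_SIG_ALGS = {"md2WithRSAEncryption", "md5WithRSAEncryption",
                     "sha1WithRSAEncryption", "rsassaPss", "RSASSA-PSS"}

def check_cert_text(text, fqdn):
    """Return the problems found in `openssl x509 -noout -text` output (empty list = all checks passed)."""
    problems = []
    m = re.search(r"^\s*Version:\s*(\d+)", text, re.M)
    if not m or int(m.group(1)) != 3:
        problems.append("not an X.509 version 3 certificate")
    m = re.search(r"Public-Key:\s*\((\d+) bit\)", text)
    if not m:
        problems.append("could not determine key size")
    elif not MIN_KEY_BITS <= int(m.group(1)) <= MAX_KEY_BITS:
        problems.append(f"key size {m.group(1)} bits is outside {MIN_KEY_BITS}-{MAX_KEY_BITS}")
    # openssl prints the signature algorithm twice (TBS and trailer); a set collapses them
    for alg in sorted(set(re.findall(r"Signature Algorithm:\s*(\S+)", text)) & REJECTED_SIG_ALGS):
        problems.append(f"unsupported signature algorithm {alg}")
    m = re.search(r"Subject Alternative Name:[^\n]*\n\s*(.+)", text)
    sans = re.findall(r"DNS:([^,\s]+)", m.group(1)) if m else []
    if fqdn not in sans:
        problems.append(f"SubjectAltName lacks DNS:{fqdn}")
    cn = re.search(r"Subject:.*?CN\s*=\s*([^,/\n]+)", text)
    if any("*" in n for n in sans + ([cn.group(1).strip()] if cn else [])):
        problems.append("wildcard names are not supported")
    return problems

# Constructed, abridged `openssl x509 -noout -text` output; not a real certificate
GOOD_TEXT = """\
        Version: 3 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Subject: C = US, O = Lab, CN = vcsa.lab.local
                Public-Key: (2048 bit)
            X509v3 Subject Alternative Name:
                DNS:vcsa.lab.local, DNS:vcsa, IP Address:10.0.0.5
    Signature Algorithm: sha256WithRSAEncryption
"""
# Same layout with a wildcard CN, a 1024-bit key, a SHA-1 signature and no FQDN in the SAN
BAD_TEXT = GOOD_TEXT
for old, new in [("CN = vcsa.lab.local", "CN = *.lab.local"), ("(2048 bit)", "(1024 bit)"),
                 ("sha256WithRSA", "sha1WithRSA"), ("DNS:vcsa.lab.local, ", "")]:
    BAD_TEXT = BAD_TEXT.replace(old, new)

if __name__ == "__main__":  # usage: openssl x509 -in cert.pem -noout -text | python check.py vcsa.lab.local
    print("\n".join(check_cert_text(sys.stdin.read(), sys.argv[1]) or ["all checks passed"]))
```

Run it over the CSR's signed result before importing the certificate into VECS; it only reads the human-readable openssl dump, so it works the same for VMCA, enterprise CA and third-party CA issued certificates.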
If you use VMCA as an intermediate CA, you can use the vSphere Certificate Manager to create a CSR or you can create a CSR manually.
You can use the vSphere Client to view expiration data for certificates, whether they are signed by VMCA or a third party.
vCenter Server has alarms for hosts whose certificates expire shortly (in less than 8 months) and red alarms where certificates are in the Expiration Imminent state (expire in less than 2 months).
ESXi hosts that boot from installation media have autogenerated certificates. When a host is added to the vCenter Server system, it is provisioned with a certificate that is signed by VMCA as the root CA.
The different certificate types are:
ESXi certificate – provisioned by VMCA when the host is first connected or reconnected to vCenter Server, and stored locally on the ESXi host (in /etc/vmware/ssl).
Machine SSL certificate – used to create SSL sockets for secure socket layer (SSL) client connections, for server verification, and for secure communication such as HTTPS and LDAPS. It is used by the reverse proxy service, the vCenter Server service (vpxd), and the VMware Directory Service (vmdir).
Solution user certificate – Used by solution users to authenticate to vCenter Single Sign-On through SAML token exchange.
vCenter Single Sign-On SSL signing certificate – used for authentication; the SAML token is basically the user's identity. You can manage this certificate from the command line.
VMware Directory Service (vmdir) SSL certificate – since vSphere 6.5 (I think), the machine SSL certificate is used as the vmdir certificate.
vSphere Virtual Machine Encryption certificates (important when you want to encrypt your VMs) – used for virtual machine encryption, which relies on a key management server (KMS); now present in vSphere 7.0 U2.
Find other chapters on the main page of the guide – VCP7-DCV Study Guide – VCP-DCV 2021 Certification.