- Why does VMware use PKI?
- PKI – The good, bad and ugly
- Choose your deployment to maximize operational security
- Tech preview demonstration
Shows a slide of many recent companies that were hacked
Certificates are used in vSphere to maintain trust. They are used for solution users, encryption and SAML tokens.
Using PKI does not guarantee security. Security companies get hacked. Operational security can make PKI fail.
PKI: The Good, Bad and Ugly
The Good: Mature, robust, 30 years old, open, tried and trusted, can be automated and auditable
The Bad: Complex to implement, difficult to manage without automation
The Ugly: Not immune to vulnerabilities, CA compromise shatters PKI
Simplify: The vSphere Platform Services Controller
- VMware CA in PSC generates certs, generates CRLs, manages certificate lifecycle
- VMware endpoint certificate store – stores certificates and keys, syncs trusted certs, syncs CRLs
- VMware Directory Service – Stores identity resources, multi-master replication, domain structure, licensing, tagging
- STS and SSO – Integrated Windows auth, AD integration, SAML tokens
vSphere 6.0 vCenter Certificates – Simplified
- Root CA – VMCA root CA
- SSL – MACHINE_SSL
- Solution users – 4 certificates for 13+ services
- STS signing cert
- VMDir certificate
- ESXi certificate
vSphere 6.0 ESXi Certificates
- ESX auto-generates certificates at installation
- Certs are stored locally, not in VECS
- VMCA mode
- Custom mode – with custom certs
- Thumbprint mode – not recommended
VMCA Root CA and Machine SSL Certificates
- Root CA – Validity 10 years, 2048 bit
- Machine SSL –
- Solution user – 10 years
- ESXi cert – 5 years
- VMCA as Root CA – easy, and suitable for most customers
- VMCA as intermediate CA – can introduce some risk, but also easy.
- Hybrid – very common. User facing certs are trusted, VMCA for solution users
- No VMCA – Highly secure only (finance), very manual.
Certificate Management Tools
- Certool – Command line interface
- Certificate management utility – for Windows and Linux
- Tech preview for 6.0 U1: PSC UI –
- Tech preview Platform service SDK – client libraries for remote execution
PSC UI – HTML5-based (HTTPS://PSC/PSC)
- Ability to upload and renew certificates in GUI
PKI: Deep Dive walkthrough – Revocation
VMware services do not perform revocation checking. You can, however, delete certificates from the VMCA, or delete the entire VMCA itself.
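As an added example (not VMware code and not from the session), a Go program that audits a certificate against the lifetimes and key size listed above and against a constructed revocation list, which is the check the services themselves skip. The certificates are generated inline and the CRL is modelled as a set of revoked serial numbers rather than parsed from a real CRL; both are assumptions of this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// AuditCert checks a certificate against the session's baseline (RSA 2048, maxYears for its
// role) and against revoked, a constructed CRL stand-in, since vSphere services do not.
func AuditCert(c *x509.Certificate, maxYears int, revoked map[string]bool) []string {
	var findings []string
	if k, ok := c.PublicKey.(*rsa.PublicKey); !ok || k.N.BitLen() < 2048 {
		findings = append(findings, "key is not RSA or is shorter than 2048 bits")
	}
	// One day of slack so a 10-year certificate spanning leap days still passes.
	if c.NotAfter.After(c.NotBefore.AddDate(maxYears, 0, 1)) {
		findings = append(findings, fmt.Sprintf("validity exceeds %d years", maxYears))
	}
	if revoked[c.SerialNumber.String()] {
		findings = append(findings, "serial is on the CRL; services would still accept it")
	}
	return findings
}

// selfSigned builds a constructed test certificate; it is not a real VMCA-issued cert.
func selfSigned(cn string, years, bits int) *x509.Certificate {
	key, _ := rsa.GenerateKey(rand.Reader, bits) // bits is 1024 or 2048 here, no error
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // unique enough for a demo
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().AddDate(years, 0, 0),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

func main() {
	host := selfSigned("esxi-01 (constructed)", 6, 1024) // too long-lived, too small a key
	fmt.Println(AuditCert(host, 5, map[string]bool{host.SerialNumber.String(): true}))
}
```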
Tech Preview – vSphere Certificates and load balancers
- In 2016 vSphere will remove the load balancer requirement for HA PSCs
- Two PSCs per site are recommended
Tech Preview for Lifecycle management
- PowerCLI for ESX host certificate replacement
- Platform Services SDK – C, Java, Python
- Open source VMCA, VECS, VMDirectory
- On GitHub