VMworld 2015: vSphere 6 Certificates

Session INF4946


  • Why does VMware use PKI?
  • PKI – The good, bad and ugly
  • Choose your deployment to maximize operational security
  • Tech preview demonstration

Shows a slide of many recent companies that were hacked

Certificates are used in vSphere to maintain trust. They are used for solution users, for encryption of service-to-service traffic, and for signing SAML tokens.

Using PKI does not guarantee security. Security companies get hacked. Operational security can make PKI fail.

PKI: The Good, Bad and Ugly

The Good: Mature, robust, 30 years old, open, tried and trusted, can be automated and auditable

The Bad: Complex to implement, difficult to manage without automation

The Ugly: Not immune to vulnerabilities, CA compromise shatters PKI

Simplify: The vSphere Platform Services Controller (PSC)

  • VMware Certificate Authority (VMCA) in the PSC – generates certs, generates CRLs, manages certificate lifecycle
  • VMware Endpoint Certificate Store (VECS) – stores certificates and keys, syncs trusted certs, syncs CRLs
  • VMware Directory Service (VMDir) – stores identity resources, multi-master replication, domain structure, licensing, tagging
  • STS and SSO – Integrated Windows authentication, AD integration, SAML tokens

vSphere 6.0 vCenter Certificates – Simplified

  • Root CA – VMCA root CA
  • Solution users – 4 certificates for 13+ services
  • STS signing cert
  • VMDir certificate
  • ESXi certificate

vSphere 6.0 ESXi Certificates

  • ESXi auto-generates certificates at installation
  • Certs are stored locally on the host, not in VECS
  • VMCA mode
  • Custom mode – with custom certs
  • Thumbprint mode – not recommended

VMCA Root CA and Machine SSL Certificates

  • Root CA – Validity 10 years, 2048 bit
  • Machine SSL –
  • Solution user – 10 years
  • ESXi cert – 5 years

Deployment Scenarios

  • VMCA as Root CA – easy and for most customers
  • VMCA as intermediate CA – also easy, but introduces some risk: a VMCA compromise now affects your enterprise PKI's chain of trust.
  • Hybrid – very common. User facing certs are trusted, VMCA for solution users
  • No VMCA – Highly secure only (finance), very manual.

Certificate Management Tools

  • Certool – Command line interface
  • Certificate management utility – for Windows and Linux
  • Tech preview for 6.0 U1: PSC UI – ability to upload and renew certificates in the GUI
  • Tech preview Platform Services SDK – client libraries for remote execution

PKI: Deep Dive walkthrough – Revocation

VMware services do not do revocation checking, so revoking a certificate does not stop it from being accepted; the practical response to a bad certificate is to replace it. You can delete the certs in the VMCA, and the entire VMCA itself, though.
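The revocation point above, and the root CA parameters listed earlier, illustrated with an added example that is not from the session or from VMware: a throwaway VMCA-like root CA and a machine SSL certificate are built with openssl, the machine certificate is revoked, and the chain is then verified both without and with CRL processing. A service that does no revocation checking behaves like the first verify: the revoked certificate is still accepted. The subject strings, example.local and the file names are illustrative choices for this example.

```shell
#!/bin/sh
# Added example, not code from the VMworld session or from VMware.
# Builds a throwaway VMCA-like root CA and a machine SSL certificate with openssl,
# revokes the machine certificate, and shows that a chain check without CRL
# processing still accepts it. Subject names, example.local and file names are
# illustrative choices made for this example.
set -eu

WORK="$(mktemp -d)"
# Stand-in for the VMCA root subject; the real one is generated per PSC
CA_SUBJ="/CN=CA/DC=vsphere/DC=local/O=example.local"

build_pki() {
  cd "$WORK"
  # Root CA: 2048-bit RSA, 10-year validity, the VMCA root parameters quoted in the session
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "$CA_SUBJ" -keyout ca.key -out ca.crt >/dev/null 2>&1
  # Machine SSL certificate for the vCenter/PSC node, signed by the root
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=vcenter.example.local" -keyout machine.key -out machine.csr >/dev/null 2>&1
  openssl x509 -req -sha256 -days 730 -in machine.csr \
    -CA ca.crt -CAkey ca.key -CAcreateserial -out machine.crt >/dev/null 2>&1
  # Minimal "openssl ca" configuration: only what revocation and CRL generation need
  cat > ca.cnf <<EOF
[ ca ]
default_ca = vmca_like
[ vmca_like ]
database = $WORK/index.txt
certificate = $WORK/ca.crt
private_key = $WORK/ca.key
default_md = sha256
default_crl_days = 30
crlnumber = $WORK/crlnumber
EOF
  : > index.txt          # empty certificate database
  echo 1000 > crlnumber  # starting CRL number (hex)
}

# Mark the machine certificate revoked in the CA database and publish a CRL
revoke_machine_cert() {
  cd "$WORK"
  openssl ca -config ca.cnf -revoke machine.crt >/dev/null 2>&1
  openssl ca -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1
}

# Chain check as a client that ignores revocation sees it; prints accepted or rejected
verify_no_crl() {
  if openssl verify -CAfile "$WORK/ca.crt" "$WORK/machine.crt" >/dev/null 2>&1; then
    echo accepted
  else
    echo rejected
  fi
}

# Same chain check with CRL processing enabled for the leaf certificate
verify_with_crl() {
  if openssl verify -crl_check -CAfile "$WORK/ca.crt" -CRLfile "$WORK/ca.crl" \
       "$WORK/machine.crt" >/dev/null 2>&1; then
    echo accepted
  else
    echo rejected
  fi
}

build_pki
BEFORE="$(verify_no_crl)"
revoke_machine_cert
AFTER_NO_CRL="$(verify_no_crl)"
AFTER_CRL="$(verify_with_crl)"
echo "before revocation, no CRL check: $BEFORE"
echo "after revocation,  no CRL check: $AFTER_NO_CRL  (what a non-checking service sees)"
echo "after revocation,  CRL check:    $AFTER_CRL"
```

Run it as a script with openssl on the PATH; it writes only into a mktemp directory. The second line of output is the one that matters for vSphere: as long as the chain verifies and the validity period has not passed, a certificate that has been revoked at the CA is indistinguishable from a valid one to a service that never consults the CRL, which is why replacing the certificate (and the key behind it) is the only reliable response.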

Tech Preview – vSphere Certificates and load balancers.

  • In 2016 vSphere will remove the load balancer requirement for HA PSCs.
  • Two PSCs per site are recommended

Tech Preview for Lifecycle management

  • PowerCLI for ESXi host certificate replacement
  • Platform Services SDK – C, Java, Python

Project Lightwave

  • Open source VMCA, VECS, VMDirectory
  • On GitHub

