Note: Although not mentioned in this session, I have a SSL toolkit for vSphere 6.0 which makes the replacement process easier. Check out my vSphere 6.0 install guide here for all the details.
Certificate Lifecycle Management
- VMCA: VMware certificate authority
- VECS: VMware Endpoint Certificate store
- Dual Operational modes: Root CA and Issuer CA
- Root CA: Automated, can issue other certs, all solutions and endpoint certificates are created and trusted to this root cert
- Issuer CA: Can replace all default root CA certificate created during installation. Basically subordinate CA to your enterprise CA.
- Repository for certificates and private keys
- Mandatory component
- Key stores: machine SSL certs, trusted roots, CRLs, solution users, others (e.g. VVOLS).
- Managed through veccs-CLI
- Does not manage SSO certificates
vSphere 6.0 Certificate Types
- ESXi certificates – autogenerated post-install. New modes in 6.0, one of which can use VMCA certs. Can renew in webclient.
- Machine SSL certificates – Creates server-side SSL (HTTPS, LDAP, etc.). Each node has its own machine SSL certificate.
- Solution User certificates – Machine, vpxd, vpxd-extension, vsphere-webclient. Encapsulates one or more vCenter services.
- Single-sign-on: Not stored in VECS. Stored in filesystem. STS certificate. Renew/update via GUI, not filesystem replacement.
Certificate Replacement Options
- VMCA as root. Easiest deployment option.
- VMCA as Enterprise CA subordinate – VMCA will issue certs on behalf of your enterprise CA
- Custom CA – Only use custom certs all around. Not recommended except for Gov’t/Financial.
- Hybrid – User facing certs replace, then let VMCA manage solution user and ESXi certs.
VMware vSphere 6.0 Certificate Manager
- Available on both Windows and VCSA
- Menu driven (GUI in 6.0 U1)
VMCA as Subordinate
- RSA with 2048 bits
- SHA256, 384 or 512
- No wildcards in SubjectAltName
- Cannot create subsidiary CAs of VMCA
- Sync time for all nodes
Session videos, slides and scripts: http://vmware.com/go/inf4529