VMworld 2015: Certificates for Mere Mortals

Session INF4529

Note: Although not mentioned in this session, I have a SSL toolkit for vSphere 6.0 which makes the replacement process easier. Check out my vSphere 6.0 install guide here for all the details.

Certificate Lifecycle Management

VMCA: VMware certificate authority
VECS: VMware Endpoint Certificate store

VMCA

Dual Operational modes: Root CA and Issuer CA
Root CA: Automated, can issue other certs, all solutions and endpoint certificates are created and trusted to this root cert
Issuer CA: Can replace all default root CA certificate created during installation. Basically subordinate CA to your enterprise CA.

VECS

Repository for certificates and private keys
Mandatory component
Key stores: machine SSL certs, trusted roots, CRLs, solution users, others (e.g. VVOLS).
Managed through veccs-CLI
Does not manage SSO certificates

vSphere 6.0 Certificate Types

ESXi certificates – autogenerated post-install. New modes in 6.0, one of which can use VMCA certs. Can renew in webclient.
Machine SSL certificates – Creates server-side SSL (HTTPS, LDAP, etc.). Each node has its own machine SSL certificate.
Solution User certificates – Machine, vpxd, vpxd-extension, vsphere-webclient. Encapsulates one or more vCenter services.
Single-sign-on: Not stored in VECS. Stored in filesystem. STS certificate. Renew/update via GUI, not filesystem replacement.

Certificate Replacement Options

VMCA as root. Easiest deployment option.
VMCA as Enterprise CA subordinate – VMCA will issue certs on behalf of your enterprise CA
Custom CA – Only use custom certs all around. Not recommended except for Gov’t/Financial.
Hybrid – User facing certs replace, then let VMCA manage solution user and ESXi certs.

VMware vSphere 6.0 Certificate Manager