vSphere 7 – Certificate Management

With vSphere 7, the management of certificates became much easier. For starters, the solution certificates are deprecated, replaced under the hood by a less complex but equally secure method of connecting other products such as vRealize Operations, vRealize Log Insight, etc.

Furthermore, there are now REST APIs for handling vCenter Server certificates. VMware Certificate Authority (VMCA) is part of vCenter Server 7 and manages the cluster certificates, which have also been simplified. The VMCA is a “just enough certificate authority” for the vSphere cluster’s cryptographic needs.

NOTE: Please do not confuse VMCA with a general-purpose certificate authority (CA). You cannot ask VMCA to certify anything else, for example the company’s website.

Screen shot of vSphere 7 API Explorer and the Certificate REST APIs

In vSphere 7 there are four main ways to manage certificates:

  1. Fully Managed Mode
  2. Hybrid Mode
  3. Subordinate CA Mode
  4. Full Custom Mode

Fully Managed Mode

When vCenter is provisioned, VMCA (VMware Certificate Authority) is initialized with a new root CA certificate to protect communication between ESXi hosts, and between ESXi hosts and vCenter Server. It is called the “Machine Certificate”. We can download the VMCA root CA certificate from the main vCenter Server web page and import it into our PCs in order to establish trust. If needed we can regenerate the VMCA root certificate and, instead of the default values, supply our own.

Hybrid Mode

We can replace the certificate that the vSphere Client uses so that it is accepted by default by client browsers. This is a better solution than asking every single user to import the VMCA root CA certificate. This is the best of both worlds – deep automation for the security inside the infrastructure and minimal management effort for vSphere Client users. However, vSphere Admins will still want to import the VMCA root CA certificate in order to establish trust with the ESXi hosts, whose management interfaces will have certificates signed by the VMCA.

NOTE: In both hybrid mode and the default fully managed mode, neither the ESXi hosts nor the vSphere Client have self-signed certificates, which is a common misconception.
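As an added example (not from the original post or from VMware), the script below ties together the REST API mentioned earlier and the trust step above: it reads the vCenter machine certificate details over the vSphere 7 certificate-management API, verifying the connection against the VMCA root downloaded from the vCenter landing page, and then checks whether that certificate is really self-signed (issuer equal to subject) and how long it remains valid. The endpoint paths and the `issuer_dn`, `subject_dn` and `valid_to` field names are assumed from the vSphere 7 API; the sample record is constructed to mirror VMCA defaults.

```python
import base64
import json
import ssl
import urllib.request
from datetime import datetime, timezone

# Constructed sample shaped like the object that
# GET /api/vcenter/certificate-management/vcenter/tls returns for a
# VMCA-signed machine certificate (field names assumed from the vSphere 7 API).
SAMPLE_TLS_INFO = {
    "subject_dn": "CN=vcenter.lab.example, C=US, ST=California, O=VMware, OU=VMware Engineering",
    "issuer_dn": "CN=CA, DC=vsphere, DC=local, C=US, ST=California, O=vcenter.lab.example, OU=VMware Engineering",
    "valid_to": "2026-01-01T00:00:00.000Z",
    "thumbprint": "PLACEHOLDER_SHA1_THUMBPRINT",
}


def _parse_ts(value):
    """Parse the API's ISO-8601 UTC timestamp (trailing 'Z') into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def classify_tls_info(info, now=None):
    """Summarise a machine-certificate record: is it self-signed (issuer equals
    subject), who issued it, and how many whole days of validity remain."""
    now_dt = _parse_ts(now) if now else datetime.now(timezone.utc)
    return {
        "self_signed": info["issuer_dn"] == info["subject_dn"],
        "issuer_dn": info["issuer_dn"],
        "days_left": (_parse_ts(info["valid_to"]) - now_dt).days,
    }


def fetch_tls_info(vcenter, user, password, cafile=None):
    """Read the machine certificate details over the vSphere 7 REST API.
    `cafile` is the VMCA root downloaded from the vCenter landing page, so the
    API call itself is verified against it rather than skipping TLS checks."""
    ctx = ssl.create_default_context(cafile=cafile)
    creds = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(f"https://{vcenter}/api/session", method="POST",
                                 headers={"Authorization": f"Basic {creds}"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        session_id = json.load(resp)  # vSphere 7 returns the token as a bare JSON string
    req = urllib.request.Request(
        f"https://{vcenter}/api/vcenter/certificate-management/vcenter/tls",
        headers={"vmware-api-session-id": session_id})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


if __name__ == "__main__":
    print(classify_tls_info(SAMPLE_TLS_INFO))
```

Pass the output of `fetch_tls_info(...)` to `classify_tls_info` to run the same check against a live vCenter.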

Screen shot of vCenter Server Download Trusted Root CA Certificates

Subordinate CA Mode

VMCA can be delegated authority from a corporate CA and operate as a subordinate CA. This allows vCenter Server to continue automating the certificate management, just like in the fully managed mode, except that the certificates it generates are trusted as part of the organization.

Full Custom Mode

This is the mode where VMCA is not used. The administrator needs to install and manage all the certificates present in a vSphere cluster.
