With vSphere 7 the management of certificates became much easier. For starters the solution certificates are deprecated, being replaced under the hood with a less complex but equally secure method of connecting other products like vRealize Operations, vRealize Log Insight, etc.
Furthermore, there are now REST APIs for handling vCenter Server certificates. VMware Certificate Authority (VMCA) is part of vCenter Server 7 and manages the cluster certificates, which have also been simplified. The VMCA is “just enough certificate authority” to manage the vSphere cluster’s cryptographic needs.
NOTE: Do not confuse VMCA with a general-purpose certificate authority (CA). You cannot ask VMCA to certify anything else, such as the company’s website.
In vSphere 7 there are four main ways to manage certificates:
- Fully Managed Mode
- Hybrid Mode
- Subordinate CA Mode
- Full Custom Mode
Fully Managed Mode
When vCenter Server is provisioned, VMCA (VMware Certificate Authority) is initialized with a new root CA certificate to protect communication between ESXi hosts, and between ESXi hosts and vCenter Server. This is called the “Machine Certificate”. We can download the VMCA root CA certificate from the main vCenter Server web page and import it into our PCs in order to establish trust. If needed, we can regenerate the VMCA root certificate and supply our own values instead of the defaults.
Hybrid Mode
We can replace the certificate that the vSphere Client uses so that it is accepted by default by client browsers. This is a better solution than asking every single user to import the VMCA root CA certificate. This is the best of both worlds: deep automation for the security inside the infrastructure and minimal management effort for vSphere Client users. However, vSphere admins will still want to import the VMCA root CA certificate in order to establish trust with the ESXi hosts, whose management interfaces will have certificates signed by the VMCA.
NOTE: In both hybrid mode and the default fully managed mode, neither the ESXi hosts nor the vSphere Client have self-signed certificates, which is a common misconception.
Subordinate CA Mode
When VMCA is delegated authority from a corporate CA, it can operate as a subordinate CA. This allows vCenter Server to continue automating certificate management, just like in the fully managed mode, except that the certificates it generates are trusted as part of the organization.
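The trust relationships behind the fully managed / hybrid modes above and the subordinate CA mode can be checked offline with plain openssl. The script below is an added example, not code from the original article or from VMware: it builds a throwaway root that stands in for the VMCA, issues a constructed "machine certificate" from it, and shows that a client only trusts that certificate once the root has been imported; it then builds a constructed corporate root with the VMCA as a subordinate CA and shows that a client trusting only the corporate root accepts the host certificate as long as the subordinate CA certificate is presented with it. All CA names, host names and file names are constructed for the demo and are not real vCenter values.

```shell
#!/bin/sh
# Added example (not from the original article, not VMware code): rebuild the
# trust chains of the VMCA modes with openssl. Every CA name, host name and
# file below is constructed for the demo; none is a real vCenter value.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profiles: a CA (root or subordinate) and a host "machine certificate".
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' > host.ext

# Self-signed root CA: this is what VMCA is in Fully Managed Mode.
make_root() {            # $1 = file stem, $2 = CN
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 3650 -sha256 \
    -extfile ca.ext -out "$1.crt" >/dev/null 2>&1
}

# Certificate signed by an existing CA; $4 selects the extension profile.
issue() {                # $1 = file stem, $2 = CN, $3 = issuer stem, $4 = ext file
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" -CAcreateserial \
    -days 365 -sha256 -extfile "$4" -out "$1.crt" >/dev/null 2>&1
}

# Would a client that trusts only $1 accept certificate $2?  $3 is an optional
# intermediate CA certificate the server sends along with its own certificate.
verify_leaf() {          # prints "trusted" or "untrusted"
  if [ -n "$3" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1 && echo trusted || echo untrusted
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 && echo trusted || echo untrusted
  fi
}

# --- Fully Managed / Hybrid Mode: VMCA is its own root ----------------------
make_root vmca-root "VMCA"                              # constructed VMCA root
issue esxi01 esxi01.example.test vmca-root host.ext     # VMCA-signed machine certificate
make_root unrelated-root "Unrelated CA"                 # a PC that never imported the VMCA root

echo "admin PC with VMCA root imported:   $(verify_leaf vmca-root.crt esxi01.crt)"
echo "PC without the VMCA root:           $(verify_leaf unrelated-root.crt esxi01.crt)"

# --- Subordinate CA Mode: VMCA signed by the corporate CA -------------------
make_root corp-root "Corporate Root CA"                 # constructed enterprise root
issue vmca-sub "VMCA" corp-root ca.ext                   # VMCA operating as a subordinate CA
issue esxi02 esxi02.example.test vmca-sub host.ext       # machine certificate from the subordinate

echo "corporate root only, sub CA sent:   $(verify_leaf corp-root.crt esxi02.crt vmca-sub.crt)"
echo "corporate root only, sub CA absent: $(verify_leaf corp-root.crt esxi02.crt)"
```

The last line is the practical caveat for subordinate CA mode: the corporate root alone is not enough for a client to build the chain, so the subordinate VMCA certificate has to be served (or installed) alongside the host certificate, exactly as a real intermediate CA certificate would be.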
Full Custom Mode
This is the mode where VMCA is not used. The administrator needs to install and manage all the certificates present in a vSphere cluster.