Certificates are the N° 1 source of confusion! As a result, certificate management needed improvement. That’s what comes with vSphere 7: improved Certificate Management 🙂
For kicks, … Bear in mind, the VMware Certificate Authority, VMCA, is not a fully featured certificate authority. It’s a just-enough certificate authority that does what you need it to do: sign certificates for the rest of the environment. No more. It’s not going to issue web server certificates for other enterprise things.
Now let’s see what’s improved with Certificate Management in vSphere 7.
Certificate Management Modes
With vSphere 7, there are 4 main Certificate Management Modes:

Fully Automated and Hybrid modes are the recommended modes, and the best choices 🙂
- With Fully Automated mode, the VMCA does everything: it issues all the certificates for everything.
- With Hybrid mode, the “machine certificate” is replaced in the vSphere Client by a 3rd-party-signed one. Because that one is signed by your enterprise PKI infrastructure, it’s automatically trusted by everyone.

Subordinate CA and Fully Custom are the less recommended modes:
- With Subordinate CA, the enterprise PKI infrastructure issues a signing certificate (a CA certificate) to the VMCA. The VMCA can then basically impersonate the organisation. Uhm, isn’t that dangerous and risky?
- With Fully Custom, the VMCA is still there, but you really don’t use it because you manage all the certificates yourself (and that’s a lot of work!).

Again, I would really not recommend either of the last 2 modes:
- Subordinate CA: the VMCA holds key material that can be used to impersonate the organization… And if your vSphere admin team loses that for some reason … well … that’s a responsibility they don’t really need.
- Fully Custom: there are hundreds of certificates in the cluster and the admin has to generate a key for each one of them. On top of that, wildcard certificates cannot be used in vSphere. Because we need to manage identity, we actually care about the hostnames and the service names associated with the certificates. So each one gets its own key and its own certificate. Somebody has to manage that, including certificate expiry dates… To put it another way, that’s just a recipe for human error.
Most importantly, I’d encourage you to use an automated solution: Fully Automated or Hybrid mode!
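The per-certificate checks that Fully Custom mode leaves to the admin (exact hostname, no wildcard, expiry date), as an added example that is not from the original post or from VMware. It audits records in the dictionary shape that Python's `ssl` module returns from `getpeercert()`; the hostnames, dates and the `sample_cert` helper are constructed for illustration.

```python
import ssl
from datetime import datetime, timezone

def sample_cert(san, not_after):
    """Build a constructed record in the ssl getpeercert() dict shape."""
    return {"subjectAltName": (("DNS", san),), "notAfter": not_after}

# Constructed inventory: expected hostname -> certificate fields (made-up data).
INVENTORY = {
    "vcsa01.example.test": sample_cert("vcsa01.example.test", "Jun 11 12:00:00 2030 GMT"),
    "esx01.example.test": sample_cert("*.example.test", "Jun 11 12:00:00 2030 GMT"),
    "esx02.example.test": sample_cert("esx-old.example.test", "Jan 15 12:00:00 2025 GMT"),
}

def audit_cert(hostname, cert, now, warn_days=30):
    """Return a list of findings for one certificate; empty means it passes."""
    findings = []
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    # Wildcard names cannot be used in vSphere (see the text above).
    if any("*" in name for name in sans):
        findings.append("wildcard")
    # The certificate must name this exact host; compare case-insensitively.
    if hostname.lower() not in (s.lower() for s in sans):
        findings.append("hostname-missing")
    # notAfter is a GMT string; convert to an aware datetime before comparing.
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    days_left = (expires - now).days
    if days_left < 0:
        findings.append("expired")
    elif days_left <= warn_days:
        findings.append("expiring-soon")
    return findings

def audit_inventory(inventory, now, warn_days=30):
    """Map each hostname that has at least one finding to its findings."""
    report = {h: audit_cert(h, c, now, warn_days) for h, c in inventory.items()}
    return {h: f for h, f in report.items() if f}

if __name__ == "__main__":
    fixed_now = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed for repeatable output
    for host, findings in audit_inventory(INVENTORY, fixed_now).items():
        print(host, findings)
```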
Simplified Certificate Management
vSphere 7: much simpler

New wizard for Certificate Import
In vSphere 7, there is a new UI.

For instance, when you want to replace the machine certificate with a new certificate for Hybrid Mode, you generate the key and the certificate separately. After that you can just import them. Keep in mind that vCenter Server will be down for a short time while services restart.
Certificate API – Manage vCenter Certificates programmatically

With vSphere 7, VMware went from like 40% API coverage to like 98% API coverage. It’s all in the API Explorer. Furthermore, with Code Capture, anything you can do in the HTML5 client can be captured as code. That makes it easy to create a script (PowerCLI, Python) to automate the task.
It is HUGE when it comes to automation!!
More Information & Getting Assistance
- Global Support Services – if there’s a problem please open an SR !
- Go to My VMware, login and select Get Support.
- Live queue Local Numbers for Sev.1
- ://www.vmware.com/support/phone_support.html
- Luxembourg – English Language Support – Tel: 800 263 77 or 342 080 8187
- Reach your Technical Account Manager, or your Account Team
- Subscribe to the vSphere Blog https://blogs.vmware.com/vsphere/
- Subscribe to the VMware Security Advisory mailing list https://www.vmware.com/security/advisories.html
- Check vSphereCentral (stay tuned, massive updates coming!) https://vspherecentral.vmware.com/