vSphere 7 – Part 2: Certificate Management

For kicks, … Bear in mind, the VMware Certificate Authority, VMCA, is not a fully featured certificate authority. It’s a just enough certificate authority to do what you needed to do: which is to sign certificates for the rest of the environment. No more…. Like it’s not going to issue web server certificates for other enterprise things.

Certificate Management Modes

With vSphere 7, there are 4 main Certificate Management Modes:

Fully Automated and Hybrid modes are the recommended modes, and the best choices 🙂

• With the Fully automated mode, the VMCA does everything there and it issues all the certificates for everything.
• With Hybrid mode, the “machine certificate” is replaced in the vSphere Client, by a 3rd party signed one. That’s the one signed by your enterprise PKI infrastructure, it’s automatically trusted by everyone.

The Subordinate CA and Fully Custom are the less recommended modes:

• With Subordinate CA, the enterprise PKI infrastructure would issue a signing certificate, a CA certificate to the VMCA. Then the VMCA can basically impersonate the organisation. ?? uhm, isn’t that dangerous and risky ???
• With Fully Custom, the VMCA is still there, but you really don’t use it because you manage your own certificates yourself…(and that’s a lot of work!)

Again, I would really not recommend neither of the last 2 modes:

• Subordinate CA holds the key material that can be used to impersonate the organization… And if your vSphere admin team loses that for some reason … well … that’s a responsibility they don’t really need.
• Fully Custom. there’s hundreds of certificates in the cluster and the admin will have to generate a key for each one of them. On the top wild card certificates cannot be used in vSphere. Because we need to manage the identity, we actually care about the hostnames and the service names associated with the certificates. So each one gets their own key, gets their own certificate. Somebody has to manage that, including certificates expiricy dates… To put it another way, that’s just a recipe for human error.

Simplified Certificate Management

vSphere 7: much simpler

New wizard for Certificate Import

In vSphere 7, there is a new UI.

For instance, when you want to replace the machine certificate with a new certificate for Hybrid Mode, you generate a key separately and the certificate. After that you can just import them. Yet, take into account vCenter server will be down for a short time, restarting services.

Certificate API – Manage vCenter Certificates programmatically

More Information & Getting Assistance

• Global Support Services – if there’s a problem please open an SR !
  • Go to My VMware, login and select Get Support.
  • Live queue Local Numbers for Sev.1
    • ://www.vmware.com/support/phone_support.html
    • Luxembourg – English Language Support – Tel: 800 263 77 or 342 080 8187
• Reach your Technical Account Manager, or your Account Team
• Subscribe to the vSphere Blog https://blogs.vmware.com/vsphere/
• Subscribe to the VMware Security Advisory mailing list https://www.vmware.com/security/advisories.html
• Check vSphereCentral (stay tuned, massive updates coming!) https://vspherecentral.vmware.com/

In the meantime, check-out our last articles

• https://mysticmarvin.eu/introducing-2nd-version-vmwarecloud-on-dellemc/
• https://mysticmarvin.eu/vsphere-7-part-1-new-logic-for-vmotion/
• https://mysticmarvin.eu/vsphere-7-whats-new-in-a-nutshell/
• https://mysticmarvin.eu/vsan-best-practices-part-iii/
• https://mysticmarvin.eu/vxrail-7-software-released/