Disclaimer: I recently attended VMworld 2016 – US. My flights were paid for by myself, VMware provided me with a free pass to the conference and various bits of swag, and Tech Field Day picked up my hotel costs. There is no requirement for me to blog about any of the content presented and I am not compensated in any way for my time at the event. Some materials presented were discussed under NDA and don’t form part of my blog posts, but could influence future discussions.
Here are my notes on “INF8631 – VMware Certificate Management for Mere Mortals” presented by Adam Eckerle and Ryan Johnson. I didn’t get as many notes as I would have liked as I had some battery issues with my laptop. Things are a little different with certificate management in vSphere 6 so I was happy to be able to get along to this session.
- VMCA provides the Root certificate
- All vSphere certificates chain to VMCA
- Regenerate certificates on demand easily
- Replace VMCA CA certificate with a subordinate CA certificate from the Enterprise PKI
- Upon removal of the old VMCA CA certificate, all old certificates will be regenerated
- Disable VMCA as CA
- Provision your own custom certificates for each solution user and endpoint
- More complicated. For highly security conscious customers only
- Replacement of the Machine_SSL certificates
- VMCA for Hosts and Solution Users
- Very popular with high security customers
<Drive>:\Program Files\VMware\vCenter Server\vmcad\certficate-manager
VMware KB 2108294 – download trusted root CA certificates
VMCA as Enterprise CA Subordinate
Creating certificates for other things from VMCA is NOT supported and not recommended
Hybrid Approach Concepts
- Security – Custom certificates for the Web Client
- Operations – VMCA for everything else (User Solutions, ESX hosts)
And that’s all I got … but here are some links that may be useful.