VMware – VMworld 2016 – INF8631 – VMware Certificate Management for Mere Mortals

Disclaimer: I recently attended VMworld 2016 – US.  My flights were paid for by myself, VMware provided me with a free pass to the conference and various bits of swag, and Tech Field Day picked up my hotel costs. There is no requirement for me to blog about any of the content presented and I am not compensated in any way for my time at the event.  Some materials presented were discussed under NDA and don’t form part of my blog posts, but could influence future discussions.

vmworld-2016-hero-US_950

Here are my notes on “INF8631 – VMware Certificate Management for Mere Mortals” presented by Adam Eckerle and Ryan Johnson. I didn’t get as many notes as I would have liked as I had some battery issues with my laptop. Things are a little different with certificate management in vSphere 6 so I was happy to be able to get along to this session.

INF8631
Certificate replacement options for vCenter

VMCA Default

  • VMCA provides the Root certificate
  • All vSphere certificates chain to VMCA
  • Regenerate certificates on demand easily

VMCA Enterprise

  • Replace VMCA CA certificate with a subordinate CA certificate from the Enterprise PKI
  • Upon removal of the old VMCA CA certificate, all old certificates will be regenerated

Custom

  • Disable VMCA as CA
  • Provision your own custom certificates for each solution user and endpoint
  • More complicated. For highly security conscious customers only

Hybrid (Recommended)

  • Replacement of the Machine_SSL certificates
  • VMCA for Hosts and Solution Users
  • Very popular with high security customers

Appliance Deployment

/usr/lib/vmware-vmca/bin
./certificate-manager

Windows Deployment

<Drive>:\Program Files\VMware\vCenter Server\vmcad\certficate-manager

VMware KB 2108294 – download trusted root CA certificates
VMCA as Enterprise CA Subordinate

Creating certificates for other things from VMCA is NOT supported and not recommended
Hybrid Approach Concepts

  • Security – Custom certificates for the Web Client
  • Operations – VMCA for everything else (User Solutions, ESX hosts)

And that’s all I got … but here are some links that may be useful.