The VMware Certificate Service is part of the
Platform Services Controller (PSC)
Key Terms:
VMWare Certificate Authority (VMCA) – Certificate authority for vSphere components only. A single point of contact for vSphere Certificate needs. Issues certificates for VMware solution users, machine
certificates for machines on which services are running and ESXi host
certificates. Operates in the PSC. Certificates are managed by the certificate-manager utility.
VMware Endpoint Certificate Store (VECS) –
Serves as a local repository for certificates, private keys and other
certificate information. Runs in vCenter
Server Node.
Types Of Certificates Used by vSphere
- Machine Certificates- For Secure connections. This is what causes the web browser certificate warning if the certificate used is self signed. (ex. vSphere Web Client - vCenter server and external PSC have them)
- Solution user certificates - authentication of services to vCenter SSO. (ex vcenter service (vpxd))
- ESXi certificates – provisioned when the host is added to vCenter. Stored locally on ESXi host.
Certificate Deployment Types:
- VMCA Default – By default, the VMCA uses a self-signed root certificate. The VMCA is then the CA for all VMware components.
- VMCA Enterprise - The VMCA is used as a subordinate/Intermediate CA and is issued a subordinate CA signing certificate. It can now issue certificates that trust up to the enterprise CA’s root certificate. Not accepted by most security groups, since this poses a security risk.
- Custom Certificates – The VMCA is bypassed. Need to issue a enterprise/3rd party cert for every component. Must replace each certificate explicitly. Administrative nightmare!
- Hybrid - The VMCA supplies some of the certificates, but also uses custom certificates for other parts of the VMware infrastructure. As of the time of this writing, this is the RECOMMENDED approach.
In a vast majority of environments, the following hybrid deployment is the best fit.
Trusted Certificates are used for the Machine Certificates of the vCenter server and external PSC. The management interfaces are using a 3rd party/Corporate trusted CA. These are the most important certificates and is the only user-exposed certificates.
VMCA certificates are the used for the Solution user and ESXi certificates.
Added bonus, no more "Not Secure" warnings in your browser!
VMware KB regarding replacing machine certificates:
Fantastic VMWare Walkthrough for SSL cert replacement on your vCenter server and External PSC: