3 Replies Latest reply on Aug 1, 2020 12:10 PM by Raudi

    VMCA as a subordinate Certificate Authority

    Kesego Lurker

      Which certificates should be procured to enable a secure connection between a vCenter Server and local machines in an organization that already has a CA?

        • 2. Re: VMCA as a subordinate Certificate Authority
          dvandelaar Novice

          Hi,

          Depends on what you want to do and the security level you want to be on. I believe that nowadays the most common use for vSphere, VMCA and certificates is Hybrid Mode. This is a highly secure solution and pretty easy to implement. It basically means that on the 'outside' there are certificates signed by your company's CA. Normally this would be the FQDN(s) of your vCenter and, if applicable, the PSC(s). On the inside VMCA does its thing and takes care of the hosts and all other certificates.


          The above supersedes the 'VMCA as Subordinate' method when it comes to security; it also doesn't require you to mess with the VMCA root certificate.


          So I would recommend the Hybrid approach and just replace the certificates of your vCenter's and PSCs' outside FQDNs.


          There is some nice information on how this works and how to do this (walkthrough):

          https://blogs.vmware.com/vsphere/2017/01/walkthrough-hybrid-ssl-certificate-replacement.html

          https://featurewalkthrough.vmware.com/t/vsphere-6-5/ssl-certificate-replacement-hybrid-mode/1


          Hope this helps or gets you in the right direction!

          Kind regards

          • 3. Re: VMCA as a subordinate Certificate Authority
            Raudi Hot Shot

            Hello,


            In my view the hybrid config makes no sense, because the VMCA root certificate must be installed on the admin station too, for example to upload files to the datastore (the hosts' CA must be trusted). And if so, why should I replace the machine certificate? With the root certificate installed I have no error in my browser. The only reason can be to use an alternate name for the hostname (without FQDN) and the IP address, but starting with vSphere 7 this isn't working anymore; I can only use the FQDN to access the client.


            So use the VMware default certificates, publish these root certificates to the admin clients manually or with a GPO, or install the VMCA as a sub CA.


            The following are the steps I have noted to create a sub CA:


            In the VCSA shell start this tool: /usr/lib/vmware-vmca/bin/certificate-manager


            - Select option 2.

            - Answer all questions; the information will be used to generate the certificate request for the SubCA and later a new machine certificate.

            - Select option 1 to generate the certificate request.

            - Use the file to request a certificate in your CA; how to create a template in a Microsoft CA is described here: https://kb.vmware.com/s/article/2112009

            - Store the certificate on the VCSA and add the CA certificate to the file.

            - If the Certificate Manager is still open continue with the option "1" and enter the full path to the certificate files.

            - If the Certificate Manager isn't started, start it again, select option "2" again and answer the question to modify the certool.cfg with "N". Then select option "2" to install the certificate.


            All services will now be restarted.


            Then renew the certificates of the hosts; it is possible that the parameter "vpxd.certmgmt.certs.minutesBefore" in the vCenter config must be set from 1440 to 10.


            For renewing the certificates of a host, the host must not be in maintenance mode...


            Stefan