VMware Networking Community
paul083
Contributor

Certificates for hosts in NSX

Hi

I know that the communication between the NSX Controller and the ESXi hosts uses certificates. I have the following questions:

1. Do we have the flexibility to use an existing PKI infrastructure for enrolling certs on the hosts?

2. Can we use self-signed certs? Do we have to perform any manual steps, or does NSX Manager automatically provision the self-signed certs on the hosts?

3. What is the default/recommendation by NSX: CA-based certs or self-signed certs?

Any help will be really helpful.

Thanks

Anirban

3 Replies
rbenhaim
Enthusiast

1. As far as I know, using an external CA for host preparation and for communication between NSX components is not possible today.

2. In version 6.0 you need to turn on SSL communication with an API call. Starting from 6.1, SSL is on by default.

3. By default this is a self-signed certificate.

chunchitng
Enthusiast

Communication between NSX and ESXi should be based on the cert installed on ESXi, self-signed or CA-signed.

The cert on the NSX is for communication between your computer and the NSX Manager.

rbenhaim
Enthusiast

There are two different SSL communications related to NSX Manager.

Administrator web browser to NSX Manager:

Login to NSX Manager with a web browser.

This communication by default works with SSL between the browser and NSX Manager.

The certificate is self-signed and can be replaced with an external certificate from an external CA.

NSX Manager to ESXi + Controllers:

From the NSX design guide 2.1:

"The NSX Manager also ensures security of the control plane communication of the NSX architecture by creating self-signed certificates for the nodes of the controller cluster and for each ESXi host that should be allowed to join the NSX domain.

The NSX Manager installs those certificates to the ESXi hosts and the NSX Controller(s) over a secure channel; after that, mutual authentication of NSX entities occurs by verifying the certificates. Once this mutual authentication is completed, control plane communication is encrypted.

Note: in NSX-v software release 6.0, SSL is disabled by default. In order to ensure confidentiality of the control-plane communication, it is recommended to enable SSL via an API call. From the 6.1 release the default value is changed and SSL is enabled."

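The replies above say the NSX Manager web certificate ships self-signed and can be swapped for one from an external CA, but nobody shows how to tell which one you are actually looking at. The script below is an added example, not code from the thread or from VMware: it pulls the certificate a server presents (or takes a PEM you already saved) and reports whether the issuer name is identical to the subject name, which is the signature of a self-signed certificate. It is stdlib only (no `cryptography` package) and so carries a minimal DER walker that understands just enough of RFC 5280 to reach the two Name fields. The hostname `nsxmgr.lab.example`, the CA name `Lab Root CA` and the `build_test_cert` helper that fabricates a structurally valid but unsigned certificate for offline testing are all constructed for this example.

```python
"""Report whether an X.509 certificate is self-signed (issuer == subject).
Added example; stdlib only. Hostnames and the test-certificate builder are
constructed for illustration, not taken from NSX documentation."""
import ssl
import sys

# DER-encoded attribute OIDs (content bytes only) -> RFC 4514 short names
OID_CN = b"\x55\x04\x03"
OID_O = b"\x55\x04\x0a"
OID_OU = b"\x55\x04\x0b"
OID_C = b"\x55\x04\x06"
_ATTR_NAMES = {OID_CN: "CN", OID_O: "O", OID_OU: "OU", OID_C: "C",
               b"\x55\x04\x08": "ST", b"\x55\x04\x07": "L"}


def _tlv(buf, pos):
    """Decode one DER tag-length-value at `pos`; return (tag, value, end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(content):
    """Split a constructed element's content into (tag, value, raw_tlv) triples."""
    out, pos = [], 0
    while pos < len(content):
        tag, value, end = _tlv(content, pos)
        out.append((tag, value, content[pos:end]))
        pos = end
    return out


def _decode_name(name_content):
    """Render a DER Name (SEQUENCE OF SET OF AttributeTypeAndValue) as 'CN=x,O=y'."""
    parts = []
    for _, rdn, _ in _children(name_content):          # each RDN is a SET
        for _, atv, _ in _children(rdn):                # each ATV is SEQUENCE {OID, value}
            oid_el, val_el = _children(atv)[:2]
            label = _ATTR_NAMES.get(oid_el[1], oid_el[1].hex())
            parts.append(f"{label}={val_el[1].decode('utf-8', 'replace')}")
    return ",".join(parts)


def inspect_der(der_bytes):
    """Return subject, issuer and a self-signed flag for a DER certificate."""
    _, cert, _ = _tlv(der_bytes, 0)                     # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)                           # tbsCertificate is its first child
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                            # optional explicit [0] version
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    issuer, subject = fields[2], fields[4]
    return {"subject": _decode_name(subject[1]),
            "issuer": _decode_name(issuer[1]),
            "self_signed": issuer[2] == subject[2]}     # byte-identical Name encodings


def inspect_pem(pem_text):
    return inspect_der(ssl.PEM_cert_to_DER_cert(pem_text))


# ---- constructed test certificate (dummy algorithm, key and signature) ----
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _name(attrs):
    # one single-attribute RDN per entry: SET { SEQUENCE { OID, UTF8String } }
    return _der(0x30, b"".join(
        _der(0x31, _der(0x30, _der(0x06, oid) + _der(0x0C, val.encode()))) for oid, val in attrs))


def build_test_cert(subject, issuer):
    """Structurally valid but unsigned certificate, for offline testing only."""
    rsa_enc = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))
    sha256_rsa = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
    validity = _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"250101000000Z"))
    spki = _der(0x30, rsa_enc + _der(0x03, b"\x00" * 17))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + sha256_rsa
               + _name(issuer) + validity + _name(subject) + spki)
    return _der(0x30, tbs + sha256_rsa + _der(0x03, b"\x00" * 17))


if __name__ == "__main__":
    # e.g. python3 check_selfsigned.py nsxmgr.lab.example  (hypothetical host)
    host = sys.argv[1] if len(sys.argv) > 1 else "nsxmgr.lab.example"
    # get_server_certificate does not verify the chain, so a self-signed cert is fine
    print(inspect_pem(ssl.get_server_certificate((host, 443))))
```

Two caveats for anyone using this on a real NSX Manager: identical issuer and subject is the usual fingerprint of a self-signed certificate, but strictly it only proves the names match; to be certain, verify the signature with the certificate's own public key (`openssl verify -CAfile cert.pem cert.pem` does that). And the script inspects only the certificate presented on TCP 443, i.e. the browser-to-NSX-Manager leg discussed above; the control-plane certificates NSX Manager pushes to the hosts and controllers are not exposed on that port.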