ksl281
Contributor
Contributor

Custom certificate vs VMware issued certificates

Hi,

 

We are currently redesigning our internal vCenter servers, and we would therefor also be installing certificates on the vCenter, in order to bypass the browser certificate warning.

 

Over the past few years, we have had massive issues with using our own certificates, issued by our internal CA. Some have been due to human errors, but we have also been facing several bugs along the way, that have been fixed later on with an hotfix from VMware.

Our environment have several "external products" connecting (Veeam, SCOM, etc), that relies heavily on the certificate presented.

 

Im therefor considering rolling out the vCenters own CA, to our clients / servers, that manages and connects to VMware - hoping that we would see less certificate issues in the future. 

How to download and install vCenter Server root certificates to avoid Web Browser certificate warnin...

 

So what is the best practice, and what option would you recommend using (VMware built-in CA vs our own CA), based on your knowledge?

 

Thanks in advance 🙂 

Labels (2)
0 Kudos
3 Replies
Ajay1988
VMware Employee
VMware Employee

VMware certs are quite secure with sha256 and 2048 bits . With VMCA certs in use ; u can use https://kb.vmware.com/s/article/2108294 to avoid that warning.

If only this warning is concerning ; then just replace machine ssl certs with custom CA https://kb.vmware.com/s/article/2112277

If you think your queries have been answered
Mark this response as "Correct" or "Helpful".

Regards,
AJ
0 Kudos
ksl281
Contributor
Contributor

Hi,

 

Thanks for the message.

Im aware that both options are usable, but i wanted to know from real life scenarioes, what the best option is.

But it sounds like using our Windows CA infrastructure, is the best way to go from here.

0 Kudos
leka85
Contributor
Contributor

Hi, it is difficult to say what's the best option...

If you use custom certificates with your CA as root CA, they will be trusted within your environment. You may need to re-establish trust between your vSphere/vRealize products, and you will no more receive SSL warnings in your browser.

Also, some companies demand that all self-signed certificates need to be replaced for extended security. I would recommend you to use custom certificates instead of self-signed.