We are currently redesigning our internal vCenter servers, and we would therefore also be installing certificates on the vCenter, in order to bypass the browser certificate warning.
Over the past few years, we have had massive issues with using our own certificates, issued by our internal CA. Some have been due to human error, but we have also faced several bugs along the way that were later fixed with a hotfix from VMware.
Our environment has several "external products" connecting (Veeam, SCOM, etc.) that rely heavily on the certificate presented.
I'm therefore considering rolling out vCenter's own CA to our clients/servers that manage and connect to VMware, hoping that we would see fewer certificate issues in the future.
So what is the best practice, and which option would you recommend (VMware built-in CA vs. our own CA), based on your knowledge?
Thanks in advance 🙂
VMware certs are quite secure with SHA-256 and 2048 bits. With VMCA certs in use, you can use https://kb.vmware.com/s/article/2108294 to avoid that warning.
If only this warning is concerning, then just replace the machine SSL certs with a custom CA: https://kb.vmware.com/s/article/2112277
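The first option in the reply above (keep the VMCA-issued Machine SSL certificate and make clients trust the VMCA root) can be scripted for Windows clients and servers. The script below is an added example, not code from the thread or from VMware: it downloads the trusted-root bundle from the vCenter, prints the thumbprints so they can be confirmed out of band before anything is trusted, imports the root CA certificates into the local machine Trusted Root store, and then verifies that a TLS connection to the vCenter now validates. It assumes PowerShell 7 on Windows run elevated, and that the bundle URL `/certs/download.zip` and the `certs\win\*.crt` layout match what the linked KB describes; `$VCenter` is a placeholder for your vCenter FQDN.

```powershell
# Added example (not from the thread): trust the VMCA root on a Windows client/server
# and verify that the vCenter Machine SSL certificate now chains to a trusted root.
# Assumptions: PowerShell 7 on Windows, elevated; bundle path /certs/download.zip
# with certs\win\*.crt inside, as described in the KB article linked in the reply.
param(
    [Parameter(Mandatory = $true)] [string] $VCenter,   # placeholder, e.g. vcsa01.corp.example
    [string] $WorkDir = (Join-Path $env:TEMP 'vmca-roots')
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$zipPath = Join-Path $WorkDir 'download.zip'

# 1. Fetch the root bundle. This download necessarily happens before the VMCA root is
#    trusted, so certificate checking is skipped for this single request only. That is
#    why step 2 prints the thumbprints: confirm them out of band (for example against the
#    values shown in the vCenter appliance UI) before answering YES in step 3.
Invoke-WebRequest -Uri "https://$VCenter/certs/download.zip" -OutFile $zipPath -SkipCertificateCheck

# 2. Unpack and list the CA certificates in the bundle.
Expand-Archive -Path $zipPath -DestinationPath $WorkDir -Force
$rootFiles = Get-ChildItem -Path (Join-Path $WorkDir 'certs\win') -Filter '*.crt'
if (-not $rootFiles) { throw "No .crt files found under $WorkDir\certs\win" }

foreach ($file in $rootFiles) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $file.FullName
    '{0}  {1}  expires {2:yyyy-MM-dd}' -f $cert.Thumbprint, $cert.Subject, $cert.NotAfter
}

# 3. Import only after the thumbprints have been confirmed; this is a trust decision
#    for every TLS client on the machine, not just the vSphere Client in a browser.
$answer = Read-Host 'Thumbprints confirmed out of band? Type YES to import into LocalMachine\Root'
if ($answer -ne 'YES') { throw 'Import aborted; nothing was trusted.' }

foreach ($file in $rootFiles) {
    Import-Certificate -FilePath $file.FullName -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
}

# 4. Verify: a full TLS handshake against the vCenter with normal validation. SslStream
#    checks both the chain (against the machine store) and the hostname, and throws if
#    either fails, which is exactly the condition that produced the browser warning.
$tcp = New-Object System.Net.Sockets.TcpClient($VCenter, 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
try {
    $ssl.AuthenticateAsClient($VCenter)
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
    "OK: $VCenter presents '$($leaf.Subject)' issued by '$($leaf.Issuer)'; chain and hostname validate."
}
finally {
    $ssl.Dispose()
    $tcp.Dispose()
}
```

Run it once per machine (or push the `.crt` files through a GPO certificate policy after confirming them on one machine). Step 4 is the check worth keeping as a standalone health test: the external products mentioned in the question (Veeam, SCOM) are ordinary TLS clients of the same endpoint, so if this handshake fails after a certificate change, they will fail too.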
Thanks for the message.
I'm aware that both options are usable, but I wanted to know, from real-life scenarios, what the best option is.
But it sounds like using our Windows CA infrastructure is the best way to go from here.
Hi, it is difficult to say what's the best option...
If you use custom certificates with your CA as the root CA, they will be trusted within your environment. You may need to re-establish trust between your vSphere/vRealize products, and you will no longer receive SSL warnings in your browser.
Also, some companies demand that all self-signed certificates be replaced for extended security. I would recommend you use custom certificates instead of self-signed ones.