For certificates that are issued from the VMCA (talking 6.0/6.5), is there a way to specify the maximum validity period of the certificate that the VMCA hands out? Just wondering if this can be adjusted lower.
Thank you!
If you're making the VMCA a sub-CA, then you should be able to specify that in the issuing CA's delegation cert. Otherwise, for just internal issuance, I'm not sure there's a parameter that controls such behavior.
Sure, the parameter is vpxd.certmgmt.certs.daysValid under vCenter Server > Configure > Advanced Settings.
Thanks Adam Eckerle and daphnissov !
I did see this for the hosts within vCenter after posting the thread. However, there doesn't seem to be a way to control this for the PSC Machine Cert nor the cert vCenter gets from the VMCA. Once we get down to vCenter... there do seem to be controls for the hosts.
I'm wondering if it's possible to actually do it more so on the PSC Machine certificate and the vCenter cert that it gets from the PSC. I tried today. I got the internal CA cert chain done (which has a validity period of 5 years, as we do not expect this solution to be around in 5 years) and loaded it into the VMCA. It was successful. During that load, it goes through and issues a Machine cert to that same PSC. The cert was issued for the same validity period as the VMCA cert. And due to regulations, we need the cert validity period to be 3 years or less on all devices. What I didn't want to have happen was for the VMCA certs to expire at the same time as the PSC Machine certs and vCenter certs.
Below is the cert... I know I had to black out the Issued By... but I can validate that it was indeed the VMCA. You can see it chucked it out to the PSC's Machine Cert as 5 years.
It does appear I can force days into the CSR with openssl.
openssl x509 -req -days 1094 -in /certs/psc_ha_vip.csr -out /certs/psc_ha_vip.crt -CA /var/lib/vmware/vmca/root.cer -CAkey /var/lib/vmware/vmca/privatekey.pem -extensions v3_req -CAcreateserial -extfile /certs/psc_ha_csr_cfg.cfg
So I was able to get the PSC Machine Cert to less than 3 years. But vCenter will be the next hurdle as that will probably end up with a 5 year cert.
I really wish there was a way to just tell VMCA to only issue 3 year certs.
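Following the openssl approach from the posts above, here is an added shell example (not from anyone in the thread) that signs a CSR with the shortened -days value the poster used, then measures each resulting cert's lifetime so a cert issued at the root's full 5-year term can be caught before it is deployed. The scratch directory, key names, subjects and the stand-in root CA are all constructed for the demo; GNU date and openssl are assumed.

```shell
#!/bin/sh
# Added example (not from the thread): verify certificate lifetimes against
# a "3 years or less" ceiling. Everything below is built in a scratch dir.
set -eu

WORK="$(mktemp -d)"
MAX_DAYS=1095   # policy ceiling from the thread: 3 years or less

# Print a certificate's lifetime in whole days (notAfter - notBefore).
cert_validity_days() {
    start="$(openssl x509 -noout -startdate -in "$1" | sed 's/^notBefore=//')"
    end="$(openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//')"
    s="$(date -u -d "$start" +%s)"
    e="$(date -u -d "$end" +%s)"
    echo $(( (e - s) / 86400 ))
}

# Exit status 0 if the cert's lifetime is within MAX_DAYS, 1 otherwise.
cert_within_policy() {
    days="$(cert_validity_days "$1")"
    [ "$days" -le "$MAX_DAYS" ]
}

# Stand-in for the 5-year internal root loaded into the VMCA (constructed).
openssl req -x509 -newkey rsa:2048 -nodes -days 1825 \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" \
    -subj "/CN=Constructed Test Root" >/dev/null 2>&1

# One CSR for a hypothetical PSC machine cert (constructed subject).
openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORK/psc.key" -out "$WORK/psc.csr" \
    -subj "/CN=psc.example.test" >/dev/null 2>&1

# short.crt: signed the way the poster did, forcing -days 1094 into the CSR.
openssl x509 -req -days 1094 -in "$WORK/psc.csr" -out "$WORK/short.crt" \
    -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial >/dev/null 2>&1

# long.crt: what the VMCA handed out, i.e. the root's full 5-year term.
openssl x509 -req -days 1825 -in "$WORK/psc.csr" -out "$WORK/long.crt" \
    -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial >/dev/null 2>&1

# Report each cert against the policy ceiling.
for name in short long; do
    if cert_within_policy "$WORK/$name.crt"; then
        echo "$name.crt: $(cert_validity_days "$WORK/$name.crt") days - within policy"
    else
        echo "$name.crt: $(cert_validity_days "$WORK/$name.crt") days - EXCEEDS $MAX_DAYS days"
    fi
done
```

Point cert_within_policy at the PSC Machine Cert or vCenter cert files after a VMCA issuance to confirm the shortened term actually took effect.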