https://communities.vmware.com/t5/VMware-vSphere-Discussions/Validity-Period-of-VMCA-Certificates/m-p/939648#M11077 <HTML><HEAD></HEAD><BODY><P>Sure, the parameter is vpxd.certmgmt.certs.daysValid under vCenter Server &gt; Configure &gt; Advanced Settings<span class="lia-inline-image-display-wrapper" image-alt="2018-04-26_15-08-35.png"><img src="https://communities.vmware.com/t5/image/serverpage/image-id/81424i97B6D755CCF72299/image-size/large?v=v2&amp;px=999" role="button" title="2018-04-26_15-08-35.png" alt="2018-04-26_15-08-35.png" /></span></P></BODY></HTML> Thu, 26 Apr 2018 19:10:15 GMT vmEck 2018-04-26T19:10:15Z https://communities.vmware.com/t5/VMware-vSphere-Discussions/Validity-Period-of-VMCA-Certificates/m-p/939646#M11075 <HTML><HEAD></HEAD><BODY><P>For certificates that are issued from the VMCA (talking 6.0/6.5), is there a way to specify the maximum validity period of the certificate that the VMCA hands out? Just wondering if this can be adjusted lower.</P><P></P><P>Thank you!</P></BODY></HTML> Wed, 25 Apr 2018 23:33:39 GMT https://communities.vmware.com/t5/VMware-vSphere-Discussions/Validity-Period-of-VMCA-Certificates/m-p/939646#M11075 mamoth100 2018-04-25T23:33:39Z https://communities.vmware.com/t5/VMware-vSphere-Discussions/Validity-Period-of-VMCA-Certificates/m-p/939647#M11076 <HTML><HEAD></HEAD><BODY><P>If you're making the VMCA a sub-CA, then you should able to specify that in the issuing CA's delegation cert. Otherwise, for just internal issuance, I'm not sure there's a parameter that controls such behavior.</P></BODY></HTML> Thu, 26 Apr 2018 16:46:47 GMT https://communities.vmware.com/t5/VMware-vSphere-Discussions/Validity-Period-of-VMCA-Certificates/m-p/939647#M11076 daphnissov 2018-04-26T16:46:47Z https://communities.vmware.com/t5/VMware-vSphere-Discussions/Validity-Period-of-VMCA-Certificates/m-p/939648#M11077 <HTML><HEAD></HEAD><BODY><P>Sure, the parameter is vpxd.certmgmt.certs.daysValid under vCenter Server &gt; Configure &gt; Advanced Settings<span class="lia-inline-image-display-wrapper" image-alt="2018-04-26_15-08-35.png"><img src="https://communities.vmware.com/t5/image/serverpage/image-id/81424i97B6D755CCF72299/image-size/large?v=v2&amp;px=999" role="button" title="2018-04-26_15-08-35.png" alt="2018-04-26_15-08-35.png" /></span></P></BODY></HTML> Thu, 26 Apr 2018 19:10:15 GMT https://communities.vmware.com/t5/VMware-vSphere-Discussions/Validity-Period-of-VMCA-Certificates/m-p/939648#M11077 vmEck 2018-04-26T19:10:15Z https://communities.vmware.com/t5/VMware-vSphere-Discussions/Validity-Period-of-VMCA-Certificates/m-p/939649#M11078 <HTML><HEAD></HEAD><BODY><P>Thanks <A _jive_internal="true" data-avatarid="10951" data-externalid="" data-online="false" data-presence="null" data-userid="1971993" data-username="vmEck" href="https://communities.vmware.com/people/vmEck" name="&amp;amp;lpos=apps_scodevmw : 111" style="font-weight: bold; font-family: proxima-nova, Arial, sans-serif; color: inherit;">Adam Eckerle</A> and <B>daphnissov</B> !</P><P></P><P>I did see this for the hosts within vCenter after posting the thread. However, there doesn't seem to be a way to control this for the PSC Machine Cert nor the cert vCenter gets from the VMCA. Once we get down to vCenter... there do seem to be controls for the hosts.</P><P></P><P>I'm wondering if it's possible to actually do it more so on the PSC Machine certificate and the vCenter cert that it gets from the PSC. I tried today. I got the internal CA cert chain done (which has a validity period of 5 years.. as we do not expect this solution to be around in 5 years) and loaded it into the VMCA. It was successful. During that load, it goes through and issues a Machine cert to that same PSC. The cert was issues for the same validity period as the VMCA cert. And due to regulations, we need the cert validity period to be 3 years or less on all devices. What I didn't want to have happen was the VMCA certs expire at the same time the PSC Machine certs and vCenter certs.</P><P></P><P>Below is the cert... I know I had to black out the Issued By... but I can validate that it was indeed the VMCA. You can see it chucked it out to the PSC's Machine Cert as 5 years.</P><P></P><P><span class="lia-inline-image-display-wrapper" image-alt="pastedImage_2.png"><img src="https://communities.vmware.com/t5/image/serverpage/image-id/81421iBC8C72CAFCF64FBF/image-size/large?v=v2&amp;px=999" role="button" title="pastedImage_2.png" alt="pastedImage_2.png" /></span></P></BODY></HTML> Fri, 27 Apr 2018 00:39:28 GMT https://communities.vmware.com/t5/VMware-vSphere-Discussions/Validity-Period-of-VMCA-Certificates/m-p/939649#M11078 mamoth100 2018-04-27T00:39:28Z https://communities.vmware.com/t5/VMware-vSphere-Discussions/Validity-Period-of-VMCA-Certificates/m-p/939650#M11079 <HTML><HEAD></HEAD><BODY><P>It does appear I can force days into the CSR with openssl.</P><P></P><P>openssl x509 -req <STRONG>-days 1094</STRONG> -in /certs/psc_ha_vip.csr -out /certs/psc_ha_vip.crt -CA /var/lib/vmware/vmca/root.cer -CAkey /var/lib/vmware/vmca/privatekey.pem -extensions v3_req -CAcreateserial -extfile /certs/psc_ha_csr_cfg.cfg</P><P></P><P>So I was able to get the PSC Machine Cert to less than 3 years. But vCenter will be the next hurdle as that will probably end up with a 5 year cert.</P><P></P><P>I really wish there was a way to just tell VMCA to only issue 3 year certs.</P></BODY></HTML> Fri, 27 Apr 2018 02:01:27 GMT https://communities.vmware.com/t5/VMware-vSphere-Discussions/Validity-Period-of-VMCA-Certificates/m-p/939650#M11079 mamoth100 2018-04-27T02:01:27Z