VCP 6 Study Note – Security Certificate

vSphere components use SSL to communicate securely with each other and with ESXi and is also used by vCenter services such as the vSphere Web Client for initial authentication to vCenter Single Sign-On.

In vSphere >= 6.0, the VMware Certificate Authority (VMCA) provisions each ESXi host and each vCenter Server service with a certificate that is signed by VMCA by default.


Certificate replacement approaches:

  • Using PSC controller web interface (vSphere >= 6.0u1 )
  • Using vSphere Certificte manager utility
  • Using CLI commands (certool, vecs-cli, dir-cli, service-control)


No VMware Certificate replacement:

  • VMCA handle all certificate management
  • VMCA provisions vCenter Server components and ESXi hosts with certificates that use VMCA as the root certificate authority
  • during upgrade to >= 6.0 all self-signed certificates are replaced with certificates that are signed by VMCA

Replace VMware certificates with custom certificate:

  • Replace the VMCA root certificate with a CA-signed certificate
    • VMCA certificate is an intermediate certificate of this third-party CA
    • VMCA provisions vCenter Server components and ESXi hosts with certificates that include the full certificate chain
  • explicitly replace certificates
    • use the vSphere Certificate Manager utility or perform manual certificate replacement using the certificate management CLIs

When upgrading an environment that uses custom certificates, you can retain some of the certificates:

  • ESXi hosts keep their custom certificates during upgrade
    • vCenter Server upgrade process adds all the relevant root certificate to the TRUSTED_ROOTS store in VECS on the vCenter Server
    • After the vCenter Server upgrade, administrators can set the certificate mode to Custom
    • If certificate mode is VMCA, the default, and the user performs a certificate refresh from the vSphere Web Client, the VMCA-signed certificates replace the custom certificates
  • For vCenter Server components:
    • If you upgrade a simple installation to an embedded deployment, vCenter Server custom certificates are retained
    • upgrade a multi-site deployment where vCenter Single Sign-On is on a different machine than other vCenter Server components, the upgrade process creates a multi-node deployment that includes a Platform Services Controller node and one or more management nodes
      • existing vCenter Server and vCenter Single Sign-On certificates are retained and used as machine SSL certificates
      • VMCA assigns a VMCA-signed certificate to each solution user

Supported vCenter Certificates:

  • VMCA generated certificates
  • Custom certificates
    • enterprise certs generated by internal PKI
    • 3rd-party CA-singed certificates generated by external PKI like Verisign, GoDaddy,…


Certificate replacement

Several options:

  • Replace with VMCA signed
    • use the certificate management CLIs to perform that process
    • VMCA root certificate expires after ten years, and all certificates that VMCA signs expire when the root certificate expires, that is, after a maximum of ten years
  • Certificates Signed by VMCA Are Stored in VECS
  • Make VMCA an Intermediate CA (VMCA root certificate and certificate signed by enterprise CA or 3rd-party)
  • 3rd-party or Enterprise CA with VMCA Intermediate CA
  • Custom certificates (don’t use VMCA)
  • External CA stored in VECS
  • Hybrid Deployemnet (eg: VMCA for SSO and custom certificate for machine SSL traffic)
    • VMCA supply some of the certificates
    • use custom certificates for other parts of your infrastructure
  • ESXi certificate replacement
    • VMware Certificate authority mode: default, VMCA issue certificates for the hosts
    • Custom certificate auth mode: manually update and use certificates that are not signed or issued by VMCA
    • Thumbprint mode: Can be used to retain 5.5 certificates during refresh. Use this mode only temporarily in debugging situations


Certificate location

  • ESXi certs:
    • Provisioned by VMCA (default)
    • Stored Locally on ESXi host (/etc/vmware/ssl directory )
  • Machine SSL certs (The certificate is used for server verification and for secure communication such as HTTPS or LDAPS):
    • Provisioned by VMCA (default)
    • Stored in VECS
    • Used by:
      • reverse proxy service on each Platform Services Controller node
      • vCenter service (vpxd) on management nodes and embedded nodes
      • VMware Directory Service (vmdir) on infrastructure nodes and embedded nodes
  • Solution user certs
    • Provisioned by VMCA (default)
    • Stored in VECS
    • The following solution user certificate stores are included in VECS on each management node and each embedded deployment:
      • machine: Used by component manager, license server, and the logging service
      • vpxd: vCenter service daemon (vpxd) store on management nodes and embedded deployments
      • vpxd-extensions: vCenter extensions store
      • vsphere-webclient: vSphere Web Client store
  • vCenter SSO signing cert
    • Provisioned during installation
    • Manage only from vSphere client (don’t change in filesystem )
  • VMware Directory Service (vmdir) SSL cert
    • Provisioned during installation
    • In certain corner cases, you might have to replace this certificate

Custom certificate Requirements

  • Key size: 2048 bits or more (PEM encoded)
  • PEM format. VMware supports PKCS8 and PKCS1 (RSA keys). When keys are added to VECS, they are converted to PKCS8
  • x509 v3
  • Root certs:
    • CA extension must be set to true
    • cert sign must be in the list of requirements
  • SubjectAltName must contain DNS Name=<machine_FQDN>
  • CRT Format
  • Contains the following Key Usages: Digital Signature, Non Repudiation, Key Encipherment

VECS (VMware Endpoint Certificate Store)

VMware Endpoint Certificate Store (VECS) serves as a local (client-side) repository for certificates, private keys, and other certificate information that can be stored in a keystore. VECS runs as part of the VMware Authentication Framework Daemon (VMAFD).

Stores in VECS:

  • Machine SSL store (MACHINE_SSL_CERT)
  • Trusted root store (TRUSTED_ROOTS)
  • Solution user stores
    • machine
    • vpxd
    • vpxd-extensions
    • vsphere-webclient
  • vSphere Certificate Manager Utility backup store (BACKUP_STORE)
  • Other stores


Managing Certificate

  • PSC
    • view and manage certificates by logging in to the Platform Services Controller web interface
    • can perform these tasks:
      • View the current certificate stores and add and remove certificate store entries
      • view VMCA associated with PSC
      • view certs generated by VMCA
      • renew existing certificate
  • vSphere cert manager utility
    • The vSphere Certificate Manager utility allows you to perform most certificate management tasks interactively from the command line
    • Windows: C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager.bat
    • Linux: /usr/lib/vmware-vmca/bin/certificate-manager
  • Manual replacement
    • For certain parts of manual certificate replacement, you must stop all services and then start only the services that manage the certificate infrastructure
    • Replace Existing VMCA-Signed Certificates With New VMCA-Signed Certificates
      • generate new root certificate (with certool cli)
      • replace machine ssl certs with VMCA-Signed certs
      • replace solution user certs with new VMCA-Signed certs
      • Replace vmdir certs in mixed mode environments
    • Use VMCA as an Intermediate Certificate Authority
      • replace Root Certs (intermediate CA)
      • replace machine ssl certs (intermediate CA)
      • replace solution user certs (intermediate CA)
      • replace vmdir service certs
      • Replace vmdir certs in mixed mode environments
    • Use Third-Party Certificates With vSphere
      • request certificate and import root CA
      • replace machine SSL certs with custom certs
      • replace solution user certs with custom certs
      • replace vmdir service certificate
      • Replace vmdir certs in mixed mode environments
  • CLI commands
    • allows you to manage VMCA ( VMware Certificate Authority), VECS (VMware Endpoint Certificate Store), and VMware Directory Service (vmdir)
    • certool –> generate and manage certs and keys (part of VMCA)
    • vecs-cli –> manage the contest of VECS (part of VMAFD)
    • dir-cli –> create and update certs in vmdir (part of VMAFD)
    • service-control –> start-stop services (part in certificate replacement)
    • Locations:
      • Windwos –> C:\Program Files\VMware\vCenter Server\vmafdd\
      • Linux –> usr/lib/vmware-vmafd/bin/
   Send article as PDF