By default, vSphere 6.5 uses TLS/SSL certificates that are signed by the VMware Certificate Authority (VMCA). End-user devices and browsers do not trust these certificates by default. It is a security best practice to replace at least the user-facing certificates with certificates that are signed by a third-party or enterprise Certificate Authority (CA). Certificates for machine-to-machine communication can remain VMCA-signed.

| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| ROBO-VI-VC-020 | Replace the vCenter Server machine certificate with a certificate signed by a 3rd party Public Key Infrastructure. | Infrastructure administrators connect to vCenter Server by way of a Web browser to perform configuration, management and troubleshooting activities. Certificate warnings result with the default certificate. | Replacing and managing certificates is an operational overhead. |
| ROBO-VI-VC-021 | Use a SHA-2 or higher algorithm when signing certificates. | The SHA-1 algorithm is considered less secure and has been deprecated. | Not all certificate authorities support SHA-2. |
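
One way to audit a replacement certificate against ROBO-VI-VC-021 is to read the signature algorithm straight out of its DER encoding. The following is an added example, not VMware code: the function names are hypothetical, and the sample certificates are constructed skeletons rather than real certificates.

```python
SIG_ALGS = {  # signature algorithm OID -> (name, True if SHA-2 family)
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", False),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", True),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", True),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", True),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", True),
}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode DER OBJECT IDENTIFIER content bytes into dotted form."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for byte in body[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:            # high bit clear marks the last byte of an arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def check_signature_hash(cert_der):
    """Return (oid, name, compliant) for a DER-encoded X.509 certificate."""
    outer, cert, _ = read_tlv(cert_der, 0)   # Certificate ::= SEQUENCE {
    _, _, pos = read_tlv(cert, 0)            #   tbsCertificate (skipped),
    _, alg, _ = read_tlv(cert, pos)          #   signatureAlgorithm, signatureValue }
    tag, oid_body, _ = read_tlv(alg, 0)
    if outer != 0x30 or tag != 0x06:
        raise ValueError("not an X.509 certificate structure")
    oid = decode_oid(oid_body)
    name, ok = SIG_ALGS.get(oid, ("unknown", False))  # unlisted algorithms fail closed
    return oid, name, ok

def sample_cert(oid_hex):
    """Constructed skeleton: stub TBS, AlgorithmIdentifier, dummy signature bits."""
    tlv = lambda tag, body: bytes([tag, len(body)]) + body  # short-form lengths only
    alg = tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)) + b"\x05\x00")
    return tlv(0x30, tlv(0x30, b"\x02\x01\x01") + alg + tlv(0x03, b"\x00\xaa\xbb"))

if __name__ == "__main__":
    for oid_hex in ("2a864886f70d010105", "2a864886f70d01010b"):  # SHA-1, SHA-256
        print(check_signature_hash(sample_cert(oid_hex)))
```

For a PEM file, convert it first with the standard library's `ssl.PEM_cert_to_DER_cert()` and pass the resulting bytes to `check_signature_hash()`.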