Different types of certificates are used for different purposes in your vSphere environment.

SAML Tokens Issued by vCenter Single Sign-On STS Service

STS certificates enable a user who has logged on through vCenter Single Sign-On to use any vCenter service that vCenter Single Sign-On supports without authenticating to each one. The STS service issues Security Assertion Markup Language (SAML) tokens. These security tokens represent the identity of a user in one of the identity source types supported by vCenter Single Sign-On. See How vCenter Single Sign-On Protects Your Environment.

The vCenter Single Sign-On service deploys an Identity Provider that issues the SAML tokens used throughout vSphere for authentication. A SAML token is a piece of XML that represents the user's identity (user name, first name, last name). In addition, the SAML token contains group membership information, so it can also be used for authorization decisions. When vCenter Single Sign-On issues a SAML token, it signs the token with its certificate chain so that clients of vCenter Single Sign-On can verify that the token comes from a trusted source.

SSL Certificates

SSL certificates secure communication throughout your vSphere environment. The client verifies the authenticity of the certificate presented during the SSL handshake phase, before encryption. This verification protects against man-in-the-middle attacks.

VMware products use standard X.509 version 3 (X.509v3) certificates to encrypt session information that is sent over Secure Sockets Layer (SSL) protocol connections between components.

vSphere components include default certificates. You can replace the default certificates with self-signed or CA-signed certificates. For the vCenter core components, you can use the Certificate Automation Tool.

SSH Keys

SSH keys control access to ESXi hosts over the Secure Shell (SSH) protocol. See Uploading an SSH Key to Your ESXi Host.

Cipher Strength

To encrypt data, the sending component, such as a gateway or redirector, applies cryptographic algorithms, or ciphers, to alter the data before transmitting it. The receiving component uses a key to decrypt the data, returning it to its original form. Several ciphers are in use, and the level of security that each provides is different. One measure of a cipher’s ability to protect data is its cipher strength—the number of bits in the encryption key. The larger the number, the more secure the cipher.

Administrators specify the desired cipher strength when they prepare a certificate request. Company policy might dictate the cipher strength that the administrator chooses.

256-bit AES encryption and 1024-bit RSA for key exchange are the default for the following connections.

  • vSphere Web Client connections to vCenter Server and to ESXi through the management interface.
  • SDK connections to vCenter Server and to ESXi.
  • Connections to the virtual machine console.
  • Direct SSH connections to ESXi.