Certificate requirements depend on whether you use VMCA as an intermediate CA or you use custom certificates. Requirements are also different for machine certificates and for solution user certificates.

Before you begin, ensure that all nodes in your environment are time synchronized.

Requirements for All Imported Certificates

  • Key size: 2048 bits or more (PEM encoded)

  • PEM format. VMware supports PKCS8 and PKCS1 (RSA keys). When you add keys to VECS, they are converted to PKCS8.

  • x509 version 3

  • SubjectAltName must contain DNS Name=machine_FQDN

  • CRT format

  • Contains the following Key Usages: Digital Signature, Non-Repudiation, Key Encipherment.

  • Client Authentication and Server Authentication cannot be present under Enhanced Key Usage.

VMCA does not support the following certificates.

  • Certificates with wildcards

  • The algorithms md2WithRSAEncryption 1.2.840.113549.1.1.2, md5WithRSAEncryption 1.2.840.113549.1.1.4, and sha1WithRSAEncryption 1.2.840.113549.1.1.5 are not recommended.

  • The algorithm RSASSA-PSS with OID 1.2.840.113549.1.1.10 is not supported.

Certificate Compliance to RFC 2253

The certificate must be in compliance with RFC 2253.

If you do not generate CSRs using Certificate Manager, ensure that the CSR includes the following fields.

String

X.500 AttributeType

CN

commonName

L

localityName

ST

stateOrProvinceName

O

organizationName

OU

organizationalUnitName

C

countryName

STREET

streetAddress

DC

domainComponent

UID

userid

If you generate CSRs using Certificate Manager, you are prompted for the following information, and Certificate Manager adds the corresponding fields to the CSR file.

  • The password of the administrator@vsphere.local user, or for the administrator of the vCenter Single Sign-On domain that you are connecting to.

  • If you are generating a CSR in an environment with an external Platform Services Controller, you are prompted for the host name or IP address of the Platform Services Controller.

  • Information that Certificate Manager stores in the certool.cfg file. For most fields, you can accept the default or provide site-specific values. The FQDN of the machine is required.

    • Password for administrator@vsphere.local.

    • Two-letter country code

    • Company name

    • Organization name

    • Organization unit

    • State

    • Locality

    • IP address (optional)

    • Email

    • Host name, that is, the fully qualified domain name of the machine for which you want to replace the certificate. If the host name does not match the FQDN, certificate replacement does not complete correctly and your environment might end up in an unstable state.

    • IP address of Platform Services Controller if you are running the command on a vCenter Server (management) node

Requirements When Using VMCA as an Intermediate CA

When you use VMCA as an intermediate CA, the certificates must meet the following requirements.

Certificate Type

Certificate Requirements

Root certificate

  • You can use vSphere Certificate Manager to create the CSR. See Generate CSR with vSphere Certificate Manager and Prepare Root Certificate (Intermediate CA)

  • If you prefer to create the CSR manually, the certificate that you send to be signed must meet the following requirements.

    • Key size: 2048 bits or more

    • PEM format. VMware supports PKCS8 and PKCS1 (RSA keys). When keys are added to VECS, they are converted to PKCS8

    • x509 version 3

    • If you are using custom certificates, the CA extension must be set to true for root certificates, and cert sign must be in the list of requirements.

    • CRL signing must be enabled.

    • Enhanced Key Usage must not contain Client Authentication or Server Authentication.

    • No explicit limit to the length of the certificate chain. VMCA uses the OpenSSL default, which is 10 certificates.

    • Certificates with wildcards or with more than one DNS name are not supported.

    • You cannot create subsidiary CAs of VMCA.

      See VMware Knowledge Base Article 2112009, Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.0, for an example using Microsoft Certificate Authority.

Machine SSL certificate

You can use vSphere Certificate Manager to create the CSR or create the CSR manually.

If you create the CSR manually, it must meet the requirements listed under Requirements for All Imported Certificates above. You also have to specify the FQDN for the host.

Solution user certificate

You can use vSphere Certificate Manager to create the CSR or create the CSR manually.

Note:

You must use a different value for Name for each solution user. If you generate the certificate manually, this might show up as CN under Subject, depending on the tool you use.

If you use vSphere Certificate Manager, the tool prompts you for certificate information for each solution user. vSphere Certificate Manager stores the information in certool.cfg. See Information that Certificate Manager Prompts For.

Requirements for Custom Certificates

When you want to use custom certificates, the certificates must meet the following requirements.

Certificate Type

Certificate Requirements

Machine SSL certificate

The machine SSL certificate on each node must have a separate certificate from your third-party or enterprise CA.

  • You can generate the CSRs using vSphere Certificate Manager or create the CSR manually. The CSR must meet the requirements listed under Requirements for All Imported Certificates above.

  • If you use vSphere Certificate Manager, the tool prompts you for certificate information for each solution user. vSphere Certificate Manager stores the information in certool.cfg. See Information that Certificate Manager Prompts For.

  • For most fields, you can accept the default or provide site-specific values. The FQDN of the machine is required.

Solution user certificate

Each solution user on each node must have a separate certificate from your third-party or enterprise CA.

  • You can generate the CSRs using vSphere Certificate Manager or prepare the CSR yourself. The CSR must meet the requirements listed under Requirements for All Imported Certificates above.

  • If you use vSphere Certificate Manager, The tool prompts you for certificate information for each solution user. vSphere Certificate Manager stores the information in certool.cfg. See Information that Certificate Manager Prompts For.

    Note:

    You must use a different value for Name for each solution user. If you generate the certificate manually, this might show up as CN under Subject, depending on the tool you use.

When later you replace solution user certificates with custom certificates, provide the complete signing certificate chain of the third-party CA.

Note:

Do not use CRL Distribution Points, Authority Information Access, or Certificate Template Information in any custom certificates.