vSphere 6.0.x includes the VMware Certificate Authority (VMCA). By default, VMCA generates all internal certificates used in a vSphere environment, including certificates for newly added ESXi hosts and for storage VASA providers that manage or represent Virtual Volumes storage systems.
- Certificates can be directly provided by the VASA provider for long-term use, and can be either self-generated and self-signed, or derived from an external Certificate Authority.
- Certificates can be generated by VMCA for use by the VASA provider.
- When a VASA provider is first added to the vCenter Server storage management service (SMS), it produces a self-signed certificate.
- After verifying the certificate, SMS requests a Certificate Signing Request (CSR) from the VASA provider.
- After receiving and validating the CSR, SMS presents it to VMCA on behalf of the VASA provider, requesting a CA-signed certificate.
VMCA can be configured to function as a standalone CA, or as a subordinate to an enterprise CA. If you set up VMCA as a subordinate CA, VMCA signs the CSR with the full chain.
- The signed certificate along with the root certificate is passed to the VASA provider, so it can authenticate all future secure connections originating from SMS on vCenter Server and on ESXi hosts.
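
The exchange above can be re-enacted in a lab with the `openssl` CLI to see what each side holds before and after issuance. This is an added example, not VMware code: a throwaway CA stands in for VMCA in standalone mode, and all subject names, file paths and function names are constructed.

```shell
#!/usr/bin/env bash
# Added example: lab re-enactment of the VASA provider certificate exchange.
# A throwaway CA stands in for VMCA; every name and path below is constructed.
WORK=$(mktemp -d) && trap 'rm -rf "$WORK"' EXIT

make_ca() {                # stand-in for VMCA acting as a standalone CA
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=lab-vmca-standin" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}
provider_self_signed() {   # provider's certificate when first added to SMS
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=vasa.lab.example" \
    -keyout "$WORK/vasa.key" -out "$WORK/vasa-self.crt" 2>/dev/null
}
provider_csr() {           # CSR the provider returns, built on the same key pair
  openssl req -new -key "$WORK/vasa.key" -subj "/CN=vasa.lab.example" \
    -out "$WORK/vasa.csr" 2>/dev/null
}
ca_sign_csr() {            # check the CSR's self-signature, then issue from the CA
  openssl req -in "$WORK/vasa.csr" -noout -verify 2>&1 | grep -q "verify OK" || return 1
  openssl x509 -req -in "$WORK/vasa.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/vasa-signed.crt" 2>/dev/null
}

# True when issuer and subject match and the certificate verifies against itself.
is_self_signed() {
  [ "$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')" = \
    "$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')" ] &&
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}
# True when certificate $1 validates against the root in $2.
chains_to() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }
# True when both certificates carry the same public key.
same_key() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

make_ca && provider_self_signed && provider_csr && ca_sign_csr ||
  { echo "exchange failed (is openssl installed?)" >&2; exit 1; }
is_self_signed "$WORK/vasa-self.crt" && echo "registration certificate: self-signed"
chains_to "$WORK/vasa-signed.crt" "$WORK/ca.crt" && echo "issued certificate: chains to the CA root"
same_key "$WORK/vasa-self.crt" "$WORK/vasa-signed.crt" && echo "issued certificate: same key as registration"
```

The `same_key` check confirms that the issued certificate binds the key pair that was presented at registration, which is the property the CSR step exists to carry over.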