In vSphere 6.0 and later, the VMware Certificate Authority (VMCA) provisions your environment with certificates. Certificates include machine SSL certificates for secure connections, solution user certificates for authentication of services to vCenter Single Sign-On, and certificates for ESXi hosts.

The following certificates are in use.

Table 1. Certificates in vSphere 6.0

Certificate

Provisioned

Comments

ESXi certificates

VMCA (default)

Stored locally on ESXi host

Machine SSL certificates

VMCA (default)

Stored in VECS

Solution user certificates

VMCA (default)

Stored in VECS

vCenter Single Sign-On SSL signing certificate

Provisioned during installation.

Manage this certificate from the vSphere Web Client.

Warning:

Do not change this certificate in the filesystem or unpredictable behavior results.

VMware Directory Service (VMDIR) SSL certificate

Provisioned during installation.

Starting with vSphere 6.5, the machine SSL certificate is used as the vmdir certificate.

ESXi

ESXi certificates are stored locally on each host in the /etc/vmware/ssl directory. ESXi certificates are provisioned by VMCA by default, but you can use custom certificates instead. ESXi certificates are provisioned when the host is first added to vCenter Server and when the host reconnects.

Machine SSL Certificates

The machine SSL certificate for each node is used to create an SSL socket on the server side. SSL clients connect to the SSL socket. The certificate is used for server verification and for secure communication such as HTTPS or LDAPS.

Each node has its own machine SSL certificate. Nodes include vCenter Server instance, Platform Services Controller instance, or embedded deployment instance. All services that are running on a node use the machine SSL certificate to expose their SSL endpoints.

The following services use the machine SSL certificate.

  • The reverse proxy service on each Platform Services Controller node. SSL connections to individual vCenter services always go to the reverse proxy. Traffic does not go to the services themselves.

  • The vCenter service (vpxd) on management nodes and embedded nodes.

  • The VMware Directory Service (vmdir) on infrastructure nodes and embedded nodes.

VMware products use standard X.509 version 3 (X.509v3) certificates to encrypt session information. Session information is sent over SSL between components.

Solution User Certificates

A solution user encapsulates one or more vCenter Server services. Each solution user must be authenticated to vCenter Single Sign-On. Solution users use certificates to authenticate to vCenter Single Sign-On through SAML token exchange.

A solution user presents the certificate to vCenter Single Sign-On when it first has to authenticate, after a reboot, and after a timeout has elapsed. The timeout (Holder-of-Key Timeout) can be set from the vSphere Web Client or Platform Services Controller Web interface and defaults to 2592000 seconds (30 days).

For example, the vpxd solution user presents its certificate to vCenter Single Sign-On when it connects to vCenter Single Sign-On. The vpxd solution user receives a SAML token from vCenter Single Sign-On and can then use that token to authenticate to other solution users and services.

The following solution user certificate stores are included in VECS on each management node and each embedded deployment:

  • machine: Used by component manager, license server, and the logging service.

    Note:

    The machine solution user certificate has nothing to do with the machine SSL certificate. The machine solution user certificate is used for the SAML token exchange. The machine SSL certificate is used for secure SSL connections for a machine.

  • vpxd: vCenter service daemon (vpxd) store on management nodes and embedded deployments. vpxd uses the solution user certificate that is stored in this store to authenticate to vCenter Single Sign-On.

  • vpxd-extensions: vCenter extensions store. Includes the Auto Deploy service, inventory service, and other services that are not part of other solution users.

  • vsphere-webclient: vSphere Web Client store. Also includes some additional services such as the performance chart service.

Each Platform Services Controller node includes a machine certificate.

Internal Certificates

vCenter Single Sign-On certificates are not stored in VECS and are not managed with certificate management tools. As a rule, changes are not necessary, but in special situations, you can replace these certificates.

vCenter Single Sign-On Signing Certificate

The vCenter Single Sign-On service includes an identity provider service which issues SAML tokens that are used for authentication throughout vSphere. A SAML token represents the user's identity, and also contains group membership information. When vCenter Single Sign-On issues SAML tokens, it signs each token with its signing certificate so that clients of vCenter Single Sign-On can verify that the SAML token comes from a trusted source.

vCenter Single Sign-On issues holder-of-key SAML tokens to solution users and bearer tokens other users, which log in with a user name and password.

You can replace this certificate from the vSphere Web Client. See Refresh the Security Token Service Certificate.

VMware Directory Service SSL Certificate

Starting with vSphere 6.5, the machine SSL certificate is used as the VMware directory certificate. For earlier versions of vSphere, see the corresponding documentation.

vSphere Virtual Machine Encryption Certificates

The vSphere Virtual Machine Encryption solution connects with an external Key Management Server (KMS). Depending on how the solution authenticates to the KMS, it might generate certificates and store them in VECS. See the vSphere Security documentation.