Certificate requirements depend on whether you use VMCA as an intermediate CA or you use custom certificates. Requirements are also different for machine certificates and for solution user certificates.

Before you begin, ensure that all nodes in your environment are time synchronized.

Requirements for All Imported Certificates

  • Key size: 2048 bits or more (PEM encoded)
  • PEM format. VMware supports PKCS8 and PKCS1 (RSA keys). When you add keys to VECS, they are converted to PKCS8.
  • x509 version 3
  • SubjectAltName must contain DNS Name=machine_FQDN
  • CRT format
  • Contains the following Key Usages: Digital Signature, Key Encipherment.
  • Enhanced Key Usage can be either empty or contain Server Authentication.
vSphere does not support the following certificates.
  • Certificates with wildcards
  • The algorithms md2WithRSAEncryption 1.2.840.113549.1.1.2, md5WithRSAEncryption 1.2.840.113549.1.1.4, and sha1WithRSAEncryption 1.2.840.113549.1.1.5 are not recommended.
  • The algorithm RSASSA-PSS with OID 1.2.840.113549.1.1.10 is not supported.

Certificate Compliance to RFC 2253

The certificate must be in compliance with RFC 2253.

If you do not generate CSRs using Certificate Manager, ensure that the CSR includes the following fields.

String X.500 AttributeType
CN commonName
L localityName
ST stateOrProvinceName
O organizationName
OU organizationalUnitName
C countryName
STREET streetAddress
DC domainComponent
UID userid
If you generate CSRs using Certificate Manager, you are prompted for the following information, and Certificate Manager adds the corresponding fields to the CSR file.
  • The password of the [email protected] user, or for the administrator of the vCenter Single Sign-On domain that you are connecting to.
  • If you are generating a CSR in an environment with an external Platform Services Controller, you are prompted for the host name or IP address of the Platform Services Controller.
  • Information that Certificate Manager stores in the certool.cfg file. For most fields, you can accept the default or provide site-specific values. The FQDN of the machine is required.
    • Password for [email protected].
    • Two-letter country code
    • Company name
    • Organization name
    • Organization unit
    • State
    • Locality
    • IP address (optional)
    • Email
    • Host name, that is, the fully qualified domain name of the machine for which you want to replace the certificate. If the host name does not match the FQDN, certificate replacement does not complete correctly and your environment might end up in an unstable state.
    • IP address of Platform Services Controller if you are running the command on a vCenter Server (management) node.

Requirements When Using VMCA as an Intermediate CA

When you use VMCA as an intermediate CA, the certificates must meet the following requirements.
Certificate Type Certificate Requirements
Root certificate
  • You can use vSphere Certificate Manager to create the CSR. See Generate CSR with vSphere Certificate Manager and Prepare Root Certificate (Intermediate CA).
  • If you prefer to create the CSR manually, the certificate that you send to be signed must meet the following requirements.
    • Key size: 2048 bits or more
    • PEM format. VMware supports PKCS8 and PKCS1 (RSA keys). When keys are added to VECS, they are converted to PKCS8.
    • x509 version 3
    • If you are using custom certificates, the CA extension must be set to true for root certificates, and cert sign must be in the list of requirements.
    • CRL signing must be enabled.
    • Enhanced Key Usage can be either empty or contain Server Authentication.
    • No explicit limit to the length of the certificate chain. VMCA uses the OpenSSL default, which is 10 certificates.
    • Certificates with wildcards or with more than one DNS name are not supported.
    • You cannot create subsidiary CAs of VMCA.

      See the VMware knowledge base article at http://kb.vmware.com/kb/2112009, Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.0, for an example using Microsoft Certificate Authority.

Machine SSL certificate

You can use vSphere Certificate Manager to create the CSR or create the CSR manually.

If you create the CSR manually, it must meet the requirements listed previously under Requirements for All Imported Certificates. You also have to specify the FQDN for the host.

Solution user certificate

You can use vSphere Certificate Manager to create the CSR or create the CSR manually.

Note: You must use a different value for Name for each solution user. If you generate the certificate manually, this might show up as CN under Subject, depending on the tool you use.

If you use vSphere Certificate Manager, the tool prompts you for certificate information for each solution user. vSphere Certificate Manager stores the information in certool.cfg. See Information that Certificate Manager Prompts For.

Requirements for Custom Certificates

When you want to use custom certificates, the certificates must meet the following requirements.
Certificate Type Certificate Requirements
Machine SSL certificate The machine SSL certificate on each node must have a separate certificate from your third-party or enterprise CA.
  • You can generate the CSRs using vSphere Certificate Manager or create the CSR manually. The CSR must meet the requirements listed previously under Requirements for All Imported Certificates.
  • If you use vSphere Certificate Manager, the tool prompts you for certificate information for each solution user. vSphere Certificate Manager stores the information in certool.cfg. See Information that Certificate Manager Prompts For.
  • For most fields, you can accept the default or provide site-specific values. The FQDN of the machine is required.
Solution user certificate Each solution user on each node must have a separate certificate from your third-party or enterprise CA.
  • You can generate the CSRs using vSphere Certificate Manager or prepare the CSR yourself. The CSR must meet the requirements listed previously under Requirements for All Imported Certificates.
  • If you use vSphere Certificate Manager, the tool prompts you for certificate information for each solution user. vSphere Certificate Manager stores the information in certool.cfg. See Information that Certificate Manager Prompts For.

    Note: You must use a different value for Name for each solution user. A manually generated certificate might show up as CN under Subject, depending on the tool you use.

When later you replace solution user certificates with custom certificates, provide the complete signing certificate chain of the third-party CA.

Note: Do not use CRL Distribution Points, Authority Information Access, or Certificate Template Information in any custom certificates.