vSphere provides security by using certificates to encrypt communications, authenticate services, and sign tokens.

vSphere uses certificates to:
  • Encrypt communications between two nodes, such as vCenter Server and an ESXi host.
  • Authenticate vSphere services.
  • Perform internal actions such as signing tokens.

vSphere's internal certificate authority, VMware Certificate Authority (VMCA), provides all the certificates necessary for vCenter Server and ESXi. VMCA is installed on every Platform Services Controller, so the deployment is secured immediately, with no further modification. Keeping this default configuration gives the lowest operational overhead for certificate management, and vSphere provides a mechanism to renew these certificates if they expire.

vSphere also provides a mechanism to replace certain certificates with your own. To keep certificate management overhead low, however, replace only the machine SSL certificate: the one that encrypts communication between nodes and is presented to browsers and other clients.

The following options are recommended for managing certificates.

Table 1. Recommended Options for Managing Certificates

Mode: VMCA Default Certificates
  Description: VMCA provides all the certificates for vCenter Server and ESXi hosts.
  Advantages: Simplest and lowest overhead. VMCA can manage the certificate lifecycle for vCenter Server and ESXi hosts.

Mode: VMCA Default Certificates with External SSL Certificates (Hybrid Mode)
  Description: You replace the Platform Services Controller and vCenter Server Appliance SSL certificates and allow VMCA to manage the certificates for solution users and ESXi hosts. Optionally, for security-conscious deployments, you can replace the ESXi host SSL certificates as well.
  Advantages: Simple and secure. VMCA manages the internal certificates, and you get the benefit of your corporate-approved SSL certificates, which your browsers already trust.
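Hybrid mode in practice, as an added example that is not part of the VMware documentation: the script below stands in a throwaway "corporate" CA, builds a CSR for the machine SSL certificate, has the CA sign it, and then runs the checks worth doing before the result is uploaded to vCenter. The hostname vcenter01.example.com, the address 192.0.2.10, the CA name and the validity periods are all constructed for the example. The extension set in the request (SAN naming the FQDN, digitalSignature/keyEncipherment/nonRepudiation, serverAuth/clientAuth, CA:FALSE) is the general TLS server certificate profile; it is an assumption here, not a requirement list quoted from this page, so check it against the vSphere certificate requirements for your release.

```shell
#!/bin/sh
# Added example, not VMware code: issue a CA-signed machine SSL certificate
# the way hybrid mode expects and check it before it would be uploaded.
# Constructed inputs: throwaway "corporate" CA, made-up FQDN, RFC 5737 IP.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
VC_FQDN="vcenter01.example.com"   # assumed vCenter FQDN
VC_IP="192.0.2.10"                # assumed vCenter IP

# Stand-in for the corporate CA that signs the machine SSL certificate.
make_demo_ca() {
  cat > "$WORK/ca.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
C  = US
O  = Example Corp
CN = Example Corp Issuing CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$WORK/ca.cnf" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# CSR for the machine SSL certificate. The SAN must name the FQDN (and the IP,
# if clients connect by address) or browsers and peer nodes reject the cert;
# CA:FALSE plus the TLS server usages keep it a leaf certificate (assumed
# profile, see the lead-in).
make_machine_ssl_csr() {
  cat > "$WORK/machine_ssl.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[ dn ]
C  = US
O  = Example Corp
CN = $VC_FQDN
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, nonRepudiation
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash
subjectAltName = DNS:$VC_FQDN, IP:$VC_IP
EOF
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/machine_ssl.cnf" \
    -keyout "$WORK/machine_ssl.key" -out "$WORK/machine_ssl.csr" >/dev/null 2>&1
}

# The CA issues a two-year certificate; the v3_req section is passed again
# because "openssl x509 -req" does not copy extensions from the CSR by default.
sign_machine_ssl_cert() {
  openssl x509 -req -in "$WORK/machine_ssl.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial -days 730 \
    -extfile "$WORK/machine_ssl.cnf" -extensions v3_req \
    -out "$WORK/machine_ssl.crt" >/dev/null 2>&1
}

# --- Pre-upload checks ------------------------------------------------------

# The certificate must chain to the CA that clients trust.
cert_chains_to_ca() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/machine_ssl.crt" >/dev/null 2>&1
}

# The SAN must carry the FQDN that clients use to reach vCenter.
cert_has_san() {
  openssl x509 -in "$WORK/machine_ssl.crt" -noout -text 2>/dev/null \
    | grep -q "DNS:$VC_FQDN"
}

# The private key kept on the appliance must belong to the certificate.
key_matches_cert() {
  cert_pub="$(openssl x509 -in "$WORK/machine_ssl.crt" -noout -pubkey 2>/dev/null)"
  key_pub="$(openssl pkey -in "$WORK/machine_ssl.key" -pubout 2>/dev/null)"
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Returns 0 if certificate $1 is still valid $2 days from now; schedule this
# so renewal happens before, not after, expiry.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

make_demo_ca
make_machine_ssl_csr
sign_machine_ssl_cert

for check in cert_chains_to_ca cert_has_san key_matches_cert; do
  if "$check"; then echo "PASS $check"; else echo "FAIL $check"; fi
done
if cert_valid_for_days "$WORK/machine_ssl.crt" 90; then
  echo "PASS machine SSL cert valid for at least 90 more days"
else
  echo "WARN machine SSL cert expires within 90 days: renew it"
fi
```

Against a real deployment the three pre-upload checks are the ones to repeat with the CSR, key and certificate returned by your corporate CA, and `openssl x509 -checkend` is the expiry test to put on a schedule; the CA and signing steps exist only so the example runs offline.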

VMware does not recommend replacing solution user certificates or STS certificates, or using a subordinate CA in place of the VMCA. If you choose any of these options, you might encounter significant complexity, a negative impact on your security, and an unnecessary increase in operational risk. For more information about managing certificates within a vSphere environment, see the blog post New Product Walkthrough - Hybrid vSphere SSL Certificate Replacement at http://vmware.com/go/hybridvmca.

You can use the following options to replace the existing certificates:

Table 2. Different Approaches to Certificate Replacement

Option: Use the vSphere Client. Starting with vSphere 6.7, the Platform Services Controller is managed through the vSphere Client.
  See: Managing Certificates with the vSphere Client

Option: Use the vSphere Certificate Manager utility from the command line.
  See: Managing Certificates with the vSphere Certificate Manager Utility

Option: Use CLI commands for manual certificate replacement.
  See: Managing Services and Certificates with CLI Commands