Certificate requirements depend on whether you use VMCA as an intermediate CA or you use custom certificates. Requirements are also different for machine certificates and for solution user certificates.
Before you begin, ensure that all nodes in your environment are time synchronized.
Requirements for All Imported Certificates
- Key size: 2048 bits or more (PEM encoded)
- PEM format. VMware supports PKCS8 and PKCS1 (RSA keys). When you add keys to VECS, they are converted to PKCS8.
- x509 version 3
- SubjectAltName must contain DNS Name=machine_FQDN
- CRT format
- Contains the following Key Usages: Digital Signature, Key Encipherment.
- Enhanced Key Usage can be either empty or contain Server Authentication.
- Certificates with wildcards.
- The algorithms md2WithRSAEncryption 1.2.840.113549.1.1.2, md5WithRSAEncryption 1.2.840.113549.1.1.4, and sha1WithRSAEncryption 1.2.840.113549.1.1.5 are not recommended.
- The algorithm RSASSA-PSS with OID 1.2.840.113549.1.1.10 is not supported.
Certificate Compliance to RFC 2253
The certificate must be in compliance with RFC 2253.
If you do not generate CSRs using Certificate Manager, ensure that the CSR includes the following fields.
String | X.500 AttributeType |
---|---|
CN | commonName |
L | localityName |
ST | stateOrProvinceName |
O | organizationName |
OU | organizationalUnitName |
C | countryName |
STREET | streetAddress |
DC | domainComponent |
UID | userid |
- The password of the [email protected] user, or for the administrator of the vCenter Single Sign-On domain that you are connecting to.
- If you are generating a CSR in an environment with an external Platform Services Controller, you are prompted for the host name or IP address of the Platform Services Controller.
- Information that Certificate Manager stores in the certool.cfg file. For most fields, you can accept the default or provide site-specific values. The FQDN of the machine is required.
- Password for [email protected].
- Two-letter country code
- Company name
- Organization name
- Organization unit
- State
- Locality
- IP address (optional)
- Host name, that is, the fully qualified domain name of the machine for which you want to replace the certificate. If the host name does not match the FQDN, certificate replacement does not complete correctly and your environment might end up in an unstable state.
- IP address of Platform Services Controller if you are running the command on a vCenter Server (management) node.
Requirements When Using VMCA as an Intermediate CA
Certificate Type | Certificate Requirements |
---|---|
Root certificate |
|
Machine SSL certificate | You can use the vSphere Certificate Manager to create the CSR or create the CSR manually. If you create the CSR manually, it must meet the requirements listed previously under Requirements for All Imported Certificates. You also have to specify the FQDN for the host. |
Solution user certificate | You can use vSphere Certificate Manager to create the CSR or create the CSR manually.
Note: You must use a different value for Name for each solution user. If you generate the certificate manually, this might show up as
CN under
Subject, depending on the tool you use.
If you use vSphere Certificate Manager, the tool prompts you for certificate information for each solution user. vSphere Certificate Manager stores the information in certool.cfg. See Information that Certificate Manager Prompts For. |
Requirements for Custom Certificates
Certificate Type | Certificate Requirements |
---|---|
Machine SSL certificate | The machine SSL certificate on each node must have a separate certificate from your third-party or enterprise CA.
|
Solution user certificate | Each solution user on each node must have a separate certificate from your third-party or enterprise CA.
When later you replace solution user certificates with custom certificates, provide the complete signing certificate chain of the third-party CA. |