The VMware Certificate Authority (VMCA) provisions your environment with certificates. Certificates include machine SSL certificates for secure connections, solution user certificates for authentication of services to vCenter Single Sign-On, and certificates for ESXi hosts.

The following certificates are in use.
Table 1. Certificates in vSphere

  • ESXi certificates
    Provisioned: VMCA (default)
    Comments: Stored locally on ESXi host.
  • Machine SSL certificates
    Provisioned: VMCA (default)
    Comments: Stored in VMware Endpoint Certificate Store (VECS).
  • Solution user certificates
    Provisioned: VMCA (default)
    Comments: Stored in VECS.
  • vCenter Single Sign-On SSL signing certificate
    Provisioned: During installation.
    Comments: Manage this certificate from the command line.
    Note: Do not change this certificate in the filesystem or unpredictable behavior results.
  • VMware Directory Service (VMDIR) SSL certificate
    Provisioned: During installation.
    Comments: In vSphere 6.5 and later, the machine SSL certificate is used as the vmdir certificate.
  • SMS self-signed certificates
    Provisioned: During registration of the IOFilter Provider.
    Comments: In vSphere 7.0 and later, SMS self-signed certificates are stored in /etc/vmware/ssl/iofiltervp_castore.pem. Before vSphere 7.0, SMS self-signed certificates are stored in /etc/vmware/ssl/castore.pem. In addition, the SMS Store can also store VVOL VASA Provider's (version 4.0 and earlier) self-signed certificates when retainVasaProviderCertificate=True.

ESXi Certificates

ESXi certificates are stored locally on each host in the /etc/vmware/ssl directory. ESXi certificates are provisioned by VMCA by default, but you can use custom certificates instead. ESXi certificates are provisioned when the host is first added to vCenter Server and when the host reconnects. For more information, see the vSphere Security documentation.

Machine SSL Certificates

The machine SSL certificate for each node is used to create an SSL socket on the server side. SSL clients connect to the SSL socket. The certificate is used for server verification and for secure communication such as HTTPS or LDAPS.

Each vCenter Server node has its own machine SSL certificate. All services that are running on a vCenter Server node use the machine SSL certificate to expose their SSL endpoints.

The following services use the machine SSL certificate.
  • The reverse proxy service. SSL connections to individual vCenter services always go to the reverse proxy. Traffic does not go to the services themselves.
  • The vCenter Server service (vpxd).
  • The VMware Directory Service (vmdir).

VMware products use standard X.509 version 3 (X.509v3) certificates to encrypt session information. Session information is sent over SSL between components.
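The paragraphs above describe the machine SSL certificate from the server's side: VMCA issues it, the reverse proxy presents it, and clients use it for server verification. The following Go program is an added example, not VMware code and not taken from this page: it builds an in-memory root CA as a stand-in for VMCA, issues an X.509v3 server certificate carrying a node FQDN in its Subject Alternative Name, and then performs the three checks an SSL client makes when it connects to the reverse proxy (chain to a trusted root, host name match, current validity). The host name vcenter01.example.test, the certificate lifetimes and the CA name are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// signCert signs tmpl with signer's key; when parent is nil the certificate is self-signed.
func signCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// IssueMachineSSL models the VMCA default flow with a constructed root CA (not a real
// VMCA root): the CA issues a server certificate for one vCenter node named fqdn.
func IssueMachineSSL(fqdn string, validFor time.Duration) (root, leaf *x509.Certificate, err error) {
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed CA (stand-in for VMCA)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	root, err = signCert(rootTmpl, nil, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: fqdn},
		DNSNames:     []string{fqdn}, // clients match the dialed host name against the SAN
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(validFor),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, err = signCert(leafTmpl, root, &leafKey.PublicKey, rootKey)
	return root, leaf, err
}

// VerifyServerCert is the client side of server verification: the presented certificate
// must chain to a trusted root, be valid now, and be issued for the name the client dialed.
// An empty (not nil) pool is used so that no system roots are consulted implicitly.
func VerifyServerCert(leaf *x509.Certificate, trusted []*x509.Certificate, dialedName string) error {
	pool := x509.NewCertPool()
	for _, c := range trusted {
		pool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     pool,
		DNSName:   dialedName,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// DaysUntilExpiry is the number an operator watches so the machine SSL certificate is
// replaced before services start failing server verification.
func DaysUntilExpiry(c *x509.Certificate, now time.Time) int {
	return int(c.NotAfter.Sub(now).Hours() / 24)
}

func main() {
	root, leaf, err := IssueMachineSSL("vcenter01.example.test", 2*365*24*time.Hour)
	if err != nil {
		panic(err)
	}
	trusted := []*x509.Certificate{root}
	fmt.Println("trusted root, correct name:", VerifyServerCert(leaf, trusted, "vcenter01.example.test"))
	fmt.Println("trusted root, wrong name:  ", VerifyServerCert(leaf, trusted, "other.example.test"))
	fmt.Println("no trusted root:           ", VerifyServerCert(leaf, nil, "vcenter01.example.test"))
	fmt.Println("days until expiry:", DaysUntilExpiry(leaf, time.Now()))
}
```

The point of the two failing cases is that a machine SSL certificate is only useful to clients that hold the issuing root in their trust store and that dial the node by the name in the certificate; replacing VMCA with a custom CA, or renaming a node, breaks one of those two conditions unless clients are updated as well.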

Solution User Certificates

A solution user encapsulates one or more vCenter Server services. Each solution user must be authenticated to vCenter Single Sign-On. Solution users use certificates to authenticate to vCenter Single Sign-On through SAML token exchange.

A solution user presents the certificate to vCenter Single Sign-On when it first has to authenticate, after a reboot, and after a timeout has elapsed. The timeout (Holder-of-Key Timeout) can be set from the vSphere Client and defaults to 2592000 seconds (30 days).

For example, the vpxd solution user presents its certificate to vCenter Single Sign-On when it connects to vCenter Single Sign-On. The vpxd solution user receives a SAML token from vCenter Single Sign-On and can then use that token to authenticate to other solution users and services.

The following solution user certificate stores are included in VECS:

  • machine: Used by the license server and the logging service.
    Note: The machine solution user certificate has nothing to do with the machine SSL certificate. The machine solution user certificate is used for the SAML token exchange. The machine SSL certificate is used for secure SSL connections for a machine.
  • vpxd: vCenter service daemon (vpxd) store. vpxd uses the solution user certificate that is stored in this store to authenticate to vCenter Single Sign-On.
  • vpxd-extension: vCenter extensions store. Includes the Auto Deploy service, inventory service, and other services that are not part of other solution users.
  • vsphere-webclient: vSphere Client store. Also includes some additional services such as the performance chart service.
  • wcp: VMware vSphere® with VMware Tanzu™ store. Also used for vSphere Cluster Services.

Internal Certificates

vCenter Single Sign-On certificates are not stored in VECS and are not managed with certificate management tools. As a rule, changes are not necessary, but in special situations, you can replace these certificates.

vCenter Single Sign-On Signing Certificate

The vCenter Single Sign-On service includes an identity provider service that issues SAML tokens that are used for authentication throughout vSphere. A SAML token represents the user's identity, and also contains group membership information. When vCenter Single Sign-On issues SAML tokens, it signs each token with its signing certificate so that clients of vCenter Single Sign-On can verify that the SAML token comes from a trusted source.

You can replace this certificate from the CLI. See Replace a vCenter Server STS Certificate Using the Command Line.
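The Solution User Certificates section describes a solution user receiving a SAML token after authenticating and re-authenticating after the Holder-of-Key timeout (2592000 seconds by default), and the paragraph above describes the issuer signing each token so relying services can verify its origin. The Go program below is an added example written for this page; it is not VMware code and it does not implement SAML. It models the two roles with a minimal signed token: an issuer holds the signing key and stamps a validity window equal to the Holder-of-Key timeout, and a relying service verifies the signature against the trusted public key before it reads the claims, then enforces the window. The claims layout, the subject name vpxd-example@vsphere.local and the group name are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// HolderOfKeyTimeout is the default from the text: 2592000 seconds (30 days).
const HolderOfKeyTimeout = 2592000 * time.Second

// Claims is a constructed, simplified stand-in for the body of a SAML assertion:
// who the token is for, which groups they belong to, and the validity window.
type Claims struct {
	Subject  string   `json:"subject"`
	Groups   []string `json:"groups"`
	IssuedAt int64    `json:"iat"`
	NotAfter int64    `json:"exp"`
}

// Token carries the serialized claims and the issuer's signature over those exact bytes.
type Token struct {
	Claims    []byte // JSON-encoded Claims
	Signature []byte // ASN.1 ECDSA signature over SHA-256(Claims)
}

// STS models the token-issuing side of vCenter Single Sign-On. Only the private key
// lives here; relying services hold the matching public key (the signing certificate).
type STS struct{ key *ecdsa.PrivateKey }

func NewSTS() (*STS, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &STS{key: key}, nil
}

func (s *STS) Public() *ecdsa.PublicKey { return &s.key.PublicKey }

// Issue signs a token for a solution user that has already authenticated.
func (s *STS) Issue(subject string, groups []string, now time.Time) (Token, error) {
	body, err := json.Marshal(Claims{
		Subject: subject, Groups: groups,
		IssuedAt: now.Unix(), NotAfter: now.Add(HolderOfKeyTimeout).Unix(),
	})
	if err != nil {
		return Token{}, err
	}
	digest := sha256.Sum256(body)
	sig, err := ecdsa.SignASN1(rand.Reader, s.key, digest[:])
	if err != nil {
		return Token{}, err
	}
	return Token{Claims: body, Signature: sig}, nil
}

// Validate is the relying service's side: check the signature against the trusted
// STS public key before trusting anything in the claims, then check the window.
func Validate(pub *ecdsa.PublicKey, tok Token, now time.Time) (Claims, error) {
	digest := sha256.Sum256(tok.Claims)
	if !ecdsa.VerifyASN1(pub, digest[:], tok.Signature) {
		return Claims{}, errors.New("signature does not verify against the STS public key")
	}
	var c Claims
	if err := json.Unmarshal(tok.Claims, &c); err != nil {
		return Claims{}, err
	}
	if t := now.Unix(); t < c.IssuedAt || t >= c.NotAfter {
		return Claims{}, errors.New("token is outside its validity window")
	}
	return c, nil
}

func main() {
	sts, err := NewSTS()
	if err != nil {
		panic(err)
	}
	now := time.Now()
	// Constructed subject and group names; real solution user names are assigned by vCenter.
	tok, _ := sts.Issue("vpxd-example@vsphere.local", []string{"Administrators"}, now)
	c, err := Validate(sts.Public(), tok, now.Add(time.Hour))
	fmt.Println("fresh token:", c.Subject, c.Groups, err)
	_, err = Validate(sts.Public(), tok, now.Add(HolderOfKeyTimeout+time.Minute))
	fmt.Println("after the Holder-of-Key timeout:", err)
}
```

Two design points carry over to the real system: a relying service that checks the validity window before the signature is reading attacker-controlled bytes, so the signature check comes first; and because the group membership travels inside the signed token, replacing the signing certificate (as described above) invalidates every token issued under the old key, which is why re-authentication follows such a change.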

VMware Directory Service SSL Certificate

In vSphere 6.5 and later, the machine SSL certificate is used as the VMware directory certificate. For earlier versions of vSphere, see the corresponding documentation.

vSphere Virtual Machine Encryption Certificates

The vSphere Virtual Machine Encryption solution connects with a key server. Depending on how the solution authenticates to the key server, it might generate certificates and store them in VECS. See the vSphere Security documentation.