vSphere provides security by using certificates to encrypt communications, authenticate services, and sign tokens.
How Does vSphere Use Certificates
- Encrypt communications between two nodes, such as a vCenter Server and an ESXi host.
- Authenticate vSphere services.
- Perform internal actions such as signing tokens.
What Is the VMware Certificate Authority
vSphere's internal certificate authority, VMware Certificate Authority (VMCA), provides all the certificates necessary for vCenter Server and ESXi. VMCA is installed on every vCenter Server host, immediately securing the solution without any other modification. Keeping this default configuration provides the lowest operational overhead for certificate management. vSphere provides a mechanism to renew these certificates in the event they expire.
vSphere also provides a mechanism to replace certain certificates with your own certificates. However, replace only the SSL certificate that provides encryption between nodes, to keep your certificate management overhead low.
What Options Do You Have to Manage vSphere Certificates
The following options are recommended for managing certificates.
| Mode | Description | Advantages |
|---|---|---|
| VMCA Default Certificates | VMCA provides all the certificates for vCenter Server and ESXi hosts. | Simplest and lowest overhead. VMCA can manage the certificate life cycle for vCenter Server and ESXi hosts. |
| VMCA Default Certificates with External SSL Certificates (Hybrid Mode) | You replace the vCenter Server SSL certificates, and allow VMCA to manage certificates for solution users and ESXi hosts. Optionally, for high-security conscious deployments, you can replace the ESXi host SSL certificates as well. | Simple and secure. VMCA manages internal certificates but you get the benefit of using your corporate-approved SSL certificates, and having those certificates trusted by your browsers. |
What Tools Are Available to Replace vSphere Certificates
You can use the following options to replace the existing certificates.
| Option | See |
|---|---|
| Use the vSphere Client. | Managing Certificates Using the vSphere Client |
| Use the vSphere Automation API to manage the life cycle of certificates. | VMware vSphere Automation SDKs Programming Guide |
| Use the vSphere Certificate Manager utility from the command line. | Managing Certificates Using the vSphere Certificate Manager Utility |
| Use CLI commands for manual certificate replacement. | vSphere Certificates and Services CLI Command Reference |
