vSphere provides security by using certificates to encrypt communications, authenticate services, and sign tokens.

How Does vSphere Use Certificates

vSphere uses certificates to:
  • Encrypt communications between two nodes, such as a vCenter Server and an ESXi host.
  • Authenticate vSphere services.
  • Perform internal actions such as signing tokens.

What Is the VMware Certificate Authority

vSphere's internal certificate authority, VMware Certificate Authority (VMCA), provides all the certificates necessary for vCenter Server and ESXi. VMCA is installed on every vCenter Server host, immediately securing the solution without any other modification. Keeping this default configuration provides the lowest operational overhead for certificate management. vSphere provides a mechanism to renew these certificates in the event they expire.

vSphere also provides a mechanism to replace certain certificates with your own certificates. However, replace only the SSL certificate that provides encryption between nodes, to keep your certificate management overhead low.

What Options Do You Have to Manage vSphere Certificates

The following options are recommended for managing certificates.

Table 1. Recommended Options for Managing vSphere Certificates
Mode Description Advantages
VMCA Default Certificates VMCA provides all the certificates for vCenter Server and ESXi hosts. Simplest and lowest overhead. VMCA can manage the certificate life cycle for vCenter Server and ESXi hosts.
VMCA Default Certificates with External SSL Certificates (Hybrid Mode) You replace the vCenter Server SSL certificates, and allow VMCA to manage certificates for solution users and ESXi hosts. Optionally, for high-security conscious deployments, you can replace the ESXi host SSL certificates as well. Simple and secure. VMCA manages internal certificates but you get the benefit of using your corporate-approved SSL certificates, and having those certificates trusted by your browsers.

VMware does not recommend replacing either solution user certificates or STS certificates, nor using a subordinate CA in place of the VMCA. If you choose either of these options, you might encounter significant complexity and the potential for a negative impact to your security, and an unnecessary increase in your operational risk. For more information about managing certificates within a vSphere environment, see the blog post titled New Product Walkthrough - Hybrid vSphere SSL Certificate Replacement at http://vmware.com/go/hybridvmca.

What Tools Are Available to Replace vSphere Certificates

You can use the following options to replace the existing certificates.

Table 2. Different Approaches to vSphere Certificate Replacement
Option See
Use the vSphere Client. Managing Certificates Using the vSphere Client
Use the vSphere Automation API to manage the life cycle of certificates. VMware vSphere Automation SDKs Programming Guide at https://developer.vmware.com/docs/11699/vmware-vsphere-automation-sdks-programming-guide
Use the vSphere Certificate Manager utility from the command line. Managing Certificates Using the vSphere Certificate Manager Utility
Use CLI commands for manual certificate replacement. vSphere Certificates and Services CLI Command Reference