For several versions of vSphere, certificate management has seemed easier than in previous versions; certificate management in vSphere 7 is done via vCenter Server. In general, certificates are used for encryption of communication, authentication of vSphere services, or internal actions, such as signing tokens.

VMware vSphere has an internal VMware Certificate Authority that is able to supply all the certificates that are needed for VMware services. VMCA is installed on every vCenter Server host.

All communications within vSphere are protected with Transport Layer Security (TLS). There are ESXi certificates, machine SSL certificates for web-based vSphere clients, and SSO login pages.

Other types of certificates are used for add-on solutions, such as vRealize Operations Manager, vSphere Replication, and others.

Certificate management within vSphere 7

Certificate management within vSphere 7

The configuration of vSphere certificates

Previous releases of vSphere had poor usability in terms of certificate management. However, vSphere 7 has some significant improvements to make creating or replacing certificates as seamless as possible.

VMware Certificate Management (VMCA) is not as advanced as traditional PKI solutions, so you cannot request generating certificates for other purposes. The VMCA is fine for VMware environments, though.

By default, vSphere comes with self-generated certificates so you don't have to lose time during the installation and deployment of the product. If you have to replace the certificates on your own, you'll do it through the certificate management menu, as shown in the above screenshot.

How can vSphere Certificates be managed?

You can manage vSphere certificates not only via the vSphere web client, but also in many other ways.

  • Certificate Management CLIs—This is a command line utility that uses dir-cli, certool, and vecs-cli tools that perform the tasks necessary for certificate management.
  • Certificate Manager Utility—This uses command line tools on the vCenter Server to perform tasks.
  • vSphere REST API—Used via the vCenter server UI. There are now APIs present for nearly everything in vSphere.

Here is a screenshot from the UI showing an API explorer and certificate management:

vCenter API explorer and certificate management via the REST API copy

vCenter API explorer and certificate management via the REST API copy

  • vSphere HTML5 Web client—The traditional way of performing tasks within the client.
  • SSO Configuration Utility—This uses and runs the Security Token Service (STS), which handles certificate management from the vCenter Server command line user interface.

Note that there is also a VMware Fling tool called the SDDC Certificate Tool, which can automatically replace certificates across VMware products.

Four modes of certificate management in vSphere

In vCenter Server, you can run certificate management in four different modes.

Fully Managed Mode—In this case, the VMCA has a new root CA certificate. With this certificate, vCenter Server manages the intra-cluster certificates where hosts communicate among themselves and back to vCenter Server. There is also a machine certificate, which serves when the user logs in to the vSphere client. The VMCA root CA certificate can be downloaded from the main vCenter Server page and imported to other PCs to establish trust. The certificate can be regenerated, and we can replace the information by default with our own information (by default, it contains only VMware information).

Download trusted root CA certificates

Download trusted root CA certificates

Hybrid Mode—This mode allows the VMCA to automate certificate management. It enables automatic replacement of the certificate that the vSphere web client uses, so it is accepted by default by client browsers. The certificates that establish trusts with ESXi hosts are managed manually.

Subordinate CA Mode—In this case, the VMCA can operate as a subordinate CA, which is a delegated authority from a corporate CA. vCenter Server can continue to automate certificate management, but the certificates that are generated are trusted as a part of the organization.

Full Custom Mode—In this mode, the VMCA is not used at all. An admin has to install and manage all the certificates within the vSphere cluster—manually. This can be very time consuming for IT teams. In addition, there might be some downtime, as it needs to be disconnected and reconnected to vCenter Server when you replace certificates on a host. This might be a bit overwhelming and complicated to manage when you have distributed vSwitches or VMware vSAN, which does not like it when vCenter Server is disconnected.

VMware recommends using Hybrid mode, which provides some automation. However, all four modes are fully supported. The security teams of most organizations are working hard to secure the control plane of the administrators, using certificates that are issued by the security team via their enterprise PKI. vSphere Hybrid mode helps in this and allows securing access to vSphere by replacing the Machine SSL certificate.

VMware's best practice says that access to ESXi management should be limited and only executed on an isolated network. To achieve this and still be able to log in directly to ESXi hosts, the VMCA CA certificate can be exported and added to the Trusted Root Certification Authorities container in an Active Directory group policy.

Subscribe to 4sysops newsletter!

Final words

Certificate management was always a difficult task in any organization. Things are hopefully getting better as the software vendors become more organized and face the same dangers different cyberthreats, malware, or from man-in-the-middle attacks. VMware continues to improve their products and recently released a second update of vSphere 7 U2.


Leave a reply

Your email address will not be published. Required fields are marked *


© 4sysops 2006 - 2023


Please ask IT administration questions in the forums. Any other messages are welcome.


Log in with your credentials


Forgot your details?

Create Account