# VCP
vSphere certificates are signed and used in different parts of the environment, for example to:
- authenticate vSphere services
- sign tokens for SSO
- encrypt communication between ESXi and vCenter
Certificates are generally stored in VECS (VMware Endpoint Certificate Store), which is part of the VMware Authentication Framework Daemon (VMAFD).
## VMCA
VMCA is vSphere's own certificate authority. It issues certificates for the internal VCSA services and for the ESXi hosts, for example:
- STS signing certificate
## Certification methods
### Default
vCenter's VMCA provides all certificates for vCenter and the ESXi hosts.
### Hybrid mode
Using a certificate from your company's authoritative CA, for example, VMCA can be installed as a subordinate (intermediate) CA, functioning in hybrid mode.
VMCA in hybrid mode signs its own certificates for all parts of the vCenter environment using the sub-CA certificate.
### Custom/Partial
When replacing certificates on your VCSA without issuing an intermediate CA certificate to VMCA, VMware recommends issuing custom certificates only for the Machine SSL certificate.
This replaces the certificate for the VC host itself and for the vSphere UI.
## What is used for what
### VMCA
- ESXi certificate
  - certificates that replace the certificate of all ESXi hosts
  - host certificates are not stored in VECS, but on the hosts themselves in `/etc/vmware/ssl`
- Solution user certificates
  - used by solution users to authenticate to vCenter SSO through SAML
- vCenter SSO signing certificate
  - used for authentication
- vmdir SSL certificate
  - since vSphere 6.5 the Machine SSL certificate is used for this
- vSphere Virtual Machine Encryption certificates
  - used for virtual machine encryption, relying on a KMS
### Machine SSL
- vSphere UI
- VC host communications themselves
- vpxd
## Certificate requirements
- The key size is 2048 bits to 16,384 bits.
- VMware supports PKCS8 and PKCS1 (RSA key) PEM formats. When you add keys to VECS, they are converted to PKCS8.
- X.509 version 3 is required.
- SubjectAltName must contain DNS Name=machine_FQDN.
- CRT format is required.
- Key usage: Digital Signature, Key Encipherment
- Extended Key usage: empty or Server authentication
Not supported:
- Certificates with wildcards
- The algorithms md2WithRSAEncryption 1.2.840.113549.1.1.2, md5WithRSAEncryption 1.2.840.113549.1.1.4, and sha1WithRSAEncryption 1.2.840.113549.1.1.5
- The algorithm RSASSA-PSS with OID 1.2.840.113549.1.1.10
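The requirements above can be checked before a certificate is uploaded to VECS. The following script is an added example, not VMware's own tooling: it reads the `openssl x509 -text` output of a PEM file and tests each requirement; the function name `check_vsphere_cert`, the FQDN argument and the error messages are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from VMware): check one PEM certificate against the
# vSphere certificate requirements, using only openssl's human-readable output.
# Usage: check_vsphere_cert <cert.pem> <machine_FQDN>

# Print the value line that follows an X509v3 extension header in -text output.
ext_value() {
    printf '%s\n' "$2" | awk -v n="$1" 'found { print; exit } $0 ~ n { found = 1 }'
}

check_vsphere_cert() {
    pem="$1"; fqdn="$2"; ok=0
    txt=$(openssl x509 -in "$pem" -noout -text 2>/dev/null) || { echo "FAIL: cannot parse $pem"; return 1; }

    version=$(printf '%s\n' "$txt" | sed -n 's/^ *Version: \([0-9]*\).*/\1/p')
    sigalg=$(printf '%s\n' "$txt" | sed -n 's/^ *Signature Algorithm: //p' | head -n 1)
    bits=$(printf '%s\n' "$txt" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    san=$(ext_value 'X509v3 Subject Alternative Name' "$txt" | tr -d ' ')
    ku=$(ext_value 'X509v3 Key Usage' "$txt")
    eku=$(ext_value 'X509v3 Extended Key Usage' "$txt" | sed 's/^ *//; s/ *$//')

    # X.509 version 3 is required
    [ "$version" = "3" ] || { echo "FAIL: X.509 version '$version', need 3"; ok=1; }
    # RSA key size between 2048 and 16384 bits
    case "$bits" in
        ''|*[!0-9]*) echo "FAIL: no RSA key size found"; ok=1 ;;
        *) { [ "$bits" -ge 2048 ] && [ "$bits" -le 16384 ]; } || { echo "FAIL: key size $bits bits"; ok=1; } ;;
    esac
    # MD2, MD5, SHA-1 and RSASSA-PSS signatures are not supported
    case "$sigalg" in
        md2WithRSAEncryption|md5WithRSAEncryption|sha1WithRSAEncryption|rsassaPss|RSA-PSS*)
            echo "FAIL: unsupported signature algorithm $sigalg"; ok=1 ;;
    esac
    # SAN must carry DNS Name = machine FQDN; wildcards are not supported
    case ",$san," in *",DNS:$fqdn,"*) ;; *) echo "FAIL: SAN lacks DNS:$fqdn"; ok=1 ;; esac
    case "$san" in *'*'*) echo "FAIL: wildcard in SAN '$san'"; ok=1 ;; esac
    # Key usage must include both Digital Signature and Key Encipherment
    { printf '%s' "$ku" | grep -q 'Digital Signature' && printf '%s' "$ku" | grep -q 'Key Encipherment'; } \
        || { echo "FAIL: key usage '$ku'"; ok=1; }
    # Extended key usage must be empty or Server Authentication only
    case "$eku" in ''|'TLS Web Server Authentication') ;; *) echo "FAIL: extended key usage '$eku'"; ok=1 ;; esac

    [ "$ok" -eq 0 ] && echo "OK: $pem meets the vSphere certificate requirements"
    return "$ok"
}

# Run directly with a certificate and FQDN; with no arguments only the function is defined.
if [ "$#" -eq 2 ]; then check_vsphere_cert "$1" "$2"; fi
```

The check needs `openssl` 1.1.1 or later for the `-text` layout it parses; run it against the Machine SSL certificate with the vCenter FQDN you will use in DNS.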
## 🔗Resources
### VECS
https://docs.vmware.com/de/VMware-vSphere/8.0/vsphere-authentication/GUID-EB2D4685-D9B1-4F87-B02D-934FDEECE3F2.html