vSphere 6.0: Certificate Management for ESXi Hosts

In vSphere 6.0 and later, the VMware Certificate Authority (VMCA) provisions each new ESXi host with a signed certificate that has VMCA as the root certificate authority by default. Provisioning happens when the host is added to vCenter Server explicitly or as part of installation or upgrade to ESXi 6.0 or later. vCenter Server supports the following certificate modes for ESXi hosts:

  •    VMware Certificate Authority (VMCA) (default)
  •    Custom Certificate Authority – in this mode, the customer is responsible for managing the certificates. Certificates cannot be refreshed or renewed from the vSphere Web Client.
  •    Thumbprint Mode – vSphere 5.5 used thumbprint mode, and this mode is still available as a fallback option for vSphere 6.0.

In vSphere 6.0, you can view certificate expiration information for your hosts in the vSphere Web Client. To view it, the host must be in VMCA mode or Custom mode; if the host is in thumbprint mode you can view certificate status information for the host. Use the following steps:

1.  Log in to vCenter 6.0 and go to Home > Hosts and Clusters.
2.  Select the vCenter Server in the left pane and then go to Related Objects > Hosts.
3.  Right-click the Name field and select Show/Hide Columns. Then select “Certificate Valid To”, click OK, and scroll to the right if necessary.
See attached screenshots.

To view certificate details for a single ESXi host, follow the steps below:
1.  Log in to vCenter 6.0 and go to Home > Hosts and Clusters.
2.  Select one of the hosts from the cluster and go to Manage > Settings > System > Certificate.
See attached screenshot.

By default, when a host is added to a vCenter Server system, vCenter Server sends a Certificate Signing Request (CSR) for the host to VMCA. You can change some of the default settings in the CSR using the vCenter Server Advanced Settings in the vSphere Web Client. Follow the steps below to change the certificate default settings:
1.  Log in to vCenter 6.0 and go to Home > Hosts and Clusters.
2.  Select the vCenter Server in the left pane and then go to Manage > Settings > Advanced Settings. Click Edit.
3.  In the Filter box, enter certmgmt to display only the certificate management parameters.
4.  Change the value of the existing parameters (e.g., change Palo Alto to SFO) and click OK.

The next time you add a host to vCenter Server, the new settings are used in the CSR that vCenter Server sends to VMCA and in the certificate that is assigned to the host. For existing hosts that are already added to vCenter Server, use “Refresh” on their certificate and the new change is applied.
See attached screenshots.

In most cases, using VMCA to provision the ESXi hosts in your environment is the best solution. If corporate policy requires that you use custom certificates with a different root CA, you can edit the vCenter Server advanced options so that the hosts are not automatically provisioned with VMCA certificates when you refresh certificates. You are then responsible for the certificate management in your environment. Follow the steps below to change the certificate mode:
1.  Log in to vCenter 6.0 and go to Home > Hosts and Clusters.
2.  Select the vCenter Server in the left pane and then go to Manage > Settings > Advanced Settings. Click Edit.
3.  In the Filter box, enter certmgmt to display only the certificate management parameters.
4.  Change the value of vpxd.certmgmt.mode to custom if you intend to manage your own certificates, or to thumbprint if you temporarily want to use thumbprint mode, and click OK.
See attached screenshot.
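The same three procedures (reading “Certificate Valid To” for every host, listing and changing the certmgmt settings, and switching vpxd.certmgmt.mode) scripted with VMware PowerCLI, as an added example that is not part of the original post. It assumes PowerCLI is installed, that vcenter.example.com is a placeholder for your vCenter 6.0 server, and that the hosts are ESXi 6.0 hosts managed by that vCenter.

```powershell
# Added example (not from the original post): scripted equivalent of the
# vSphere Web Client steps above, using VMware PowerCLI against vCenter 6.0.
$vcenter = 'vcenter.example.com'   # placeholder, replace with your vCenter
$vc = Connect-VIServer -Server $vcenter

# 1. "Certificate Valid To" for every host, the same value the column shows.
#    HostCertificateManager.CertificateInfo is available on ESXi 6.0 hosts
#    managed by vCenter 6.0; DaysLeft makes expiring hosts stand out.
Get-VMHost -Server $vc | ForEach-Object {
    $certMgr = Get-View -Server $vc -Id $_.ExtensionData.ConfigManager.CertificateManager
    $info = $certMgr.CertificateInfo
    [pscustomobject]@{
        Host     = $_.Name
        Issuer   = $info.Issuer
        ValidTo  = $info.NotAfter
        DaysLeft = [math]::Floor(($info.NotAfter - (Get-Date)).TotalDays)
        Status   = $info.Status
    }
} | Sort-Object ValidTo | Format-Table -AutoSize

# 2. The certificate management settings the "certmgmt" filter displays.
Get-AdvancedSetting -Entity $vc -Name 'vpxd.certmgmt.*' |
    Select-Object Name, Value

# 3. Change a CSR default (the Palo Alto -> SFO example from the text);
#    applies to newly added hosts and to existing hosts after a Refresh.
Get-AdvancedSetting -Entity $vc -Name 'vpxd.certmgmt.certs.cn.localityName' |
    Set-AdvancedSetting -Value 'SFO' -Confirm:$false

# 4. Change the certificate mode: vmca (default), custom or thumbprint.
Get-AdvancedSetting -Entity $vc -Name 'vpxd.certmgmt.mode' |
    Set-AdvancedSetting -Value 'custom' -Confirm:$false

Disconnect-VIServer -Server $vc -Confirm:$false
```

Run step 1 on its own first; steps 3 and 4 change vCenter behaviour for every host it manages, so confirm the settings list from step 2 before applying them.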

References:
1.  VMware vSphere 6.0 Security Guide