VCAP6-DCV Deployment – Objective 8.2 – Manage SSL certificates



The objectives for 8.2 are broken down as follows:

  • Configure and manage VMware Certificate Authority
  • Configure and manage VMware Endpoint Certificate Store
  • Enable / Disable certificate checking
  • Generate ESXi host certificates
  • Replace default certificate with CA-signed certificate
  • Configure SSL timeouts according to a deployment plan

Configure and manage VMware Certificate Authority

vSphere 6 introduced the VMware Certificate Authority (VMCA) to improve certificate deployment; it is included in the Platform Services Controller (PSC).  This applies whether the PSC is in embedded or external mode.  The VMCA can be configured in three modes:

  • VMCA Default
  • VMCA Enterprise
  • Custom


The exam focuses on configuring certificates on the VMCA, so I would imagine those certificates would be provided.  I have done a previous post on the full process, from generating certificates to replacing certificates when running in embedded mode; this post can be found here.

The example I will show is replacing certificates in VMCA Enterprise mode using a PSC/vCenter in external mode.  The process is slightly different between embedded and external: in embedded mode the process updates both the PSC and vCenter, whereas in an external configuration you have to run the process manually on the PSC and vCenter.

SSH onto the PSC and run the following

>/usr/lib/vmware-vmca/bin/certificate-manager

I select option 2.


It will prompt for credentials; I use the SSO administrator account.  In vSphere 6.0 Update 1 onwards it will prompt to use a configuration file to generate the certificates.  If you choose yes it will prompt you to configure the relevant .cfg files.


Repeat this process for

  • MACHINE_SSL_CERT.cfg
  • machine.cfg
  • vsphere-webclient.cfg

To then generate the certificates I select option 1.  This will prompt to save the files in a location on the appliance.  If the exam already supplies the certificate file then select option 2.  This will prompt for a location of the files on the appliance.  You will need to point it to the .cer file and the custom key .key file.


Confirm and wait for the process to complete.  You will be prompted at this point to complete this process on the vCenter.  I connect to the vCenter using SSH and run the same command.

>/usr/lib/vmware-vmca/bin/certificate-manager

This time I need to start with option 3.


Similar to the PSC I need to add credentials but I also now need to point it to my external PSC.


I again need to enter the details for the following

  • MACHINE_SSL_CERT.cfg


Once complete I need to select option 6.

I again need to enter credentials and point to the external PSC.  I need to enter the details for the following

  • machine.cfg
  • vsphere-webclient.cfg
  • vpxd.cfg
  • vpxd-extension.cfg

Once all filled out choose Yes to complete.  Once complete restart the services.


Now any new ESXi hosts added to vCenter will be configured with certificates from the VMCA.  Note – outside of the exam if you deploy your PSC first, configure the VMCA with internal certs then add the vCenter, the certificates will be automatically deployed to the vCenter.

Now if I browse to my PSC and vCenter appliances I can see the correct certificates are applied.



Configure and manage VMware Endpoint Certificate Store

VMware Endpoint Certificate Store (VECS) serves as a local (client-side) repository for certificates, private keys, and other certificate information that can be stored in a keystore.  You can decide not to use VMCA as your certificate authority and certificate signer, but you must use VECS to store all vCenter certificates, keys, and so on. ESXi certificates are stored locally on each host and not in VECS.

VECS runs on every PSC, whether embedded or external, and on every management node (vCenter).  VECS polls VMware Directory Service (vmdir) periodically for updates to the TRUSTED_ROOTS store.  It's possible to manage certificates and keys in VECS using vecs-cli.  For vecs-cli reference see here.

To list current stores I run the following on a PSC.

>/usr/lib/vmware-vmafd/bin/vecs-cli store list


If I run the same command on my vCenter I get the following.


From here it's possible to create entries, delete and create stores and manage existing certificates.  See the reference guide for more details here.


Enable / Disable certificate checking

This is a strange topic to cover in this exam; there isn't a lot of information on this for vSphere 6 and I suspect this section is a hangover from previous blueprints.  To view certificate checking for a vCenter in the Web Client I go to – Web Client – vCenter – Manage – Settings – SSL Settings.  This option, however, cannot be changed as far as I can make out; please give feedback if you know more on this subject.  Interestingly, the option has been removed from the C# client.



Generate ESXi host certificates

You can add the certificate files to a host manually: first create the certificate files separately, then add them directly to the location below and reboot the host, which will then use the new certs.  The host must be in maintenance mode and you will have to delete the existing rui.crt and rui.key files.

>/etc/vmware/ssl
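
Before pointing certificate-manager at a supplied .cer/.key pair, or copying rui.crt and rui.key onto a host, it is worth confirming that the two files actually belong together. The script below is an added example, not part of the original post; it assumes OpenSSL is available, that the files are PEM-encoded, that the Enterprise-mode signing certificate must be a CA certificate, and a 30-day expiry margin chosen for illustration.

```shell
#!/bin/sh
# Added example: pre-flight checks on a supplied certificate/key pair.
# The mode names and the 30-day margin are assumptions, not values from the post.

# SHA-256 of the public key embedded in a PEM certificate.
cert_pubkey_digest() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl sha256
}

# SHA-256 of the public key derived from a private key.
# "-passin pass:" makes an encrypted key fail instead of prompting.
key_pubkey_digest() {
    openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null | openssl sha256
}

# preflight CERT KEY MODE  (MODE: "ca" for a VMCA signing cert, "host" for rui.crt)
# Prints each problem to stderr; returns 0 only if none were found.
# The body is a subshell, so "exit" only leaves this function.
preflight() (
    cert=$1 key=$2 mode=$3 problems=0
    fail() { echo "FAIL: $*" >&2; problems=$((problems + 1)); }

    if ! openssl x509 -in "$cert" -noout 2>/dev/null; then
        fail "$cert is not a readable PEM certificate"; exit 1
    fi
    if ! openssl pkey -in "$key" -passin pass: -noout 2>/dev/null; then
        fail "$key is not a readable, unencrypted private key"; exit 1
    fi
    [ "$(cert_pubkey_digest "$cert")" = "$(key_pubkey_digest "$key")" ] ||
        fail "private key does not match the certificate"
    # 2592000 seconds = 30 days of remaining validity (assumed margin).
    openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null ||
        fail "certificate expires within 30 days"
    is_ca=no
    openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE' && is_ca=yes
    case "$mode:$is_ca" in
        ca:no)    fail "signing certificate lacks basicConstraints CA:TRUE" ;;
        host:yes) fail "host certificate should not be a CA (CA:TRUE)" ;;
    esac
    [ "$problems" -eq 0 ]
)

# Stand-alone use: sh <this script> CERT KEY [ca|host]
if [ "$#" -ge 2 ]; then preflight "$1" "$2" "${3:-ca}"; fi
```

Use mode `ca` for the pair given to certificate-manager and `host` for an ESXi rui.crt/rui.key pair; a non-zero exit status means at least one check failed.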


I can renew the certificates from my VMCA by going to Web Client – Host – Manage – Certificate – Renew


Or I can select a host – Actions – Certificate – Renew Certificate.



Replace default certificate with CA-signed certificate

I believe this section is covered above for both vCenter/PSC and ESXi hosts.


Configure SSL timeouts according to a deployment plan

Solution user certificates are used for authentication to SSO. A solution user presents the certificate to vCenter SSO when it first has to authenticate, after a reboot, and after a timeout has elapsed. The timeout (Holder-of-Key Timeout) can be set from the Web Client and defaults to 2592000 seconds (30 days).

To change the default policy I go to Web Client – Administration – Single Sign-On – Configuration – Policies – Token Policy.
