Encryption and security certificates

ESXi and vCenter Server support standard X.509 version 3 certificates (you can get more details on these certificates at https://tools.ietf.org/html/rfc6187) to encrypt session data between components. By default, VMware Certificate Authority (VMCA) provisions vCenter Server components and ESXi hosts with signed certificates.

VMware virtual infrastructure uses the following certificates by default:

  • ESXi certificates: Used for SSL communication to and from the ESXi host. VMCA delivers these certificates by default, and they are stored locally on each ESXi host.
  • Machine SSL certificates: Used for communication to and from vCenter Server and Platform Services Controller instances. Because all communication goes through the reverse proxy, a single certificate can be used. VMCA provisions these certificates, and they are stored in the VMware Endpoint Certificate Store (VECS).
  • Solution user certificates: Used by all solutions and services added to vCenter SSO for inter-component communication. VMCA provisions these certificates, and they are stored in VECS.
  • vCenter SSO signing certificate: All certificates provisioned by VMCA are signed by a root certificate. The root certificate is provisioned during installation of the Platform Services Controller and is stored on the local host file system. It can be changed as required, but it should be managed through the vSphere Web Client.

Signed certificates are now used for the entire infrastructure and are automatically regenerated as needed for all solutions and for vCenter systems (where they are added to the Platform Services Controller domain). This solves many of the challenges that existed in previous releases. Note, however, that certificate operations are currently only administered through the command line.

If signed certificates are required, the vCenter SSO signing certificate can be replaced with an equivalent subordinate VMCA certificate from an external VMCA to allow it to function as a member of the certificate hierarchy in the environment.
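The checks a defender would want after reading the above (is the machine SSL certificate really chained to the VMCA root, does it carry the host name, and is it close to expiry) can be scripted against the vCenter or ESXi endpoint. The following is an added example, not code from the book or from VMware; it assumes the VMCA root has been exported to a PEM file (path is a placeholder) and that the root's common name is the default "CA", which you should adjust if the root has been replaced by a subordinate certificate.

```python
import socket
import ssl
import time
from typing import Optional

def fetch_peer_cert(host: str, vmca_root_pem: str, port: int = 443) -> dict:
    """Connect to a vCenter/ESXi endpoint and return the certificate it presents
    in ssl.SSLSocket.getpeercert() form. The chain is verified against the
    exported VMCA root, so a host presenting a certificate that does not chain
    to that root raises ssl.SSLCertVerificationError instead of returning."""
    ctx = ssl.create_default_context(cafile=vmca_root_pem)
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def _name_to_dict(name) -> dict:
    # getpeercert() encodes subject/issuer as a tuple of RDNs, each a tuple of
    # (attribute, value) pairs; flatten for simple lookups (last value wins).
    return {attr: value for rdn in name for (attr, value) in rdn}

def check_cert(cert: dict, host: str, issuer_cn: str = "CA",
               min_days: int = 30, now: Optional[float] = None) -> list:
    """Return a list of findings; an empty list means the certificate looks healthy."""
    findings = []
    issuer = _name_to_dict(cert.get("issuer", ()))
    if issuer.get("commonName") != issuer_cn:
        findings.append(f"issuer CN is {issuer.get('commonName')!r}, expected {issuer_cn!r}")
    sans = [v for (kind, v) in cert.get("subjectAltName", ()) if kind in ("DNS", "IP Address")]
    if host not in sans:
        findings.append(f"{host} not present in subjectAltName {sans}")
    # ssl.cert_time_to_seconds parses the 'Mon DD HH:MM:SS YYYY GMT' format getpeercert() uses
    remaining_days = int((ssl.cert_time_to_seconds(cert["notAfter"]) - (now or time.time())) / 86400)
    if remaining_days < min_days:
        findings.append(f"expires in {remaining_days} days")
    return findings

# Constructed sample in getpeercert() format; not captured from a real host.
SAMPLE_CERT = {
    "subject": ((("commonName", "vcenter01.lab.example"),),),
    "issuer": ((("commonName", "CA"),), (("domainComponent", "vsphere"),), (("domainComponent", "local"),)),
    "subjectAltName": (("DNS", "vcenter01.lab.example"), ("IP Address", "192.0.2.10")),
    "notBefore": "Jan 10 08:00:00 2024 GMT",
    "notAfter": "Jan 10 08:00:00 2026 GMT",
}
SAMPLE_NOW = ssl.cert_time_to_seconds("Jan 10 08:00:00 2025 GMT")       # one year left
SAMPLE_NOW_LATE = ssl.cert_time_to_seconds("Dec 20 08:00:00 2025 GMT")  # 21 days left

if __name__ == "__main__":
    print(check_cert(SAMPLE_CERT, "vcenter01.lab.example", now=SAMPLE_NOW_LATE))
```

To run it against a live system, replace the sample with `fetch_peer_cert("vcenter01.example", "/path/to/vmca-root.pem")`; a verification failure there is itself a finding worth investigating.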

For more details, see the vSphere Security Certificates section of the vSphere Security guide (https://docs.vmware.com/en/VMware-vSphere/6.0/vsphere-esxi-vcenter-server-602-security-guide.pdf).
