In a production environment, it is important to use digital certificates to secure the connection between your computer and the VMware vCenter Server (VCSA) that you are trying to access.
In addition, using certificates signed by your certification authority allows you to automatically verify the identity of the server you are trying to access and thus block the connection in the event of a problem.
By default, when you attempt to access the web interface of your VMware vCenter Server (VCSA), a warning is displayed.
In Mozilla Firefox, you will receive the warning "Warning: Potential Security Risk Ahead".
To still access your server's web interface, click on: Advanced.
Next, Firefox will tell you that it doesn't trust [domain name or IP address of your VCSA server], because the issuer of its certificate is unknown.
The issuer is the certification authority that issued the certificate used to secure the connection to your server.
The error code displayed is: SEC_ERROR_UNKNOWN_ISSUER.
Click "View Certificate" to see the certificate in use or click "Accept the Risk and Continue" to ignore this warning.
If you click on the "View certificate" link, you will see that the certificate:
If you ignore this warning, your web browser will tell you that there is a problem with securing the connection to this server.
Log in as: administrator@vsphere.local.
Once logged in, the VMware vSphere Client will appear.
Go to the menu and click on: Administration.
In the left menu that appears, click on: Certificates -> Certificate Management.
On the "Certificate Management" page that appears, indicate:
Then click on the button: Login and manage certificates.
To secure access to your VMware vCenter Server (VCSA) and more specifically to its VMware vSphere Client, you will need to replace the machine SSL certificate displayed at the top of the page.
Click the "View details" link for the "__MACHINE_CERT" certificate.
Note: the "View certificates in another ..." button at the top of the page logs you out of this page and returns you to the form shown in the previous image.
As you can see, this "__MACHINE_CERT" certificate is:
By default, on VMware vCenter Server (VCSA), you will find a "VMCA" certification authority (VMware Certificate Authority) which allows you to manage all the certificates of your VMware vSphere infrastructure (VMware ESXi hosts, VMware vCenter Server (VCSA) servers, ...).
The certificates generated and the private keys associated with them emanate from this "VMCA" certification authority, which is used internally by your VMware vSphere infrastructure. All data from your VMCA certification authority (machine SSL certificates, solution certificates, trusted root certificates, private keys, ...) is stored in the VMware Endpoint Certificate Store (VECS).
Since the VMCA certificate authority created by default on your VMware vCenter Server (VCSA) is not a certificate authority recognized by computers and servers outside your infrastructure, all certificates that emanate from it are considered invalid (untrusted) by them. The exception is your VMware vCenter Server (VCSA) itself, since the certificate of this VMCA certificate authority is present in its "Trusted Root Certificates" section.
Note that the common name of this VMCA certification authority visible in your server's certificate management is "CA" and not VMCA.
To learn more about the VMware Endpoint Certificate Store (VECS), visit the official VMware documentation : VMware Endpoint Certificate Store Overview.
When you want to secure access to your VMware vCenter Server (VCSA) and more particularly its web client (VMware vSphere Client), you have several options:
The first option to secure access to your VMware vSphere virtual infrastructure is to make the VMware Certificate Authority (VMCA) a subordinate (secondary) certification authority of your own root certification authority.
Because the new certificate for this VMCA CA will come from your own CA, any certificates it generates will be considered valid for computers and servers that already trust your own root CA.
However, this also means that a malicious administrator of your VMware vSphere virtual infrastructure could also generate valid certificates within your company for other computers or servers outside of your VMware vSphere infrastructure.
This technique therefore greatly simplifies the management of certificates, but can pose security problems.
This method is therefore very rarely if ever used.
A VMware vSphere virtual infrastructure is always composed of several servers and mainly:
If you want to use custom certificates for all components of your VMware vSphere infrastructure, you will therefore need to generate certificates for all your VMware ESXi hosts, your VMware vCenter Server (VCSA) servers, but also for the solutions used internally by vCenter Server.
This can quickly become difficult to manage, depending on the number of VMware ESXi hosts and VMware vCenter Server (VCSA) servers in your VMware vSphere virtual infrastructure, especially since it also means submitting dozens or even hundreds of certificate signing requests (CSRs) to your own certificate authority.
This method is the most secure, but as noted previously, it can quickly become unmanageable depending on the size of your VMware vSphere virtual infrastructure. Additionally, all generated certificates will also need to be replaced when they are about to expire.
To best secure your VMware vSphere virtual infrastructure while keeping its certificates manageable, a hybrid model was introduced with VMware vSphere 6.0.
As you see in the image below, with this hybrid model, you will use:
This method is the most practical, because it allows you to benefit from security while making it easier to manage your SSL certificates.
It is therefore this method that we will use in this tutorial.
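To make the three trust situations above concrete (the default VMCA-issued machine certificate that browsers reject as an unknown issuer, the VMCA turned into a subordinate of your own root CA, and the hybrid model where your root CA signs the machine SSL certificate directly), here is an added example that is not part of this tutorial and not VMware tooling. It builds a throw-away lab PKI with openssl in a temporary directory and runs the same path validation a browser performs; the CA names ("Corp Root CA", "CA" for the VMCA) and host names (vcsa.example.lan, files.example.lan) are assumptions chosen for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original tutorial): throw-away PKI modelling the
# trust situations described above. All names are assumptions for the lab.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal config so "openssl req" works even without a system openssl.cnf
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"

# Self-signed root CA: $1 = file prefix, $2 = common name
make_root_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" -days 365 -subj "/CN=$2" \
    -addext "basicConstraints=critical,CA:TRUE" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" >/dev/null 2>&1
}

# Subordinate CA signed by CA $1: $2 = file prefix, $3 = common name
make_sub_ca() {
  openssl req -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" -subj "/CN=$3" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/$2.ext"
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -extfile "$WORK/$2.ext" -out "$WORK/$2.crt" -days 365 >/dev/null 2>&1
}

# Machine SSL (server) certificate issued by CA $1: $2 = file prefix, $3 = DNS name
issue_server_cert() {
  openssl req -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" -subj "/CN=$3" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$3" > "$WORK/$2.ext"
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -extfile "$WORK/$2.ext" -out "$WORK/$2.crt" -days 365 >/dev/null 2>&1
}

# Path validation as a browser does it: $1 = trust anchor the client holds,
# $2 = leaf certificate, optional $3 = intermediate sent by the server.
# Returns 0 when the chain validates; non-zero is the browser's
# "issuer unknown" case (SEC_ERROR_UNKNOWN_ISSUER in Firefox).
verify_chain() {
  if [ $# -ge 3 ]; then
    openssl verify -CAfile "$WORK/$1.crt" -untrusted "$WORK/$3.crt" "$WORK/$2.crt" >/dev/null 2>&1
  else
    openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
  fi
}

# Build the lab PKI once
setup_pki() {
  make_root_ca corp-root "Corp Root CA"                  # the company's own root CA
  make_root_ca vmca-default "CA"                         # default VMCA, whose CN is just "CA"
  issue_server_cert vmca-default vcsa-default vcsa.example.lan   # out-of-the-box machine cert
  make_sub_ca corp-root vmca-sub "CA"                    # option 1: VMCA re-issued as subordinate
  issue_server_cert vmca-sub vcsa-sub vcsa.example.lan
  issue_server_cert vmca-sub files-sub files.example.lan # a non-vSphere host signed by that subordinate
  issue_server_cert corp-root vcsa-hybrid vcsa.example.lan       # hybrid model: root signs the machine cert
}

report() {  # $1 = label, remaining arguments go to verify_chain
  label=$1; shift
  if verify_chain "$@"; then echo "$label: trusted"; else echo "$label: NOT trusted (unknown issuer)"; fi
}

setup_pki
report "default VMCA cert, client trusts only Corp Root" corp-root vcsa-default
report "default VMCA cert, client trusts the VMCA itself (vCenter's own view)" vmca-default vcsa-default
report "VMCA as subordinate, intermediate sent with the leaf" corp-root vcsa-sub vmca-sub
report "VMCA as subordinate, intermediate NOT sent" corp-root vcsa-sub
report "VMCA as subordinate signs a host outside vSphere" corp-root files-sub vmca-sub
report "hybrid: machine cert issued directly by Corp Root" corp-root vcsa-hybrid
```

Two of the results are the practical points of the discussion above: the subordinate-CA case only validates when the intermediate is installed alongside the leaf, so the full chain must be deployed on the server, and a subordinate VMCA validates a certificate for a host that has nothing to do with vSphere, which is exactly the risk of the first option. The hybrid case validates with nothing but the company root in the client's trust store.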
If you would like more information about the VMCA certificate authority and the different certificate management methods under VMware vSphere, refer to the "New Product Walkthrough – Hybrid vSphere SSL Certificate Replacement" page of the official VMware blog.
® InformatiWeb-Pro.net - InformatiWeb.net 2008-2022 - © Lionel Eppe - All rights reserved.