In this section we will continue to cover “Manage SSL certificates”.
Here are the objectives from the blueprint:
- Configure and manage VMware Endpoint Certificate Store
- Replace default certificate with CA-signed certificate
- Generate ESXi host certificates
- Enable / Disable certificate checking
- Configure SSL timeouts according to a deployment plan
Using VMware Workstation:
- Microsoft Windows Server 2012 R2 for services (ADCS, DNS, DHCP, etc.)
- Installed esx0
- Installed VCSA
- vSphere Security Guide
- VMware KB 2112016
Configure and manage VMware Endpoint Certificate Store:
VMware Endpoint Certificate Store (VECS) serves as a local (client-side) repository for certificates, private keys, and other certificate information that can be stored in a keystore. You can decide not to use VMCA as your certificate authority and certificate signer, but you must use VECS to store all vCenter certificates, keys, and so on.
VECS includes the following stores:
- Machine SSL store (MACHINE_SSL_CERT)
- Trusted root store (TRUSTED_ROOTS)
- Solution user stores
- vSphere Certificate Manager Utility backup store (BACKUP_STORE)
- Other stores
The vecs-cli and dir-cli command sets allow you to manage VMware Endpoint Certificate Store (VECS) instances. Both commands are located in /usr/lib/vmware-vmafd/bin/
To see a list of all the stores, run the following command: ./vecs-cli store list
The command ./vecs-cli --help will show all the operations that you can perform on a store.
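As an added example (not from the original post), the script below walks every VECS store with the vecs-cli commands from the path above and prints the expiry date of each certificate, which is the check you usually want before an outage rather than after one. The "Alias :" and "Number of entries in store :" line layout of vecs-cli entry list output is an assumption, as is the getcert sub-command piped into openssl for the date.

```shell
#!/bin/sh
# Added example: inventory every VECS store and report certificate expiry.
# VECS path is the one given in the post; the output format of
# `vecs-cli entry list` (lines such as "Alias : __MACHINE_CERT") is assumed.
VECS="${VECS:-/usr/lib/vmware-vmafd/bin/vecs-cli}"

# Read `vecs-cli entry list` output on stdin and print one alias per line.
parse_aliases() {
  awk -F':' '/^Alias/ { v=$2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v); print v }'
}

# Read the same output and print the entry count from the
# "Number of entries in store :" line (assumed format).
parse_entry_count() {
  awk -F':' '/^Number of entries/ { v=$2; gsub(/[ \t]/, "", v); print v; exit }'
}

# Print "<store> <alias> <notAfter>" for every entry in every store.
# Entries that hold only a key (no certificate) are reported as such.
audit_vecs() {
  "$VECS" store list | while read -r store; do
    "$VECS" entry list --store "$store" | parse_aliases | while read -r alias; do
      end=$("$VECS" entry getcert --store "$store" --alias "$alias" 2>/dev/null \
            | openssl x509 -noout -enddate 2>/dev/null | cut -d= -f2)
      printf '%s %s %s\n' "$store" "$alias" "${end:-<no certificate>}"
    done
  done
}

# Run the audit only when explicitly asked, so sourcing the file is harmless.
if [ "${RUN_AUDIT:-0}" = 1 ]; then
  audit_vecs
fi
```

Run it on the vCenter appliance with RUN_AUDIT=1 sh audit-vecs.sh; anything whose notAfter is inside your renewal window belongs on the change calendar.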
Replace default certificate with CA-signed certificate:
To replace the default certificate with a CA-signed certificate, you first need to generate the certificate request, send it to the CA, and copy the new certificate to all ESXi hosts:
The working directory is /etc/vmware/ssl.
- Rename the existing certificates using the following commands: mv rui.crt orig.rui.crt and mv rui.key orig.rui.key
- Copy the certificates that you want to use to /etc/vmware/ssl.
- Rename the new certificate and key to rui.crt and rui.key.
- Restart the host after you install the new certificate
Generate ESXi host certificates:
To generate a new ESXi host certificate, navigate to the vCenter advanced settings and click Edit. In the search box, type certmgmt (I changed the location to Oceanside).
Once done, go to each host under Manage >> Certification, click Renew and verify your changes.
For the following two objectives I can't find anything in the documentation or on Google for vSphere v6. If you have any information about these objectives, please comment!
- Enable / Disable certificate checking:
- Configure SSL timeouts according to a deployment plan: