in SSL Certificate - 02 Jul, 2016
by mordi - 5 comments
VCAP-DCV Deploy Objective 8.2 – Part 2

In this section we will continue to cover “Manage SSL certificates”.

Here are the objectives from the blueprint:

  • Configure and manage VMware Endpoint Certificate Store
  • Replace default certificate with CA-signed certificate
  • Generate ESXi host certificates
  • Enable / Disable certificate checking
  • Configure SSL timeouts according to a deployment plan

Lab Setup:

Using VMware workstation:

  • Microsoft Server 2012 R2 for services (ADCS, DNS, DHCP, etc.)
  • Installed esx0
  • Installed VCSA

Documents used:

  • vSphere Security Guide
  • VMware KB 2112016

Configure and manage VMware Endpoint Certificate Store:

VMware Endpoint Certificate Store (VECS) serves as a local (client-side) repository for certificates, private keys, and other certificate information that can be stored in a keystore. You can decide not to use VMCA as your certificate authority and certificate signer, but you must use VECS to store all vCenter certificates, keys, and so on.

VECS includes the following stores:

  • Machine SSL store  (MACHINE_SSL_CERT)
  • Trusted root store (TRUSTED_ROOTS)
  • Solution user stores
    • machine
    • vpxd
    • vpxd-extensions
    • vsphere-webclient
  • vSphere Certificate Manager Utility backup store (BACKUP_STORE)
  • Other stores

The vecs-cli and dir-cli command sets allow you to manage VMware Endpoint Certificate Store (VECS) instances. Both commands are located in /usr/lib/vmware-vmafd/bin/

To see a list of all the stores, run the following command: ./vecs-cli store list



The command ./vecs-cli --help will show all the operations that you can perform on a store.


Replace default certificate with CA-signed certificate:

To replace the default certificate with a CA-signed certificate, you first need to generate the certificate request, send it to the CA, and copy the signed certificate to every ESXi host:

Working directory: /etc/vmware/ssl

  • Rename the existing certificate and key using the following commands: mv rui.crt orig.rui.crt and mv rui.key orig.rui.key
  • Copy the certificate and key that you want to use to /etc/vmware/ssl.
  • Rename the new certificate and key to rui.crt and rui.key.
  • Restart the host after you install the new certificate.
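The procedure above as a small POSIX shell helper (an added example, not from the original post): it performs the same rename-and-copy steps but first checks that the new certificate and private key actually belong together and that the certificate is not expired, so a mismatched pair is never installed on the host. It assumes the openssl CLI is available and takes the SSL directory as an optional third argument so it can be dry-run outside /etc/vmware/ssl.

```shell
#!/bin/sh
# Added example, not the post's own code. Assumes the openssl CLI is present.

# Return 0 when the certificate's public key equals the private key's public key.
cert_matches_key() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# Return 0 when the certificate is currently inside its validity period.
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# install_esxi_cert NEW_CRT NEW_KEY [SSL_DIR]
# Same steps as the post: rename rui.crt/rui.key to orig.*, then put the new
# pair in place as rui.crt/rui.key. Refuses to change anything when the pair
# is inconsistent, so hostd is never left with an unusable certificate.
install_esxi_cert() {
    new_crt=$1; new_key=$2; ssl_dir=${3:-/etc/vmware/ssl}
    cert_matches_key "$new_crt" "$new_key" || { echo "cert/key mismatch" >&2; return 1; }
    cert_not_expired "$new_crt" || { echo "certificate expired" >&2; return 1; }
    [ -d "$ssl_dir" ] || { echo "missing directory $ssl_dir" >&2; return 1; }
    # Keep the originals so the change can be rolled back.
    if [ -f "$ssl_dir/rui.crt" ]; then mv "$ssl_dir/rui.crt" "$ssl_dir/orig.rui.crt"; fi
    if [ -f "$ssl_dir/rui.key" ]; then mv "$ssl_dir/rui.key" "$ssl_dir/orig.rui.key"; fi
    cp "$new_crt" "$ssl_dir/rui.crt" || return 1
    cp "$new_key" "$ssl_dir/rui.key" || return 1
    chmod 644 "$ssl_dir/rui.crt"
    chmod 600 "$ssl_dir/rui.key"   # private key readable by root only
    echo "installed into $ssl_dir; restart the host to load the new certificate"
}

# usage on a host: install_esxi_cert /tmp/esx0.crt /tmp/esx0.key
```

Run it on each host after the CA has returned the signed certificate; the orig.rui.* files it leaves behind are the rollback path if the host does not come back cleanly.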

Generate ESXi host certificates:

To generate a new ESXi host certificate, navigate to the vCenter advanced settings and click Edit. In the search box type certmgmt (I changed the location to oceanside).


Once done, go to each host under Manage >> Certification, click Renew, and verify your changes.



For the following two objectives I can't find anything in the documentation or on Google for vSphere 6. If you have any information about these objectives please comment!

  • Enable / Disable certificate checking:
  • Configure SSL timeouts according to a deployment plan:


  • Benja //10 Jul 2016

    • Enable / Disable certificate checking

    To prevent man-in-the-middle attacks and to fully use the security that certificates provide, certificate checking is enabled by default.
    Note certificate checking is required to use VMware Fault Tolerance

    vSphere Web Client

    • Select vCenter | Manage | settings | General | Edit Settings | SSL settings
    • Verify check box is selected

    NOTE: certificate checking can’t be disabled from vSphere 5.5; the checkbox is grayed out.
    In vSphere Client the SSL settings have been REMOVED. So it means that it can’t be disabled

  • Benja //10 Jul 2016

    • Configure SSL timeouts

    You can configure SSL timeouts for ESXi by editing a configuration file on the ESXi host.

    Timeout periods can be set for two types of idle connections:

    • The Read Timeout setting applies to connections that have completed the SSL handshake process with port 443 of ESXi.
    • The Handshake Timeout setting applies to connections that have not completed the SSL handshake process with port 443 of ESXi.

    Both connection timeouts are set in milliseconds.
    Idle connections are disconnected after the timeout period. By default, fully established SSL connections have a timeout of infinity.

  • Benja //10 Jul 2016

    Sorry, I get an error inserting the procedure for “Configure SSL timeouts”…

  • Gale Tea //09 Aug 2016

    Is there any way these brown bags can be cataloged to reflect the areas of VCAP they are covering, as the headings are a bit hit and miss? Great content though.