Tuesday 10 July 2018

VMware vSphere Certificate Management

In this blog will be focussing on how vSphere Manages Certificates using VMware Certificate Authority (VMCA) and also talk about different type of certificate managed by VMCA including CA certificates, Solutions Users Certificates and Machine Certificates (SSL). But before we go ahead with VMCA let’s talk about certificates in general and discuss about certificates authority.

Public key or Digital Certificates are electronic documents which are digitally signed by a trusted certificate source for example Certificate Authority, a certificate can be signed by a CA or it can also be self signed however other parties are not likely to trust certificates as these signing certificates that are used are not embedded in their system, we can make use of self signed certificates for internal use by adding the public key to all the internal systems so as they can trust the Self - Signed certificates.

Certificate Authority plays an important role in Public Key Infrastructure systems (PKI) where a SSL or TLS client connects to a server and the server sends it Public Key to the Client to Authenticate the server, the exchange of Public Key is not done through Plain text however X.509 certificate (Server Name and Public Key) is sent to the client. Client trusts the CA because client already has the CA’s Public Key which was preinstalled (Safari, Firefox, IE) or manually installed by us.

In VMware vSphere 5.x and earlier versions each service listed on a defined port for example (vpxd 443,Apache Tomcat 8443, Inventory Service 10433, vCenter Single-Sign On 7444, vSphere Web Client 9443 and so on, required it’s own certificate because the authentication methodology was based on SSL thumbprint trust which has to be unique, Starting from vSphere 6.0 the individual service endpoints has been replaced by a reverse HTTP proxy which routes traffic to appropriate service based on the type of incoming request.

With VMware vSphere 6.0 VMware Certificate Authority provisions each ESXi hosts and each vCenter Server service with certificates that are signed by VMware CA by default and are stored in VMware Endpoint Certificate Store (VECS) implemented using VMware Authentication Framework Daemon and finally used by vCenter Single-Sign and VMDIR. Confused ?  

Let’s try to simplify it using an example wherein VMware CA is the Bank who has Issued the ATM CARD, VECS is your wallet where you are going to store ATM CARD and finally SSO is the ATM CARD Machine where you need to show your ATM card so as it can verify the authenticity of you as a Valid user and can issue you money.

Image Source -VMware Tech Pubs
Types of vSphere Certificates

1 ) ESXi Certificates are stored locally on ESXi hosts in the /etc/vmware/ssl directory, which are provisioned by VMware CA by default however we can also make use of custom certificates instead.

2 ) Machine SSL Certificates are used to create SSL socket on the server side to make the SSL client connect to the server, Machine SSL certificates are available for each of the node and are used to expose the SSL endpoints by each node (vCenter Server Instance, Platform Services Instances).Services which make use of Machine SSL certificates are Reverse proxy service (which then  redirect them to individual services), vpxd vCenter Service on each vCenter Node and VMDIR service.

3) Solution User Certificates are used to authenticate to vCenter Single-Sign on through SAML tokens, it does so by encapsulating one or more vCenter Server services.A solution user presents the certificate to vCenter Single Sign-On when authenticating for the first time, after a reboot, and after a timeout has elapsed. Solutions users are certificates stores and are part of VECS on each management node and embedded node deployment, vpxd uses this certificates to authenticate to Single Sign-On, vpxd-extensions (for example auto deploy) also get the solution users certificates, vsphere-webclient solution users certificates are also stored in VECS used by performance chart services and machine which is used by component manager, license server and the logging service.

* vCenter Single Sign-On Signing Certificate (), VMware Directory Service SSL Certificate and Virtual Machine Encryption certificates are not stored in VECS and referred as Internal Certificates.