In this blog I will focus on how vSphere manages certificates using the VMware Certificate Authority (VMCA), and also cover the different types of certificates managed by VMCA, including CA certificates, solution user certificates and machine (SSL) certificates. But before we go into VMCA, let's talk about certificates in general and about certificate authorities.
Public key (digital) certificates are electronic documents that are digitally signed by a trusted source, such as a Certificate Authority (CA). A certificate can be signed by a CA or it can be self-signed; however, other parties are not likely to trust a self-signed certificate, because the certificate used to sign it is not embedded in their systems. We can still use self-signed certificates for internal use by adding the public key to all the internal systems, so that they trust the self-signed certificates.
A Certificate Authority plays an important role in Public Key Infrastructure (PKI) systems. When an SSL or TLS client connects to a server, the server sends its public key to the client so that the client can authenticate the server. The public key is not exchanged as plain text; instead, an X.509 certificate (containing the server name and the public key) is sent to the client. The client trusts the CA because it already has the CA's public key, which was either preinstalled (Safari, Firefox, IE) or manually installed by us.
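The trust decision described above, as an added example that is not part of the original post or of any VMware code: it builds a self-signed root CA and a server certificate issued by it using only Go's standard library, then plays the client's role and verifies the server's X.509 certificate against a trust store. The CA name and the server name `vcenter.example.internal` are constructed for the example. It shows the three outcomes the text describes: a CA-signed certificate is rejected until the CA is installed in the client's trust store, accepted once it is, and a self-signed certificate behaves the same way once its own public key is installed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed sample names for this example; not taken from any real deployment.
const (
	caName     = "Example Internal Root CA"
	serverName = "vcenter.example.internal"
)

// newCert generates a P-256 key pair and issues an X.509 certificate for
// template, signed by parentKey on behalf of parent. When parentKey is nil
// the certificate is self-signed with its own key.
func newCert(template, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if signer == nil {
		signer = key // self-signed
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// serverTemplate describes a TLS server certificate: the X.509 document
// carries the server name (as a SAN) together with the server's public key.
func serverTemplate(serial int64) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: serverName},
		DNSNames:     []string{serverName},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// BuildPKI creates a self-signed root CA and a server certificate issued by it.
func BuildPKI() (root, server *x509.Certificate, err error) {
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: caName},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	root, caKey, err := newCert(caTmpl, caTmpl, nil)
	if err != nil {
		return nil, nil, err
	}
	server, _, err = newCert(serverTemplate(2), root, caKey)
	return root, server, err
}

// SelfSignedServer creates a server certificate that signs itself instead of
// being issued by a CA.
func SelfSignedServer() (*x509.Certificate, error) {
	tmpl := serverTemplate(3)
	cert, _, err := newCert(tmpl, tmpl, nil)
	return cert, err
}

// ClientTrusts models what a TLS client does with the certificate the server
// presents: it verifies the chain against its own trust store (the CA
// certificates it has preinstalled or manually installed) for the expected
// server name. It returns nil only when the certificate would be accepted.
func ClientTrusts(server *x509.Certificate, trusted []*x509.Certificate, name string) error {
	pool := x509.NewCertPool() // explicit empty pool, so system roots are not consulted
	for _, c := range trusted {
		pool.AddCert(c)
	}
	_, err := server.Verify(x509.VerifyOptions{
		Roots:     pool,
		DNSName:   name,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	root, server, err := BuildPKI()
	if err != nil {
		panic(err)
	}
	self, err := SelfSignedServer()
	if err != nil {
		panic(err)
	}
	trust := []*x509.Certificate{root}
	fmt.Println("CA-signed cert, CA not in trust store: ", ClientTrusts(server, nil, serverName))
	fmt.Println("CA-signed cert, CA in trust store:     ", ClientTrusts(server, trust, serverName))
	fmt.Println("CA-signed cert, wrong server name:     ", ClientTrusts(server, trust, "other.example.internal"))
	fmt.Println("self-signed cert, not installed:       ", ClientTrusts(self, nil, serverName))
	fmt.Println("self-signed cert, installed as trusted:", ClientTrusts(self, []*x509.Certificate{self}, serverName))
}
```

Run it with `go run .`; the first, third and fourth lines print a verification error and the other two print `<nil>`. The wrong-name case is included because the client checks the server name inside the certificate, not only the signature, so a certificate that chains to a trusted CA is still rejected if it was issued for a different host.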
In VMware vSphere 5.x and earlier versions, each service listened on its own defined port (for example vpxd on 443, Apache Tomcat on 8443, Inventory Service on 10433, vCenter Single Sign-On on 7444, vSphere Web Client on 9443, and so on) and required its own certificate, because the authentication methodology was based on SSL thumbprint trust, which has to be unique per endpoint. Starting with vSphere 6.0, the individual service endpoints have been replaced by a reverse HTTP proxy that routes traffic to the appropriate service based on the type of incoming request.
With VMware vSphere 6.0, the VMware Certificate Authority provisions each ESXi host and each vCenter Server service with certificates that are signed by VMware CA by default. These certificates are stored in the VMware Endpoint Certificate Store (VECS), which is implemented by the VMware Authentication Framework Daemon, and are finally used by vCenter Single Sign-On and VMDIR. Confused?
Let's try to simplify it with an analogy: VMware CA is the bank that issued the ATM card, VECS is your wallet where you store the ATM card, and SSO is the ATM machine where you present your ATM card so that it can verify that you are a valid user and issue you money.