Monday, 28 January 2019

Let's Virtualize is back

It has been more than six months since I last blogged because of some personal issues; now that things are finally back on track I will be blogging more actively, talking about the various enhancements being made in VMware's SDDC, NVIDIA's GRID, Business Continuity, Backup & Disaster Recovery and Cloud (AWS, GCP, Alibaba Cloud, Microsoft Azure).

Here is what you can expect.

New Back to Basic Series - I have been dedicating many articles in this series to the core features available in VMware vSphere, to help you get started on your Server Virtualization journey; in case you missed it, here is the link to refer to: Back to Basics Part 7

So what's new about this Back to Basic series? To keep it fresh, I will also be introducing some core features from other tracks, including Desktop Virtualization (VMware Horizon), Network Virtualization (NSX) and Storage Virtualization (vSAN).

10 Things to Remember Series - Another series that gives a quick summary of a particular product or feature; if you haven't checked the articles already, here are some links to refer to: VMware vRealize Operations Manager - 10 Things You Need to Know

New Home Lab - One of the most important series for anyone looking for an end-to-end installation of various VMware products and the configuration options available during installation. To make this series more interesting and to show as many installations as possible, I will be working closely with some of my techie friends and running demonstrations on their home lab hardware, so that we get the maximum benefit out of this series.

A new series focusing on the various features available in Amazon Web Services, Google Cloud Platform, Microsoft Azure and Alibaba Cloud.

NVIDIA GRID vGPU - This series will cover the various features and functionalities available with NVIDIA GRID vGPU, with a focus on the different ways we can add GPUs to our virtualized environment.

Business Continuity and Disaster Recovery - A look at some of the backup and disaster recovery products available and their core features and functionalities.

Tuesday, 10 July 2018

VMware vSphere Certificate Management

In this blog I will focus on how vSphere manages certificates using the VMware Certificate Authority (VMCA), and cover the different types of certificates managed by VMCA, including CA certificates, Solution User certificates and Machine (SSL) certificates. But before we get to VMCA, let's talk about certificates in general and about certificate authorities.

Public key (digital) certificates are electronic documents that are digitally signed by a trusted source, for example a Certificate Authority (CA). A certificate can be signed by a CA or it can be self-signed; however, other parties are not likely to trust a self-signed certificate, because the signing certificate is not embedded in their systems. We can still use self-signed certificates for internal use by adding the public key to all internal systems so that they trust the self-signed certificate.

A Certificate Authority plays an important role in Public Key Infrastructure (PKI): when an SSL or TLS client connects to a server, the server sends its public key to the client so the client can authenticate the server. The public key is not exchanged as plain text on its own; instead an X.509 certificate (server name plus public key) is sent to the client. The client trusts the CA because it already has the CA's public key, either preinstalled (Safari, Firefox, IE) or installed manually by us.

In VMware vSphere 5.x and earlier, each service listened on its own defined port (for example vpxd 443, Apache Tomcat 8443, Inventory Service 10433, vCenter Single Sign-On 7444, vSphere Web Client 9443 and so on) and required its own certificate, because authentication was based on SSL thumbprint trust, and each thumbprint has to be unique. Starting with vSphere 6.0 the individual service endpoints were replaced by a reverse HTTP proxy, which routes traffic to the appropriate service based on the type of incoming request.

With vSphere 6.0, the VMware Certificate Authority provisions each ESXi host and each vCenter Server service with certificates that are signed by VMCA by default. These certificates are stored in the VMware Endpoint Certificate Store (VECS), which is implemented by the VMware Authentication Framework Daemon, and are ultimately used by vCenter Single Sign-On and VMDIR. Confused?

Let's simplify it with an example: VMware CA is the bank that issued your ATM card, VECS is the wallet where you keep the ATM card, and SSO is the ATM machine where you present the card so it can verify that you are a valid user and give you money.

Image Source -VMware Tech Pubs
Types of vSphere Certificates

1) ESXi certificates are stored locally on each ESXi host in the /etc/vmware/ssl directory. They are provisioned by VMCA by default, but custom certificates can be used instead.

2) Machine SSL certificates are used to create the SSL socket on the server side so that SSL clients can connect to the server. A Machine SSL certificate exists for each node and is used to expose that node's SSL endpoints (vCenter Server instances, Platform Services instances). The services that use the Machine SSL certificate are the reverse proxy service (which then redirects requests to the individual services), the vpxd vCenter service on each vCenter node, and the VMDIR service.

3) Solution User certificates are used to authenticate to vCenter Single Sign-On through SAML tokens; a solution user encapsulates one or more vCenter Server services. A solution user presents its certificate to vCenter Single Sign-On when authenticating for the first time, after a reboot, and after a timeout has elapsed. Solution user certificates are kept in their own stores within VECS on each management node and embedded-node deployment: vpxd uses its certificate to authenticate to Single Sign-On; vpxd-extension (for example Auto Deploy) also gets a solution user certificate; the vsphere-webclient solution user certificate, also stored in VECS, is used by the performance chart service; and the machine solution user certificate is used by the component manager, the license server and the logging service.

* The vCenter Single Sign-On signing certificate, the VMware Directory Service SSL certificate and Virtual Machine Encryption certificates are not stored in VECS and are referred to as internal certificates.