In this article I will explain why VMware vSphere products need SSL certificates, go through the different setup types, and cover the steps required to apply and manage the certificates.
Why does VMware vSphere need SSL certificates?
SSL/TLS certificates are required to authenticate and encrypt the communications between the various VMware components, such as the communication between the vCenter Server and the ESXi hosts, as well as the connection between the end-user's browser and the vSphere Client. With the default VMCA-issued certificates, a client can only tell the real vCenter or ESXi host from an impostor if the VMCA root has been distributed to it, which is the main reason to move to certificates issued by a CA your clients already trust.
Main reference documentation
vSphere Authentication guide: https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-esxi-vcenter-802-authentication-guide.pdf
vSphere Security guide: https://docs.vmware.com/en/VMware-vSphere/7.0/vsphere-esxi-vcenter-server-703-security-guide.pdf
I'd strongly recommend watching my tutorial videos for more information and the implementation demo.
Available SSL certificate modes
The following list contains the available management modes for the certificates in vSphere:
- VMCA | self-signed (default): this is the default mode, using the built-in certificate authority of vCenter, VMCA (VMware Certificate Authority). Out of the box, right after installing a vCenter Server, VMCA is enabled and manages the certificates of the vCenter Server and of every attached ESXi host. All certificates are issued by VMCA, whose own root certificate is self-signed, so clients only trust them once the VMCA root certificate has been distributed to them.
- VMCA | intermediate CA: it is possible to configure VMCA to act as an intermediate (subordinate) CA of your enterprise PKI. This mode has the lowest operational overhead, since VMCA keeps issuing and renewing certificates that now chain up to the corporate root; however, VMware (and possibly your company's security policy) does not recommend this mode, because it places a subordinate CA key of your enterprise PKI on the vCenter appliance.
- Custom certificates: in this mode, you are required to manually issue the required certificates for each vSphere component (vCenter Server(s) and ESXi hosts) via your PKI infrastructure or a 3rd-party CA. This is considered the most secure approach, but it implies a lot of operational overhead: every certificate has to be requested, installed and renewed by hand.
- Hybrid mode: this is a mix of a MACHINE SSL CERTIFICATE signed by an external CA for the vCenter Server's web interface, while VMCA continues to issue the certificates for the ESXi hosts and the solution users. This mode is preferable for large environments, because only the certificate that end users actually see has to come from the enterprise CA.
How to manage the SSL Certificates?
- vSphere client.
- vCenter Certificate Manager Utility (vCenter CLI utility).
- CLI and APIs.
- ESXi SSH shell for ESXi hosts
In this article I will be covering the CUSTOM mode, and the needed steps to enable it for a vCenter server and the linked ESXi hosts.
Custom mode | step-by-step
In this tutorial I will be configuring the custom SSL certificate mode for my vSphere lab environment, leveraging a Microsoft CA PKI. For other PKI environments, please research the needed steps.
1- Create a certificate template on the Microsoft CA. Refer to the required parameters in this link: https://kb.vmware.com/s/article/2112009
2- Replace the vCenter Machine SSL certificate. In the vCenter web interface (vSphere Client) head to the Certificates section under Administration.
3- Edit the MACHINE SSL CERTIFICATE entry to generate a CSR and save it (myrequest_sign.req in the command below).
4- Head to your Microsoft CA server and issue the required certificate using the dedicated certificate template. Use the following command in a CMD terminal.
5- Command: certreq -submit -attrib "CertificateTemplate:TEMPLATENAME" myrequest_sign.req myrequest_cert.cer
6- Convert the CER certificate to CRT (PEM) format if required, using OpenSSL.
7- Export the root CA certificate: certutil -ca.cert ca_name.cer
8- Import the issued certificate together with the root CA certificate in the vCenter interface.
9- Check the certificate now in the web browser: the vCenter page should present the new issuer, and the trust warning disappears on every client that trusts the root CA.
Replace the ESXi SSL certificate with a custom one.
Reference guide: https://kb.vmware.com/s/article/2113926
1- Change the certificate mode in the vCenter advanced settings: set "vpxd.certmgmt.mode" to "custom". Ref: https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-security/GUID-122A4236-9696-4E1F-B9E8-738855946A93.html
2- Put the host into maintenance mode, then disconnect it from vCenter.
3- Generate the CSR and the certificate for the ESXi host:
- Prepare an OpenSSL config file (the SAN must contain the name vCenter and the clients connect to): https://kb.vmware.com/s/article/2015387
- Generate the CSR and key: openssl req -new -nodes -out rui.csr -keyout rui-orig.key -config openssl.cfg
- Issue the certificate from the CSR with the same certreq command used for vCenter.
4- Convert the issued certificate to PEM format: openssl x509 -inform DER -in rui.cer -out rui.crt (use -inform PEM instead if the CA returned a Base64-encoded file).
5- Convert the key to the traditional RSA format: openssl rsa -in rui-orig.key -out rui.key
6- Install the certificate and key on the host as rui.crt and rui.key, following the steps in https://kb.vmware.com/s/article/2113926 (back up the existing pair first).
Path: /etc/vmware/ssl/
7- Restart the management agent services:
Command: /etc/init.d/hostd restart
Command: /etc/init.d/vpxa restart
8- Check the web interface of the host: it should now present the CA-issued certificate.
9- Reconnect the host to vCenter and exit maintenance mode.
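The script below is an added example, not part of the original article or of any VMware tooling: it is an offline dry run of ESXi steps 3 to 5 plus the conversion and check that the vCenter procedure also needs, run from an admin workstation with OpenSSL. It assumes a throw-away OpenSSL CA as a stand-in for the Microsoft CA (in the real lab that part is certreq -submit and certutil -ca.cert), a minimal openssl.cfg instead of the KB 2015387 one, and placeholder host values (esxi01.lab.local, 192.0.2.10, the function and file names). The install and live-check functions at the end are defined but not executed.

```shell
#!/bin/sh
# Added example (not from the article): offline dry run of the ESXi custom
# certificate steps, from an admin workstation with OpenSSL installed.
# Assumptions: a throw-away OpenSSL CA stands in for the Microsoft CA, and
# esxi01.lab.local / 192.0.2.10 are placeholder host values.
set -eu
WORK="${WORK:-$(mktemp -d)}"
HOST="${HOST:-esxi01.lab.local}"
HOST_IP="${HOST_IP:-192.0.2.10}"
cd "$WORK"

# Step 3a: minimal OpenSSL config for the host CSR. The SAN must carry the
# name (and IP, if clients use it) that vCenter and browsers connect to.
write_cfg() {
  cat > openssl.cfg <<EOF
[ req ]
default_bits = 2048
default_md = sha256
prompt = no
distinguished_name = req_dn
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:${HOST}, IP:${HOST_IP}
[ req_dn ]
C = US
O = Example Lab
OU = vSphere
CN = ${HOST}
EOF
}

# Step 3b: the article's CSR command (PKCS#8 key lands in rui-orig.key).
make_csr() {
  openssl req -new -nodes -out rui.csr -keyout rui-orig.key -config openssl.cfg 2>/dev/null
}

# Stand-in for the Microsoft CA. In the lab this is certreq -submit against
# the KB 2112009 template; ca_name.cer mimics a DER certutil -ca.cert export.
make_stand_in_ca() {
  printf '%s\n' '[ req ]' 'distinguished_name = dn' 'prompt = no' '[ dn ]' \
    'CN = Stand-in Lab CA' '[ v3_ca ]' 'basicConstraints = critical, CA:TRUE' \
    'keyUsage = critical, keyCertSign, cRLSign' 'subjectKeyIdentifier = hash' > ca.cfg
  openssl req -x509 -new -nodes -newkey rsa:2048 -days 365 -config ca.cfg \
    -extensions v3_ca -keyout ca.key -out ca.pem 2>/dev/null
  openssl x509 -in ca.pem -outform DER -out ca_name.cer
}
sign_csr() {  # honour the CSR's SAN, as a properly configured template would
  openssl x509 -req -in rui.csr -CA ca.pem -CAkey ca.key -CAcreateserial -days 365 \
    -sha256 -extfile openssl.cfg -extensions v3_req -outform DER -out rui.cer 2>/dev/null
}

# Step 4: .cer -> PEM .crt. A .cer saved on Windows may be DER or Base64,
# so probe the encoding instead of hard-coding -inform.
to_pem() {  # to_pem IN OUT ; prints the input encoding it detected
  if openssl x509 -inform DER -in "$1" -out "$2" 2>/dev/null; then echo DER
  else openssl x509 -inform PEM -in "$1" -out "$2"; echo PEM; fi
}

# Step 5: traditional RSA key. OpenSSL 3 writes PKCS#8 unless told otherwise.
key_to_rsa() {
  openssl rsa -in rui-orig.key -out rui.key 2>/dev/null
  grep -q 'BEGIN RSA PRIVATE KEY' rui.key || openssl rsa -in rui-orig.key -traditional -out rui.key 2>/dev/null
}

# Before touching /etc/vmware/ssl/: key matches cert, cert chains to the
# exported root, and the SAN carries the host name.
check_pair() {  # check_pair CRT KEY CA_PEM HOST
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
  [ "$c" = "$k" ] || { echo "key does not match certificate" >&2; return 1; }
  openssl verify -CAfile "$3" "$1" >/dev/null 2>&1 || { echo "chain does not verify" >&2; return 1; }
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$4" || { echo "SAN lacks $4" >&2; return 1; }
}

# Steps 6-8, defined but not run here: copy the pair in, restart the agents,
# then check what the host actually serves (the browser check, from the CLI).
install_on_host() {  # install_on_host ESXI_HOST   (SSH must be enabled on it)
  scp rui.crt rui.key "root@$1:/etc/vmware/ssl/"
  ssh "root@$1" '/etc/init.d/hostd restart && /etc/init.d/vpxa restart'
}
check_live() {  # check_live HOST:PORT CA_PEM
  openssl s_client -connect "$1" -servername "${1%%:*}" -CAfile "$2" </dev/null 2>/dev/null |
    openssl x509 -noout -subject -issuer -dates
}

write_cfg; make_csr; make_stand_in_ca; sign_csr
CA_ENCODING=$(to_pem ca_name.cer ca_name.crt)
to_pem rui.cer rui.crt >/dev/null
key_to_rsa
check_pair rui.crt rui.key ca_name.crt "$HOST" && echo "rui.crt/rui.key ready in $WORK (CA export was $CA_ENCODING)"
```

Run it as-is to see the full flow with the stand-in CA; in the lab, replace make_stand_in_ca and sign_csr with the certreq/certutil steps above, keep the rest, and only call install_on_host once check_pair passes, because a mismatched key or a SAN without the host name leaves hostd serving a certificate vCenter will refuse when you reconnect.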
I hope this has been informative and thank you for reading!
