vCenter

  • 1.  Custom certificate vs VMware issued certificates

    Posted Apr 26, 2021 06:06 AM

    Hi,

    We are currently redesigning our internal vCenter servers, and we would therefore also be installing certificates on the vCenter, in order to bypass the browser certificate warning.

    Over the past few years, we have had massive issues with using our own certificates, issued by our internal CA. Some have been due to human errors, but we have also been facing several bugs along the way that have been fixed later on with a hotfix from VMware.

    Our environment has several "external products" connecting (Veeam, SCOM, etc.) that rely heavily on the certificate presented.

    I'm therefore considering rolling out the vCenter's own CA to our clients / servers that manage and connect to VMware, hoping that we would see fewer certificate issues in the future.

    How to download and install vCenter Server root certificates to avoid Web Browser certificate warnings (2108294) (vmware.com)

     

    So what is the best practice, and what option would you recommend using (VMware built-in CA vs our own CA), based on your knowledge?

     

    Thanks in advance  



  • 2.  RE: Custom certificate vs VMware issued certificates

    Broadcom Employee
    Posted Apr 26, 2021 01:13 PM

    VMware certs are quite secure with SHA256 and 2048 bits. With VMCA certs in use, you can use https://kb.vmware.com/s/article/2108294 to avoid that warning.

    If only this warning is concerning, then just replace machine SSL certs with custom CA: https://kb.vmware.com/s/article/2112277



  • 3.  RE: Custom certificate vs VMware issued certificates

    Posted Apr 28, 2021 12:05 PM

    Hi,

    Thanks for the message.

    I'm aware that both options are usable, but I wanted to know, from real-life scenarios, what the best option is.

    But it sounds like using our Windows CA infrastructure is the best way to go from here.



  • 4.  RE: Custom certificate vs VMware issued certificates

    Posted May 05, 2021 07:43 AM

    Hi, it is difficult to say what's the best option...

    If you use custom certificates with your CA as root CA, they will be trusted within your environment. You may need to re-establish trust between your vSphere/vRealize products, and you will no longer receive SSL warnings in your browser.

    Also, some companies demand that all self-signed certificates be replaced for extended security. I would recommend that you use custom certificates instead of self-signed.