Adam Eckerle, @eck79 VCIX6-DCV Sr. Technical Marketing Architect SER2936BE #VMworld #SER2936BE vSphere SSL Certificates for Mere Mortals VMworld 2017 Content: Not for publication or distribution


Post on 27-May-2020


TRANSCRIPT

Page 1

vSphere SSL Certificates for Mere Mortals

Adam Eckerle, @eck79, VCIX6-DCV, Sr. Technical Marketing Architect

SER2936BE #VMworld #SER2936BE

Page 2

Disclaimer

• This presentation may contain product features that are currently under development.

• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.

• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.

• Technical feasibility and market demand will affect final delivery.

• Pricing and packaging for any new technologies or features discussed or presented have not been determined.

Page 3

Page 4

Certificate Lifecycle Management

VMware Certificate Authority (VMCA)
Located on: Embedded Deployment and Platform Services Controller

VMware Endpoint Certificate Store (VECS)
Located on: Embedded Deployment and vCenter Server Node

Page 5

VMware Endpoint Certificate Store (VECS)

Diagram: VMCA signs the Machine SSL Certificate; the signed certificate is stored in VECS.

Page 6

VMware Endpoint Certificate Store (VECS)

▪ Repository for Certificates and Private Keys

▪ Mandatory Component

▪ Key Stores:

– Machine SSL Certificates

– Trusted Roots

– Solution Users Certificates

▪ Generally managed via Certificate Manager

▪ vecs-cli available for more advanced operations or automation

▪ Does Not Manage Single Sign-On Certificates

Page 7

VMware vSphere 6.x Certificate Types

▪ Machine SSL Certificate

▪ ESXi Certificates

▪ Solution User Certificates

▪ Single Sign-On Certificates

Page 8

ESXi Certificates

▪ Post-install, ESXi always has an auto-generated certificate

▪ VMCA will provision a signed certificate when host is joined to vCenter (default mode)

▪ Custom certificates can be used if desired (custom mode)

▪ ESXi certificates are stored locally on each host in the /etc/vmware/ssl directory

▪ VMCA issued certificates can be renewed via the vSphere Client or PowerCLI

Page 9

ESXi Certificates

Example:

    function refreshcerts {
        param(
            # Host name or VMHost object; accepts pipeline input (the original
            # slide used $vmhost without declaring it)
            [Parameter(Mandatory, ValueFromPipeline)]
            $vmhost
        )
        process {
            # Resolve the host to its vSphere API view to obtain its MoRef
            $hostid = Get-VMHost $vmhost | Get-View
            # Build the HostSystem[] argument the certificate manager expects
            $hostParam = New-Object VMware.Vim.ManagedObjectReference[] (1)
            $hostParam[0] = New-Object VMware.Vim.ManagedObjectReference
            $hostParam[0].value = $hostid.moref.value
            $hostParam[0].type = 'HostSystem'
            # vCenter's CertificateManager asks VMCA to issue a fresh host certificate
            $_this = Get-View -Id 'CertificateManager-certificateManager'
            $_this.CertMgrRefreshCertificates_Task($hostParam)
        }
    }
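As an added example (not from the deck or from VMware), the same CertMgrRefreshCertificates_Task call driven by an audit rather than a blanket refresh: the script reads each host's certificate details through the vSphere API's HostCertificateManager, reports issuer and days to expiry, and refreshes only VMCA-issued certificates that are close to expiring. It assumes an existing PowerCLI session (Connect-VIServer), vSphere 6.0 or later, and that a default VMCA root subject begins with CN=CA; the 30-day threshold and that issuer pattern are assumptions to adjust for your environment.

```powershell
# Added example, not part of the deck. Assumes Connect-VIServer has already run.

function Get-HostCertificateReport {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        $VMHost    # object from Get-VMHost
    )
    process {
        # Each host exposes its certificate manager through ConfigManager (vSphere 6.0+)
        $certMgr = Get-View -Id $VMHost.ExtensionData.ConfigManager.CertificateManager
        $info = $certMgr.CertificateInfo
        $notAfter = [datetime]$info.NotAfter
        [pscustomobject]@{
            Host     = $VMHost.Name
            Issuer   = $info.Issuer
            NotAfter = $notAfter
            DaysLeft = [int]($notAfter - (Get-Date)).TotalDays
            Status   = $info.Status
            MoRef    = $VMHost.ExtensionData.MoRef
        }
    }
}

function Invoke-HostCertificateRefresh {
    param(
        [Parameter(Mandatory)]
        [VMware.Vim.ManagedObjectReference[]]$HostRefs
    )
    # Same call the slide's refreshcerts function makes, for a batch of hosts
    $certificateManager = Get-View -Id 'CertificateManager-certificateManager'
    $certificateManager.CertMgrRefreshCertificates_Task($HostRefs)
}

# Assumptions: a default VMCA root subject starts with 'CN=CA' (adjust to your CA),
# and 30 days is the renewal window you want.
$vmcaIssuerPattern = '*CN=CA*'
$renewWithinDays   = 30

$report = Get-VMHost | Get-HostCertificateReport
$report | Sort-Object DaysLeft | Format-Table Host, Issuer, NotAfter, DaysLeft, Status -AutoSize

# Refresh only VMCA-issued host certificates inside the renewal window;
# custom-mode (non-VMCA) hosts are reported but left alone.
$due = $report | Where-Object { $_.Issuer -like $vmcaIssuerPattern -and $_.DaysLeft -le $renewWithinDays }
if ($due) {
    Invoke-HostCertificateRefresh -HostRefs @($due.MoRef)
} else {
    Write-Host "No VMCA-issued host certificates expire within $renewWithinDays days."
}
```

Hosts whose certificate issuer does not match the VMCA pattern are intentionally excluded from the refresh: in custom mode a refresh from VMCA would replace an enterprise-issued certificate, so the report is the place to notice those hosts, not the refresh loop.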

Page 10

Machine SSL Certificates

▪ Server verification and secure communication, e.g. HTTPS or LDAPS

▪ Each node has its own Machine SSL Certificate, i.e. Embedded Deployment, vCenter Server, or Platform Services Controller

▪ All services communicate through the reverse proxy

▪ Traffic does not go to the services themselves, e.g. the vpxd service uses the MACHINE_SSL_CERT to expose its endpoint.

Page 11

Certificate Replacement Options for vCenter


VMCA Default

• VMCA provides the Root certificate

• All vSphere certificates chain to VMCA

• Regenerate certificates on demand easily

• Recommended

VMCA Enterprise

• Replace VMCA CA cert with a subordinate CA certificate from the Enterprise PKI

• Upon removal of the old VMCA CA certificate, all old certificates will be regenerated

Custom

• Disable VMCA as CA

• Provision custom certificates for each solution user and endpoint

• More complicated

• For highly security conscious customers only

Hybrid

• Replacement of the Machine_SSL certs

• VMCA for Hosts and Solution Users

• Very popular with high security customers

• Recommended

Page 12

VMware vSphere 6.x Certificate Manager

Appliance Deployment: /usr/lib/vmware-vmca/bin/certificate-manager

Windows Deployment: <Drive>:\Program Files\VMware\vCenter Server\vmcad\certificate-manager

Page 13

Common Certificate Manager Use Cases

▪ VMCA as Root CA (Default or Option 4)

▪ VMCA as Enterprise CA Subordinate (Option 2)

▪ Custom CA (Option 1 & 5)

▪ Hybrid (Option 1)

Page 14

Demo: VMCA as Root CA (Default)

Page 15

Full Custom (No VMCA)

▪ Essentially bypass VMCA

▪ Generate a CSR & Certificate for each:

– Machine SSL

– Solution User

– ESX Host

▪ Manual installation and renewal

▪ Most secure (highly regulated / secure environments)

▪ Most amount of work

Page 16

VMCA as Enterprise CA Subordinate

▪ Does NOT support wildcard certificates or SubjectAltName

▪ You CANNOT create subsidiary CAs of VMCA

▪ No explicit limit to the length of the certificate chain

▪ Synchronize time for all nodes in environment

Page 17

Hybrid Approach Concepts

▪ Custom certificates for the Web Client

▪ VMCA for everything else (Solution Users, ESX hosts)

Diagram: balance between Operations and Security

Page 18

Hybrid Mode: 3rd Party Cert for Client access

What many security concerned companies are using for their vSphere environments

Diagram:

– 3rd Party Certificate Authority: DC1.lab.local

– VCSA / vCenter Server: https://vcsa.lab.local, SSL Certificate issued by DC1.lab.local Certificate Authority

– ESXi host: https://esxi-a.lab.local, SSL Certificate issued by vcsa.lab.local VMCA
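An added example (not from the deck or from VMware) that checks the hybrid layout from the outside: it performs a TLS handshake against each endpoint, reads the certificate actually presented, and compares its issuer with the CA expected for that role (enterprise CA for the vCenter Machine SSL certificate, VMCA for the hosts). The host names are the ones on the slide; the issuer substrings are assumptions to adjust for your PKI, and the .NET classes used are available in Windows PowerShell 5.1 and PowerShell 7.

```powershell
# Added example, not part of the deck. Host names come from the slide;
# the issuer patterns are assumptions.

function Get-PresentedCertificate {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Accept any chain here ONLY so the certificate can be read; trust is
        # decided below by comparing the issuer, not by this callback.
        $readOnly = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $readOnly)
        $ssl.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $ssl.Dispose()
        [pscustomobject]@{
            Endpoint   = "${HostName}:${Port}"
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
        }
    } finally {
        $client.Dispose()
    }
}

function Test-HybridModeIssuers {
    param(
        [string]$VCenter = 'vcsa.lab.local',
        [string[]]$Hosts = @('esxi-a.lab.local'),
        [string]$EnterpriseCaPattern = '*DC1*',   # assumption: enterprise CA issuer DN mentions DC1
        [string]$VmcaPattern = '*CN=CA*'          # assumption: default VMCA root subject starts with CN=CA
    )
    $results = @()

    # vCenter's reverse proxy must present the enterprise-issued Machine SSL cert
    $vc = Get-PresentedCertificate -HostName $VCenter
    $results += [pscustomobject]@{
        Endpoint = $vc.Endpoint; Issuer = $vc.Issuer; NotAfter = $vc.NotAfter
        Expected = 'Enterprise CA'; Ok = ($vc.Issuer -like $EnterpriseCaPattern)
    }

    # Hosts stay on VMCA in hybrid mode
    foreach ($h in $Hosts) {
        $hc = Get-PresentedCertificate -HostName $h
        $results += [pscustomobject]@{
            Endpoint = $hc.Endpoint; Issuer = $hc.Issuer; NotAfter = $hc.NotAfter
            Expected = 'VMCA'; Ok = ($hc.Issuer -like $VmcaPattern)
        }
    }
    $results
}

$check = Test-HybridModeIssuers
$check | Format-Table Endpoint, Expected, Ok, Issuer, NotAfter -AutoSize
if ($check | Where-Object { -not $_.Ok }) {
    Write-Warning 'At least one endpoint presents a certificate from an unexpected issuer.'
}
```

Run it from a workstation that can reach port 443 on each endpoint. A vCenter row with Ok = False after an Option 1 replacement usually means the reverse proxy is still serving the old Machine SSL certificate; a host row with Ok = False under a VMCA issuer pattern means that host is in custom mode or was issued by a different VMCA than expected.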

Page 19

Implementing Hybrid Mode (High Level)

1. Use Option 1 to:

• Replace Machine_SSL cert on all PSCs in SSO Domain

• Replace Machine_SSL cert on all vCenter Servers in SSO domain

2. Use vSphere Client / PowerCLI to replace certs on ESX hosts

Page 20

Let’s Compare!

Page 21

Example Environment

• 6 vCenter Servers

• 2 Sites

• 50 Hosts per vCenter Server

• 300 Hosts total

Approach         SubCAs   Machine SSL   Solution Users   ESXi Hosts   Total Certificates
Subordinate CA   4        0             0                0            4
Full Custom      N/A      10            28               300          338
Hybrid           N/A      10            0                0            10
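An added example (not from the deck or from VMware) that reproduces the table above from the environment's topology and generalizes it to any number of nodes, so the operational cost of each approach can be estimated before choosing one. The slide does not state how the 10 Machine SSL and 28 Solution User certificates were derived; the script assumes 4 PSCs (2 per site), one solution user certificate per PSC (machine) and four per vCenter Server (machine, vpxd, vpxd-extension, vsphere-webclient), which is consistent with the slide's totals, and counts one subordinate CA certificate per VMCA instance, i.e. per PSC.

```powershell
# Added example, not part of the deck. Node counts default to the slide's
# environment; the per-node solution user counts are assumptions.

function Get-CertificateWorkload {
    param(
        [int]$PscNodes = 4,                 # assumption: 2 sites x 2 PSCs (matches the slide's 4 SubCAs)
        [int]$VCenterNodes = 6,
        [int]$HostsPerVCenter = 50,
        [int]$SolutionUsersPerPsc = 1,      # assumption: machine
        [int]$SolutionUsersPerVCenter = 4   # assumption: machine, vpxd, vpxd-extension, vsphere-webclient
    )
    # Every PSC and vCenter node carries exactly one Machine SSL certificate
    $machineSsl    = $PscNodes + $VCenterNodes
    $solutionUsers = ($PscNodes * $SolutionUsersPerPsc) + ($VCenterNodes * $SolutionUsersPerVCenter)
    $hosts         = $VCenterNodes * $HostsPerVCenter

    # Subordinate CA: one enterprise-signed CA cert per VMCA; everything else is VMCA-issued
    # Full Custom:    every endpoint gets its own enterprise-issued certificate
    # Hybrid:         only the Machine SSL certs come from the enterprise CA
    # (SubCAs is 0 rather than the slide's N/A so the rows add up)
    $rows = @(
        [ordered]@{ Approach = 'Subordinate CA'; SubCAs = $PscNodes; MachineSSL = 0;           SolutionUsers = 0;              ESXiHosts = 0 }
        [ordered]@{ Approach = 'Full Custom';    SubCAs = 0;         MachineSSL = $machineSsl; SolutionUsers = $solutionUsers; ESXiHosts = $hosts }
        [ordered]@{ Approach = 'Hybrid';         SubCAs = 0;         MachineSSL = $machineSsl; SolutionUsers = 0;              ESXiHosts = 0 }
    )
    foreach ($r in $rows) {
        # Total = certificates an operator must request, install and renew by hand
        $r['Total'] = $r.SubCAs + $r.MachineSSL + $r.SolutionUsers + $r.ESXiHosts
        [pscustomobject]$r
    }
}

# Defaults reproduce the slide: totals of 4, 338 and 10
Get-CertificateWorkload | Format-Table -AutoSize

# The same sizing for a larger estate, e.g. 3 sites with 2 PSCs each and 12 vCenter Servers
Get-CertificateWorkload -PscNodes 6 -VCenterNodes 12 -HostsPerVCenter 80 | Format-Table -AutoSize
```

The Total column is the number of certificates that have to be requested from the enterprise PKI and renewed on a schedule; everything counted as 0 is still a certificate, but one that VMCA issues and renews for you.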

Page 22

Walkthrough: step-by-step available at https://featurewalkthrough.vmware.com

Accompanying blog post at http://vmware.com/go/hybridvmca

Page 23

Page 24

© 2017 VMware Inc. All rights reserved.

vSphere Central: vspherecentral.vmware.com

• Curated repository of vSphere resources including blogs, KBs, videos, and walkthroughs

• Simple to access and a single URL to remember

• Conveniently export resources to PDF for offline viewing

Page 25

vSphere 6.5 Topology & Upgrade Planning Tool: vspherecentral.vmware.com/path-finder

• Guided walkthrough to assist in making critical topology and upgrade decisions

• Provides steps, diagram, and important resources for planning, execution, and post-upgrade

Page 26

Page 27

#migrate2vcsa | @eck79 | @emad_younis

http://blogs.vmware.com/vsphere
