TLS certificates (still widely called "SSL" certificates, after the deprecated predecessor protocol) are one of the key elements that enable HTTPS communication across a network. When administrators log in to VCF management interfaces, TLS encrypts the session so that their passwords and session tokens cannot be read by anyone on the network path.
But there's a catch: encryption on its own only proves that you are talking privately to *someone*. To know that the someone is the management interface you intended to reach, the client must verify that the server's certificate chains to a certificate authority (CA) it already trusts. Without that check, an attacker in the network path could present a certificate of their own and masquerade as the intended destination, and the session would still look "encrypted". This is why web browsers display a very disruptive security warning when they encounter a self-signed certificate or one issued by an unknown CA. Administrators who get into the habit of clicking through these warnings, especially when connecting to production infrastructure, throw away the one signal that would tell them an endpoint has been replaced or intercepted.
Every certificate carries a fixed validity period, and the expiration date is often set a year or more into the future. That distance makes it easy for the IT department to lose track of upcoming expirations, so an expired certificate on a management component sometimes catches everyone off guard. Wouldn't it be great if certificates were simply renewed automatically as their expiration date approaches?
VCF 9 includes a new certificate auto-renewal feature to help private cloud administrators avoid this issue in the future.
How to Enable Certificate Auto Renewal
Certificate auto-renewal is enabled by a switch in the VCF Operations UI, so it’s very quick and easy to implement.

Certificates for Management, Infrastructure, and Hosts are Supported
Auto-renewal supports certificates on any of the management elements in VCF 9, including ESX hosts, infrastructure management appliances, and management components.

Certificate Authority (CA) Support for Auto Renewal
VCF 9 supports Microsoft Active Directory Certificate Services as an external CA, so you can issue CA-signed certificates for all of the management components, like Operations and Automation, as well as the infrastructure management appliances: vCenter Server, NSX Manager, and SDDC Manager. Certificates issued by a Microsoft CA will be automatically renewed.
For environments that do not wish to integrate with a Microsoft CA, there are still supported scenarios where certificates can be automatically renewed.
- The new Fleet Management appliance, which is responsible for deploying and updating the VCF 9 management components, also acts as a certificate authority for those components. If you leave that default in place, the components continue to use this CA and receive new certificates before expiration thanks to auto-renew.
- vCenter Server also incorporates an embedded certificate authority, known as VMCA, for the infrastructure components and VMware ESX hosts to use. These certificates will also be automatically renewed.
- Finally, you can opt to use the embedded OpenSSL CA that is part of SDDC Manager to issue certificates for infrastructure components, but not management components. This CA supports auto-renew.
Note that if you decide to use any of the included VMware certificate authorities, you will need to export that CA's root certificate (and any intermediate) and import it into the trust store of each administrator workstation, so that the operating system and browser recognise the issuer. This is the right way to get rid of the browser warning: the browser still verifies the full chain, it just now knows the CA at the top of it. It is not the same as dismissing the warning, which skips the verification entirely. See this KB article for more information.
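The two things this post keeps coming back to, knowing how long a certificate has left and whether a client trusts the CA that issued it, can both be exercised with plain openssl. The script below is an added example (not VMware's code, and not what VCF or Fleet Management run internally): it builds a throwaway private CA, issues a short-lived leaf certificate from it, reports the days remaining until expiry (the same quantity an expiration alert is computed from), and then shows that the leaf is rejected when the CA certificate is not trusted and accepted when it is, which is exactly what importing the VMware CA root into a workstation trust store changes. The CA name, the hostname and the 30-day validity period are constructed for the example.

```shell
#!/bin/sh
# Added example, not VMware's code. A throwaway private CA built with openssl,
# a short-lived leaf certificate issued by it, and the two checks an
# administrator wants around the certificate lifecycle:
#   1. days left until expiry (what an expiration alert is based on)
#   2. whether a client that does / does not trust the issuing CA accepts it
# The CA name, hostname and 30-day validity below are constructed values.

set -eu

# Build a two-tier test PKI in directory $1: a self-signed root CA plus a
# leaf certificate for a hypothetical SDDC Manager hostname, valid 30 days.
make_test_pki() {
  dir="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example Lab Root CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=sddc-manager.lab.example" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 30 -in "$dir/leaf.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -out "$dir/leaf.crt" 2>/dev/null
}

# Exit 0 if the certificate in $1 expires within the next $2 days (or has
# already expired), i.e. it is inside the renewal window.
expires_within_days() {
  ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Print the whole number of days the certificate in $1 remains valid.
# Binary search over openssl -checkend (about 15 calls) instead of parsing the
# notAfter string with date(1), whose flags differ between GNU and BSD.
# An already-expired certificate prints 0.
days_until_expiry() {
  lo=0
  hi=20000
  while [ "$lo" -lt "$hi" ]; do
    mid=$(( (lo + hi + 1) / 2 ))
    if openssl x509 -in "$1" -noout -checkend $(( mid * 86400 )) >/dev/null 2>&1; then
      lo=$mid            # still valid $mid days from now
    else
      hi=$(( mid - 1 ))
    fi
  done
  echo "$lo"
}

# Exit 0 if certificate $2 chains to a CA in bundle $1 (a client that has
# imported the CA root). The lab CA is not in the system store, so only the
# bundle we pass can make the chain verify.
chain_verified() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Exit 0 if certificate $1 is rejected when no CA bundle is supplied (a
# browser that has not been given the CA root; this is the warning case).
chain_rejected_without_ca() {
  ! openssl verify "$1" >/dev/null 2>&1
}

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
make_test_pki "$WORK"

echo "days until leaf expiry: $(days_until_expiry "$WORK/leaf.crt")"
if expires_within_days "$WORK/leaf.crt" 60; then
  echo "leaf is inside a 60-day renewal window: renew now"
fi
if chain_rejected_without_ca "$WORK/leaf.crt"; then
  echo "without ca.crt the leaf is rejected (this is the browser warning)"
fi
if chain_verified "$WORK/ca.crt" "$WORK/leaf.crt"; then
  echo "with ca.crt trusted the leaf verifies cleanly"
fi
```

Pointing `days_until_expiry` and `expires_within_days` at certificates fetched from your own endpoints (for example with `openssl s_client -connect host:443 -showcerts`) gives you an out-of-band check that complements the VCF Operations alerts, and running `chain_verified` against the exported VMware CA root on a workstation tells you whether the trust-store import took effect without clicking through anything.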
Non-Disruptive Certificate Replacement Technology
Replacing the HTTPS certificate is a process that can impact availability of the management web interfaces as various dependent tasks are performed, services restart, and so on. While the workloads running on vSphere are never affected, this does sometimes require a maintenance window for the management UI or API access.
Now in VCF 9, a new and improved workflow has been implemented for core management components such as vCenter Server. Thanks to this Non-Disruptive Certificate Replacement, the impact on the management interfaces is greatly reduced.
VCF Operations Alerts to Complement Auto Renewal
Once certificate auto-renew is enabled, administrators no longer need to track each expiration by hand. Auto-renew removes the routine work, but any automated renewal can still fail (for example, if the issuing CA is unreachable when renewal is due), so VCF 9 also adds an integration with VCF Operations alerts. This lets you keep tabs on upcoming expirations and confirm that renewals are actually landing, rather than discovering a problem when a management interface stops answering.
Takeaways
Certificate management is an unglamorous chore that is essential to proper functioning of a private cloud. In VCF 9, the task gets a lot easier with auto-renew, Non-Disruptive Replacements, and Operations alerts.
***
Ready to get hands-on with VMware Cloud Foundation 9.0? Dive into the newest features in a live environment with Hands-on Labs that cover platform fundamentals, automation workflows, operational best practices, and the latest vSphere functionality for VCF 9.0.