With security and compliance on the minds of IT staff everywhere, vSphere certificate management is a huge topic. Decisions made can seriously affect the effort it takes to support a vSphere deployment, and often create vigorous discussions between CISO and information security staff, virtualization admins, and enterprise PKI/certificate authority admins. Here are ten things that organizations should consider when choosing a path forward.
1. Certificates are about encryption and trust
Certificates are based on public key cryptography, a technique developed by mathematicians in the 1970s, both in the USA and Britain. These techniques allow someone to create two mathematical “keys,” public and private. You can share the public key with another person, who can then use it to encrypt a message that can only be read by the person with the private key.
When we think about certificates we often think of the little padlock icon in our browser, next to the URL. Green and locked means safe, and red with an ‘X’ and a big “your connection is not private” warning means we’re not safe, right? Unfortunately, it’s a lot more complicated than that. A lot of things need to be true for that icon to turn green.
When we’re using HTTPS the communications between our web browser and a server are sent across a connection protected with Transport Layer Security (TLS). TLS is the successor to Secure Sockets Layer, or SSL, but we often refer to them interchangeably. TLS has four versions now:
- Version 1.0 has vulnerabilities, is insecure, and shouldn’t be used anymore.
- Version 1.1 doesn’t have the same vulnerabilities as 1.0, but it uses the MD5 and SHA-1 algorithms, which are both insecure.
- Version 1.2 adds AES cryptographic ciphers that are faster, removes some insecure ciphers, and switches to SHA-256. It is the current standard.
- Version 1.3 removes weak ciphers and adds features that increase the speed of connections. It is the upcoming standard.
Using TLS means that your connection is encrypted, even if the certificates are self-signed and generate warnings. Signing a certificate means that someone vouches for that certificate, in much the same way as a trusted friend would introduce someone new to you. A self-signed certificate simply means that it’s vouching for itself, not unlike a random person on the street approaching you and telling you that they are trustworthy. Are they? Maybe, but maybe not. You don’t know without additional information.
To get the green lock icon you need to trust the certificate by trusting who signed it. This is where a Certificate Authority (CA) comes in. Certificate Authorities are usually specially selected and subject to rigorous security protocols, because they’re trusted implicitly by web browsers. Having a CA sign a certificate means you inherit the trust from the CA. The browser lock turns green and everything seems secure.
Having a third-party CA sign certificates can be expensive and time-consuming, especially if you need a lot of them (and nowadays you do). As a result, many enterprises create their own CAs, often using the Microsoft Active Directory Certificate Services, and teach their web browsers and computers to trust certificates signed by that CA by importing the “root CA certificates” into the operating systems.
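The difference between a certificate that vouches for itself and one that inherits trust from a CA can be checked with openssl. This is an added example, not part of the original article: the root below is a constructed stand-in for a VMCA or enterprise root, and the host name, subjects and file names are assumptions.

```sh
# Added example. Subjects, host names and file names are constructed for the demo.
set -eu

make_demo_pki() {   # $1 = output directory
  # Self-signed root: stands in for a VMCA or enterprise root CA certificate.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/O=Example Lab/CN=Demo Root CA" \
    -keyout "$1/root.key" -out "$1/root.crt" 2>/dev/null
  # Key and CSR for a hypothetical host, then the root signs the CSR.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=esxi01.lab.example" \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/root.crt" -CAkey "$1/root.key" \
    -CAcreateserial -days 1 -out "$1/leaf.crt" 2>/dev/null
}

# True when certificate $2 chains to a trust anchor. With $1 empty only the
# system's default store is used: the state before the root has been imported.
chains_to_anchor() {
  if [ -n "$1" ]; then
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
  else
    openssl verify "$2" 2>/dev/null | grep -q ': OK$'
  fi
}

# True when subject and issuer are the same name and the signature verifies
# under the certificate's own key (an expired certificate fails this too).
is_self_signed() {
  [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
    "$(openssl x509 -in "$1" -noout -issuer_hash)" ] &&
    chains_to_anchor "$1" "$1"
}

DEMO_DIR="$(mktemp -d)"; trap 'rm -rf "$DEMO_DIR"' EXIT
make_demo_pki "$DEMO_DIR"
for c in root leaf; do
  if is_self_signed "$DEMO_DIR/$c.crt"; then echo "$c: self-signed"
  else echo "$c: signed by another CA"; fi
done
chains_to_anchor "" "$DEMO_DIR/leaf.crt" || echo "leaf: untrusted before the root is imported"
chains_to_anchor "$DEMO_DIR/root.crt" "$DEMO_DIR/leaf.crt" && echo "leaf: trusted with the root as anchor"
```

The leaf certificate is byte-for-byte the same in both checks; only the set of trusted roots changes, which is what importing root CA certificates into an operating system does.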
2. vSphere uses certificates extensively
All communications inside vSphere are protected with TLS. These are mainly:
- ESXi certificates, issued to the management interfaces on all the hosts.
- “Machine” SSL certificates used to protect the human-facing components, like the web-based vSphere Client and the SSO login pages on the Platform Service Controllers (PSCs).
- “Solution” user certificates used to protect the communications of other products, like vRealize Operations Manager, vSphere Replication, and so on.
The vSphere documentation has a full list. The important point here is that in a fully-deployed cluster the number of certificates can easily reach into the hundreds.
3. vSphere has a built-in certificate authority
Managing hundreds of certificates can be quite a daunting task, so VMware created the VMware Certificate Authority (VMCA). It is a supported and trusted component of vSphere that runs on a PSC or on the vCenter VCSA in embedded mode. Its job is to automate the management of certificates that are used inside a vSphere deployment. For example, when a new host is attached to vCenter it asks you to verify the thumbprint of the host ESXi certificate, and once you confirm it’s correct the VMCA will automatically replace the certificates with ones issued by the VMCA itself. A similar thing happens when additional software, like vRealize Operations Manager or VMware AppDefense, is installed.
The VMCA is part of the vCenter infrastructure and is trusted in the same way vCenter is. It’s patched when you patch your PSCs and VCSAs. It is sometimes criticized as not being a full-fledged CA but it is just-enough-CA, purpose-built to serve a vSphere deployment securely, safely, and in an automated way to make it easy to be secure.
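The thumbprint check described above can be reproduced with openssl, and the same sketch shows why the article's later note says a wildcard certificate would give every component the same thumbprint. This is an added example, not VMware code: the certificates and host names are constructed, and SHA-256 as the default digest is an assumption, since the article does not say which digest vCenter displays.

```sh
# Added example. Host names and files are constructed; the digest is an assumption.
set -eu

new_cert() {   # $1 = subject CN, $2 = output path; throwaway self-signed certificate
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$2.key" -out "$2" 2>/dev/null
}

# Digest of the whole DER-encoded certificate, upper-case hex, no separators.
thumbprint() {   # $1 = certificate file, $2 = digest name (default sha256)
  openssl x509 -in "$1" -noout -fingerprint "-${2:-sha256}" |
    sed 's/^.*=//' | tr -d ':' | tr 'abcdef' 'ABCDEF'
}

# Compare with a value read from the host console or another trusted channel.
# The expected value may be in any case, with or without colons or spaces.
thumbprint_matches() {   # $1 = certificate file, $2 = expected thumbprint
  want="$(printf '%s' "$2" | tr -d ': ' | tr 'abcdef' 'ABCDEF')"
  [ -n "$want" ] && [ "$(thumbprint "$1")" = "$want" ]
}

TP_DIR="$(mktemp -d)"; trap 'rm -rf "$TP_DIR"' EXIT
new_cert esxi01.lab.example "$TP_DIR/esxi01.crt"
new_cert esxi02.lab.example "$TP_DIR/esxi02.crt"
new_cert '*.lab.example'    "$TP_DIR/wildcard.crt"

# Per-host certificates: each host has its own thumbprint.
echo "esxi01 $(thumbprint "$TP_DIR/esxi01.crt")"
echo "esxi02 $(thumbprint "$TP_DIR/esxi02.crt")"

# One wildcard certificate copied to both hosts: the thumbprints are identical,
# so the thumbprint no longer tells the two components apart.
cp "$TP_DIR/wildcard.crt" "$TP_DIR/esxi01-wild.crt"
cp "$TP_DIR/wildcard.crt" "$TP_DIR/esxi02-wild.crt"
echo "esxi01 (wildcard) $(thumbprint "$TP_DIR/esxi01-wild.crt")"
echo "esxi02 (wildcard) $(thumbprint "$TP_DIR/esxi02-wild.crt")"
```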
4. There are four main ways to manage certificates
- First, you can just use a self-signed CA certificate. The VMCA is fully-functional once vCenter is installed and automatically creates root certificates to use for signing ESXi, machine, and solution certificates. You can download the root certificates from the main vCenter web page and import them into your operating systems to establish trust and turn the browser lock icon green for both vCenter and ESXi. This is the easiest solution but it requires you to accept a self-signed CA root certificate. Remember, though, that we trust vCenter, so we trust the VMCA.
- Second, you can make the VMCA an intermediate, or subordinate, CA. We do not recommend this (see below).
- Third, you can disable the VMCA and use custom certificates for everything. To do this you can ask the certificate-manager tool to generate Certificate Signing Requests (CSRs) for everything. You take those to a third-party CA, have them signed, and then install them all manually. This is time-consuming and error-prone.
- Fourth, you can use “hybrid” mode to replace the machine certificates (the human-facing certificates for vCenter) with custom certificates, and let the VMCA manage everything else with its self-signed CA root certificates. All users of vCenter would then see valid, trusted certificates. If the virtualization infrastructure admin team desires, they can import the CA root certificates to just their workstations, and then they’ll have green lock icons for ESXi, too, as well as warnings if there is an untrusted certificate. This is the recommended solution for nearly all customers because it balances the desire for vCenter security with the realities of automation and management.
5. Enterprise CAs are self-signed, too
“But wait,” you might be thinking, “we are trying to get rid of self-signed certificates, and you’re advocating their use.” True, but think about it this way: enterprise CAs are self-signed, too, and you have decided to trust them. Now you simply have two CAs, and while that might seem like a problem it really means that a separation exists between the operators of the enterprise CA and the virtualization admin team, for security, organizational politics, staff workload management, and even troubleshooting. Because we trust vCenter, as the core of our virtualization management, we also implicitly trust the VMCA.
6. Don’t create an intermediate CA
You can create an intermediate CA, also known as a subordinate CA, by issuing the VMCA a root CA certificate capable of signing certificates on behalf of the enterprise CA and using the Certificate Manager to import it. While this has applications, it is generally regarded as unsafe because anybody with access to that CA root key pair can now issue certificates as the enterprise CA. We recommend maintaining the security & trust separation between the enterprise CA and the VMCA and not using the intermediate CA functionality.
7. You can change the information on the self-signed CA root certificate
Using the Certificate Manager utility you can generate new VMCA root CA certificates with your own organizational information in them, and the tool will automate the reissue and replacement of all the certificates. This is a popular option with the Hybrid mode, as it makes the self-signed certificates customized and easy to identify. You can also change the expiration dates if you dislike the defaults.
8. Test, test, test!
The only way to truly be comfortable with these types of changes is to test them first. The best way to test is with a nested vSphere environment, where you install a test VCSA as well as ESXi inside a VM. This is an incredible way to test vSphere, especially if you shut it down and take a snapshot of it. Then, no matter what you do, you can restore the test environment to a known good state. See the links at the end for more information on nested ESXi.
Another interesting option is using the VMware Hands-on Labs to experiment with this. Not only are the labs a great way to learn about VMware products year-round, they’re also great for trying unscripted things out in a low-risk way. Try the new vSphere 6.7 Lightning Lab!
9. Make backups
When the time comes to do this for real, make sure you have a good file-based backup of your vCenter and PSCs using the VAMI interface. Additionally, the Certificate Manager utility backs up the old certificates (only one set, though, so think that through), so you can restore them if things go wrong. If things do not go as planned or tested, know that these operations are fully supported by VMware Global Support Services, who can walk you through resolving any problem you might encounter.
10. Know why you’re doing this
In the end the choice of how you manage vSphere certificates depends on what your goals are.
- Do you want that green lock icon?
- Does everybody need the green lock icon for ESXi, or just the virtualization admin team?
- Do you want to get rid of self-signed certificates, or are you more interested in establishing trust?
- Why do you trust vCenter as the core of your infrastructure but not a subcomponent of vCenter?
- What is the difference in trust between the enterprise self-signed CA root and the VMCA self-signed CA root?
- Is this about compliance, and does the compliance framework truly require custom CA certificates?
- What is the cost, in staff time and opportunity cost, of ignoring the automated certificate solution in favor of manual replacements?
- Does the solution decrease or increase risk, and why?
Whatever you decide, know that thousands of organizations across the world have asked the same questions, and out of the discussions have come good understandings of certificates & trust as well as better relations between security and virtualization admin teams. It always helps to have more information. Good luck!
Additional Resources & Notes:
- While we’re not trying to pressure anybody, Hybrid Mode is by far the most popular choice for certificate management, including some very security-conscious organizations. We have a walkthrough that shows every step in the process of enabling it.
- Adam Eckerle has a blog post on hybrid mode. While the post is older the logic in it continues to be true and he goes deep on what you’re signing up for if you choose manual management.
- You can download the VMCA root CA certificates from the main vCenter web page. In vSphere 6.7 the link is in the lower right.
- Wildcard certificates are not supported. It makes sense, since we use certificate thumbprints to identify different components and a wildcard certificate would give everything the same thumbprint.
- The VMware vSphere documentation is an excellent resource for certificate information.
- William Lam has a lot of good nested ESXi resources on his blog. Keep in mind that nested ESXi is not officially supported by VMware but it still makes a great testbed for functional changes like this.
- Wondering about the non-repudiation options when issuing enterprise CA certificates from Active Directory Certificate Services? They’re trust options and Microsoft has a nice writeup on their meaning and importance.
- The EFF has an excellent post on how public key encryption systems work. It’s long but these are complicated topics.
- When you’re replacing certificates it is useful to have multiple browsers installed to compare, and be prepared to clear your cache.
- VMware Labs has a fling, the SDDC Certificate Tool, that is handy for bulk replacements of certificates in an environment.
- VMware Cloud Foundation also takes care of certificates for you, as part of its automation of the whole vSphere lifecycle. Serious time saver and economical!
- Want to learn more about VMware products? The Hands-on Labs are available online, year-round, and there’s nothing saying you need to follow the lab manual all the time… 🙂
(Thanks to Mike Foley, Nigel Hickey, Kev Johnson, David Stamen, and Adam Eckerle in VMware vSphere Technical Marketing for all their previous & continued work on certificate management)