How Certificate Authority works in VMware vCenter

Keywords: VMware SSL

VMware vSphere vCenter Server Appliance (VCSA for short) contains a series of Platform Services Controller services. VMware Certificate Authority (VMCA) is an indispensable part of it. The core authentication services of vCenter Server include the following three components:

1) VMCA, the VMware certificate management service

2) VMAFD, the VMware Authentication Framework Daemon

3) VMDIR, the VMware Directory Service

1. VMCA

VMCA provides the digital certificate service for VMware products in a VMware environment. Its command-line tool is stored on vCenter Server and is started as follows:

# /usr/lib/vmware-vmca/bin/certificate-manager

// After running the above command, the following menu appears:
		 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
		|                                                                     |
		|      *** Welcome to the vSphere 6.7 Certificate Manager  ***        |
		|                                                                     |
		|                   -- Select Operation --                            |
		|                                                                     |
		|      1. Replace Machine SSL certificate with Custom Certificate     |
		|                                                                     |
		|      2. Replace VMCA Root certificate with Custom Signing           |
		|         Certificate and replace all Certificates                    |
		|                                                                     |
		|      3. Replace Machine SSL certificate with VMCA Certificate       |
		|                                                                     |
		|      4. Regenerate a new VMCA Root Certificate and                  |
		|         replace all certificates                                    |
		|                                                                     |
		|      5. Replace Solution user certificates with                     |
		|         Custom Certificate                                          |
		|                                                                     |
		|      6. Replace Solution user certificates with VMCA certificates   |
		|                                                                     |
		|      7. Revert last performed operation by re-publishing old        |
		|         certificates                                                |
		|                                                                     |
		|      8. Reset all Certificates                                      |
		|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|
Note : Use Ctrl-D to exit.

VMCA issues certificates for the following users:

1) system users

2) ESXi host

3) servers running related services

That is, certificates are issued only to clients in the same domain that want to log in using SSO (single sign-on).
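
An added example, not from the original post or from VMware: a shell check that tells whether a Machine SSL certificate chains to the VMCA root (the result of menu option 3) or to some other issuer (as after menu option 1), and whether it is close to expiry. The certificates, the host name vcsa.example.test and all function names are constructed for the demo, and it assumes openssl is installed; on an appliance the two PEM files would be the exported VMCA root and Machine SSL certificate.

```shell
#!/bin/sh
# Added example. All certificates below are constructed stand-ins generated
# locally with openssl; nothing here talks to a real vCenter Server.

# make_demo_pki DIR: build a throwaway root CA (standing in for the VMCA root),
# a leaf signed by it (standing in for a VMCA-issued Machine SSL certificate),
# and an unrelated self-signed certificate for the same host name.
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Demo VMCA Root (constructed)" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=vcsa.example.test" \
        -keyout "$d/machine.key" -out "$d/machine.csr" 2>/dev/null
    openssl x509 -req -in "$d/machine.csr" -days 30 \
        -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
        -out "$d/machine.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=vcsa.example.test" \
        -keyout "$d/other.key" -out "$d/other.pem" 2>/dev/null
}

# chains_to ROOT_PEM CERT_PEM: succeeds only if CERT_PEM verifies against ROOT_PEM.
chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# expires_within CERT_PEM DAYS: succeeds if CERT_PEM expires within DAYS days.
expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# audit_cert ROOT_PEM CERT_PEM WARN_DAYS: print "<issuer-status> <expiry-status>".
audit_cert() {
    if chains_to "$1" "$2"; then issuer=root-issued; else issuer=other-issuer; fi
    if expires_within "$2" "$3"; then expiry=expiring; else expiry=valid; fi
    echo "$issuer $expiry"
}

# Demo run on the constructed certificates.
demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
audit_cert "$demo_dir/root.pem" "$demo_dir/machine.pem" 60   # root-issued expiring
audit_cert "$demo_dir/root.pem" "$demo_dir/other.pem" 60     # other-issuer valid
```

A certificate reported as other-issuer is not necessarily a problem: it is the expected state after a deliberate custom-certificate replacement, and unexpected only where the environment is meant to run on VMCA-issued certificates.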

2. VMAFD

/usr/lib/vmware-vmadir-cli, certool, and vecs-cli

3. VMDIR

dir-cli, certool, and vecs-cli

Posted by eneyas on Tue, 05 Nov 2019 13:41:53 -0800