vSphere uses certificates to:
- Encrypt communications between two nodes, such as vCenter Server and an ESXi host.
- Authenticate vSphere services.
- Perform internal actions such as signing tokens.
vSphere's internal certificate authority, VMware Certificate Authority (VMCA), provides all the certificates necessary for vCenter Server and ESXi. VMCA is installed on every Platform Services Controller, immediately securing the solution without any other modification. Keeping this default configuration provides the lowest operational overhead for certificate management. vSphere provides a mechanism to renew these certificates in the event they expire.
vSphere also provides a mechanism to replace certain certificates with your own certificates. However, it is advised to replace only the SSL certificate that provides encryption between nodes, to keep your certificate management overhead low.
Custom Certificate Integration
vSphere lets customers use custom SSL certificates where company policy mandates them. The following procedures cover changing certificates for various components in a VxRail environment.
- Replacing VxRail Manager's self-signed certificate
  - This procedure is accessible on the SolVe online portal. Go to 'How To' Procedures > 'How To' Change other VxRail Cluster settings > Choose your current VxRail Manager version > Replace the VxRail Manager SSL Certificate, then generate the procedure. If you do not have access to that portal, contact Dell support. For guidance on creating the Certificate Signing Request and modifying the received cert files, see KB article VxRail: How to apply for a new certificate for VxRail Manager.
- Replacing vCenter Server certificates using a Custom Certificate Authority (CA) Signed Certificate
- Manually reestablishing trust between VxRail Manager and vCenter Server after custom certificate integration
- Replacing ESXi host SSL certificates
- Replacing vRealize Log Insight certificates
Note: Generating Certificate Signing Requests (CSRs) using third-party tools or signing them using the company's internal CA is not supported by Dell support.
If you face any issues during certificate replacement, reach out to Dell support for assistance.