Almost all vSphere components, like ESXi, vCenter Server and vSphere Update Manager, make use of SSL certificates. However, the certificates installed during the installation process are signed by VMware and not by a trusted certificate authority (CA), so clients cannot verify them.
Also, the vSphere Hardening Guide (for all components) recommends, for all three profiles, not using the default self-signed certificates for ESXi communication, because:
Using the default self-signed certificates leaves the SSL connection open to Man-in-The-Middle (MiTM) attacks. Replace default self-signed certificates with those from a trusted CA, either commercial or organizational.
The vSphere Hardening Guide recommends the following assessment procedure and, if you need to replace SSL certificates, points to a useful KB:
Connect to each ESX/ESXi host with an internet browser, https://<hostname>/. View the details of the SSL certificate; determine if it is issued by a trusted CA, either commercial or organizational. To change SSL certificates refer to KB “Implementing CA signed SSL certificates with vSphere 5.x (2034833)”.
See figure 1 for the result.
The vSphere Hardening Guide points to the very useful KB 2034833, but it also becomes clear that this is one of many KBs on implementing SSL certificates, and there are even more KBs that are not mentioned.
So, I was very curious how this would work out in a common vSphere Cluster.
Before you start, you have to determine the following:
- Version(s) of vSphere components (vCenter Server, ESXi, etc.) 5.0, 5.1, 5.5 or 6.x.
- vCenter Server (Windows) or the vCenter Server Appliance.
- Commercial CA or internal Windows CA.
Determine which versions of the vSphere components are running in your environment; the instructions for replacing certificates vary from version to version. See the already mentioned KB 2034833 or KB “Configuring CA signed SSL certificates for vSphere Update Manager in vCenter Server 5.1 and 5.5 (2037581)”.
Under the hood, the traditional vCenter Server and the vCenter Server Appliance are very different products, and so are the procedures for replacing the certificates.
Depending on company policy, you can replace the default certificates with certificates from a commercial CA or an organizational CA. The two procedures differ in some details.
Time for a test
At this moment, my test environment (still running on default certificates) consists of the following components:
- ESXi servers 5.5
- vCenter Server Appliance 5.5
- vSphere Update Manager 5.5
- vRealize Orchestrator Appliance / vCenter Orchestrator Appliance 5.5
It is my intention to replace the default certificates with new certificates signed by my own organizational CA.
Before we start, it is also important to follow the correct order, especially in case of a Windows vCenter Server:
- vCenter Single Sign-On
- vCenter Inventory Service
- vCenter Server
- vSphere Web Client and Logbrowser
- vSphere Auto Deploy
- vSphere Update Manager
- vCenter Orchestrator Appliance
- ESXi hosts
The vCenter Server Appliance combines the first five components, but before we start replacing the vCenter Server Appliance certificates, we need to do some preparation.
BTW, the Knowledge Base articles are – as usual – of good quality; it is not my intention to copy-and-paste each and every step, but to present an overview and highlight the important steps.
To make life a little bit easier, VMware has released the SSL Certificate Automation Tool, to automate some parts of the process below. However, I will start the “traditional” way, and will discuss this tool later.
This post is part of a series about vSphere hardening. See also:
As always, I thank you for reading and I welcome your comments.