As I work closely with VMware Support, it’s clear that issues and confusion around vSphere 6.x certificates are still very much a pain-point for customers.
I’ve spoken a bit about this topic in the past (but have been meaning to get back to it). You can see my previous posts below: (Note: even though they say 6.0 they are applicable for 6.5 too)
- Caution: Solution User Certificates in vSphere 6.0
- vSphere 6.x SSL Trust Anchors
- vSphere 6.0 Certificate Series
What I want to achieve by this post is to hopefully dispel some of the confusion. First, repeat the title of this post to yourself – “Just because you can, doesn’t mean you should.”
Just because you can replace any and all certificates in a vSphere environment, doesn’t mean necessarily should.
The only question you need to be able to answer is – “What problem am I trying to solve?”
tl;dr
Long story short, for the majority of use cases, replacing the Machine SSL certificate on each vCenter / PSC should be sufficient. Keep reading for more information.
I’m going to focus on three potential answers to that question.
1. I want to get rid of the annoying browser warning when I access the Web Client
2. Management Interfaces (i.e. Web Client) must run with trusted CA signed certificates.
3. Company Policy mandates that all certificates must be replaced with trusted CA signed certificates.
In my experience, the vast majority of vSphere customers fall into category 1 or 2.
Before we delve into all that, lets run through all the certificates present on a vCenter 6.x system and what they are used for.
Diagrams
Embedded PSC
In this first diagram we illustrate the certificates for a vCenter Server with Embedded PSC
External PSC
In this diagram we illustrate the certificates when using an external PSC. You can extrapolate for larger environments as more PSCs and vCenter’s are added.
Machine SSL Certificate
This the main certificate and the only one you should care about if you answered 1 or 2 to the question above.
It is presented from the server on port 443 via the reverse proxy service and it is what you hit when you access the vSphere Web Client, the HTML5 Web Client (6.5), the PSC UI, the VAMI, use the C# Client (6.0), or use PowerCLI to connect to vCenter.
It is the only user-exposed certificate. If all you care about is not seeing any “untrusted certificate” warnings from any of your interfaces, then this and only this is the certificate you need to change on your Embedded vCenter, External PSC or vCenter machines.
Solution User Certificates
There are four solution user types and you can check the link above for more detail on Solution User certificates.
vCenter and PSC services need to be able to communicate with the VMware Directory Service within an SSO Domain . You have your admin user administrator@vsphere.local and that has a user-defined password.
There are also the solution users, for example, vpxd-machine-uuid@vsphere.local but they don’t have a traditional password. So for these users to log into VMdir, they use certificate based authentication. These certificates are not user-exposed. You should never hit them in your Browser.
VMCA
The VMCA certificate is just that, a CA (certificate authority). It is capable of generating and signing new certificates. It is what issues all the certificates we talk about on a new installation of vSphere 6.x
Trusted Roots
Stores all Issuer Certificates (Root CAs and Intermediate CAs) that have issued Machine SSL Certificates and Solution User Certificates. If running custom certificates, then whatever CA issued those certificates needs to be present here.
Lookupservice Certificate
In 6.5 this certificate is automatically always the same as the Machine SSL so for 6.5 it’s non-issue and you don’t need to worry. In 6.0 this is it’s own certificate and can be seen if you point your browser to the lookupservice address, but only if you specify port 7444 (https://fqdn:7444/lookupservice/sdk).
Unless you have some older vCenters running 5.5 or older versions of NSX and vSphere Replication, you shouldn’t have any products accessing the lookupservice directly on port 7444. All products should be using port 443 to access the lookupservice and as a result they will receive the Machine SSL via the reverse proxy service.
https://kb.vmware.com/kb/2118939
VMDir Certificate
The VMdir certificate is used between PSCs for replication and also between VCs and a PSC, primarily during install when the VC (vmafd service) is registering with the PSC in VMdir.
Like the Solution User certificates, it’s not something that is user-exposed. The only requirement to change this certificate comes when enabling PSC HA and the latest scripts for both 6.0 and 6.5 to enable PSC HA take care of that.
Replace the VMware Directory Service Certificate – VMware Docs
STS Certificate
The Secure Token Signing certificate is almost self-explanatory. When we, a client, (or any solution) logs into an SSO Domain the client is given a session token and that token has been generated and signed by the STS certificate. Again, this is not a user-exposed certificate. Messing with this certificate can result in you getting locked out of your vSphere Environment. I do not advise even attempting to replace this certificate.
What do I need to do?
Back to our question – “What problem am I trying to solve?” and our potential answers
1. I want to get rid of the annoying browser warning when I access the Web Client
2. Management Interfaces (i.e. Web Client) must run with trusted CA signed certificates.
3. Company Policy mandates that all certificates must be replaced with trusted CA signed certificates.
I hope with the explanation about what certificate is used for what purpose, things are clearer as to what options you need to take to satisfy the problem you’re trying to solve.
To solve #1 you don’t even need to replace anything. You can download the VMCA Root certificate and install it in your local machine (or push via Group Policy) and voila, no more annoying “untrusted certificate” warnings. See KB2108294 for more.
If that isn’t enough and you must use a certificate from a trusted CA (either internal CA or commercial CA) and satisfy #2, then you just replace the Machine SSL Certificate(s). Leave the solution users, etc, alone.
Unless it’s absolutely necessary, you shouldn’t bother going to all the pain and effort in replacing any more certificates in the vSphere Environment. If you do, and fall into #3, my advice to you is – do it in a throwaway test VCSA first.
The elephant in the room might be “what about VMCA as a Subordinate?”. This option isn’t recommended by VMware going forward and you can read up on that in a blogpost by vSphere Senior Technical Marketing Guru Adam Eckerle here or by Security Senior Technical Marketing Guru Mike Foley here
I echo what both gents state in their respective blog posts and advocate that only the Machine SSL certificate be replaced unless it is absolutely necessary to replace more certificates.
have you tried reinstalling? 
Thank you, Féidhlim! The best explanation about vCenter / PSC certificates so far.
LikeLiked by 1 person
One of my favorite VMware blogs 🙂 Always full of useful knowledge.
LikeLiked by 1 person
Amazing post! You saved my life before it was even in danger!
LikeLiked by 1 person
Thanks Steve
LikeLike
Finally some useful information thanks
LikeLike
Awesome explanation. Was searching for this kinda info relating to Certs in vCSA.
LikeLiked by 1 person
I can’t post on the actual topic but I wanted to say your article regarding vSphere 6.x trust anchors was a lifesaver! Many thanks for taking those complex VMWare kB articles and simplifying them in an easy to follow blog. It completely resolved my vSphere replication issues after our machine certs expired and I had to renew them. The certificate manager on our DR vcenter server screwed up, while it worked fine in production.
LikeLiked by 1 person
#2, then you just replace the Machine SSL Certificate(s). Leave the solution users, etc, alone. —– and add trusted root CA certificate? isnt it? you forget mention that? or it is not need to do that?
LikeLike
Perfect – just what I was looking for; clear and concise.
LikeLike
I have installed the root certificates and even tried pushing them out via GPO, but i cannot get rid of the untrusted certificate error. this is also preventing me from deploying any ova templates.
Any suggestions?
LikeLike
Hi, are you sure about the Lookupservice certificate? I have such certificate from the upgrade from 5.5 to 6.5 and it is about to expire in 3 days. We have just VCSA 6.5 now, no 5.5 vCenters… Are we going to be affected when it expires? Is it safe to ignore it?
Thanks in advance for your reply! 🙂
LikeLike
Thanks Féidhlim, great to have it explained in real life terms.
LikeLike
You should also consider the SSL certificate used by the VAMI interface on port 5480 for appliance based PSCs or vCenters.
LikeLike
Hi Stuart, this certificate should be the same as the MACHINE_SSL_CERT presented on port 443.
LikeLike