As I work closely with VMware Support, it’s clear that issues and confusion around vSphere 6.x certificates are still very much a pain-point for customers.
I’ve spoken a bit about this topic in the past (but have been meaning to get back to it). You can see my previous posts below (note: even though they say 6.0, they are applicable to 6.5 too):
What I want to achieve by this post is to hopefully dispel some of the confusion. First, repeat the title of this post to yourself – “Just because you can, doesn’t mean you should.”
Just because you can replace any and all certificates in a vSphere environment, doesn’t necessarily mean you should.
The only question you need to be able to answer is – “What problem am I trying to solve?”
Long story short, for the majority of use cases, replacing the Machine SSL certificate on each vCenter / PSC should be sufficient. Keep reading for more information.
Continue reading “vSphere 6.x Certificates – Just because you can, doesn’t mean you should.”
In vSphere 6.x all services and components have Service Registration details recorded in the VMware Directory Service of the Platform Services Controller.
Each Service Registration can contain one or more Endpoint entries.
Each Endpoint may contain an SSL Trust value.
The SSL Trust value must always match the current Machine SSL certificate of the PSC or VC or Embedded node it refers to.
If you use the Certificate-Manager from 6.0 U1b or later, the tool will take care of updating these entries. If you replace the Machine SSL certificate manually, or used the tool before 6.0 U1b, then you may encounter this issue.
Continue reading “vSphere 6.x SSL Trust Anchors”
In this post I’ll explain how to deploy and configure an F5 Load Balancer for use with PSC 6.0 High Availability, using a script to configure the F5. I got tired of manually configuring F5 Load Balancers for testing and lab building, so I scripted the configuration and am sharing it here.
Disclaimer: The configuration of a 3rd Party Load Balancer is not supported by VMware. The 3rd party vendor should be engaged for support. The script in this post is not supported by VMware. Use at your own risk.
I used F5 BIG-IP v12 but have also tested on v11. Other versions may or may not work.
Continue reading “Automatically Configuring an F5 BIG-IP Load Balancer for PSC 6.0 HA”
In this series I’m going to outline, step by step, how to replace your vSphere 6.0 certificates using VMCA as a Subordinate CA, and also how to do so exclusively with your own CA without leveraging VMCA.
Replacing your vSphere 6.0 Certificates using VMCA as a Subordinate CA
NEW: Replacing your vSphere 6.0 Certificates using your own CA (no VMCA)
Replacing your vSphere 6.0 Certificates using a Hybrid model (Coming Soon)
A common issue seen by VMware Support is expired SSL certificates. In vCenter Server 5.1 and 5.5, recovering from expired certificates without re-installing requires a very specific set of steps; otherwise you may end up needing to re-install.
Continue reading “Expired vCenter Server 5.x Certificates”
In vSphere 6.0 you have Solution Users that internal vCenter/PSC services use to interact. These Solution Users use certificates to log into services and components instead of maintaining passwords.
You have the option to replace these certificates with your own certificates or use VMCA issued certificates.
To solve a separate problem, an update to the vSphere Certificate-Manager in 6.0 U1b added the ability to control the Certificate Subject information for Solution Users, allowing the user to specify the Subject information for each Solution User.
Update: vSphere 6.0 U3 has improved the Certificate-Manager to prevent you from getting into this issue. You will only be asked to complete one cfg file, and the tool will automatically make a value unique using the Solution User ID.
Continue reading “Caution: Solution User Certificates in vSphere 6.0”
Configuring PSC HA to utilise SSL Pass-through basically means there is no SSL Certificate on the Load Balancer VIP. To achieve this, all PSCs in the PSC HA Cluster are required to present the same certificate.
It also means that if you suspect your load balancer may be the cause of an issue, you can make vCenter bypass the load balancer and go directly to a PSC by creating a hosts file entry on the vCenter that maps the IP of a PSC to the Load Balanced FQDN.
Continue reading “Configuring PSC 6.0 High Availability with SSL Pass-through”