Certificates in vSphere

Question 1

ESXi certificate

Answer 1

Provisioned By: VMCA 9Default)

Stored locally on an ESXi host in the /etc/vmware/ssl directory when the host is first added to vCenter Server and when it reconnects.

Question 2

Machine SSL certificate

Answer 2

Provisioned By: VMCA (Default)

Stored in VECS.

Used to create SSL sockets for SSL client connections, for server verification, and for secure communication such as HTTPS and LDAPS.

Used by the reverse proxy service, the vCenter Server service (vpxd), and the VMware Directory service (vmdir).

Uses X.509 Version 3 certificates to encrypt session information.

Question 3

Solution user certificate

Answer 3

Provisioned By: VMCA (Default)

Stored in VECS.

Used by solution users to authenticate to vCenter Single Sign-On through SAML token exchange.

Question 4

vCenter Single Sign-On SSL signing certificate

Answer 4

Provisioned: During Installation

Used throughout vSphere for authentication, where a SAML token represents the user’s identity and contains group membership information.

You can manage this certificate from the command line. Changing this certificate in the file system leads to unpredictable behavior.

Question 5

VMware Directory Service (vmdir) SSL certificate

Answer 5

Provisioned: During Installation

Starting with vSphere 6.5, the machine SSL certificate is used as the vmdir certificate.

Question 6

vSphere Virtual Machine Encryption Certificates

Answer 6

Provisioned By: Depends

Used for virtual machine encryption, which relies on an external key management server (KMS).

Depending on how the solution authenticates to the KMS, it might generate certificates and store them in VECS.

Question 7

VECS?

Answer 7

VMware Endpoint Certificate Store