Certificates in vSphere Flashcards
ESXi certificate
Provisioned By: VMCA (Default)
Stored locally on an ESXi host in the /etc/vmware/ssl directory when the host is first added to vCenter Server and when it reconnects.
Machine SSL certificate
Provisioned By: VMCA (Default)
Stored in VECS.
Used to create SSL sockets for SSL client connections, for server verification, and for secure communication such as HTTPS and LDAPS.
Used by the reverse proxy service, the vCenter Server service (vpxd), and the VMware Directory service (vmdir).
Uses X.509 Version 3 certificates to encrypt session information.
Solution user certificate
Provisioned By: VMCA (Default)
Stored in VECS.
Used by solution users to authenticate to vCenter Single Sign-On through SAML token exchange.
vCenter Single Sign-On SSL signing certificate
Provisioned: During Installation
Used throughout vSphere for authentication, where a SAML token represents the user’s identity and contains group membership information.
You can manage this certificate from the command line. Changing this certificate in the file system leads to unpredictable behavior.
VMware Directory Service (vmdir) SSL certificate
Provisioned: During Installation
Starting with vSphere 6.5, the machine SSL certificate is used as the vmdir certificate.
vSphere Virtual Machine Encryption Certificates
Provisioned By: Depends
Used for virtual machine encryption, which relies on an external key management server (KMS).
Depending on how the solution authenticates to the KMS, it might generate certificates and store them in VECS.
VECS?
VMware Endpoint Certificate Store