VMCA Certificate Handling with VMware Cloud Director 10.4


The security of the communication between VMware Cloud Director cells and ESXi hosts has been enhanced in the latest 10.4 release. This impacts the vCenter Server registration process, because the ESXi certificate chain (usually signed by VMCA, the VMware Certificate Authority) must be trusted; otherwise certain features that require direct ESXi communication will stop working (console proxy, OVF import/export, guest customization).

This further builds on the previous security changes, such as the ability to disable hostname verification for vCenter Server or NSX Managers, and aligns with industry security guidelines.

If you want to know more about the previous feature enhancements and the reasoning behind them, please refer to the blog post created by Daniel Paluszek.

In this blog, I will discuss the enhancements made to VMCA certificate handling in VMware Cloud Director 10.4, which has been generally available since 14th July 2022.

Before going further, let's recap what a VMCA certificate is:

vSphere provides security by using certificates to encrypt communications, to authenticate services, and to sign tokens.

vSphere uses certificates to:

  • Encrypt communications between two nodes, such as a vCenter Server and an ESXi host.
  • Authenticate vSphere services
  • Perform internal actions such as signing tokens

vSphere's internal certificate authority, VMware Certificate Authority (VMCA), provides all the certificates necessary for vCenter Server and ESXi. VMCA is installed on every vCenter Server host or Platform Services Controller, immediately securing the solution without any other modifications. Keeping this default configuration provides the lowest operational overhead for certificate management. vSphere provides a mechanism to renew these certificates in the event they expire.

vSphere also provides a mechanism to replace certain certificates with your own certificates. However, it is recommended to replace only the SSL certificate that provides encryption between nodes, to keep your certificate management overhead low.

For more details, please refer to the VMware Documentation.

vCenter Server Registration Changes

The vCenter Server registration process consists of three steps:

  • Retrieve the vCenter Server endpoint certificate and either explicitly or implicitly trust it
  • Register vCenter Server as IaaS/SDDC endpoint (optionally with NSX-V Manager)
  • After vCenter Server is attached, VMware Cloud Director retrieves the VMCA certificate from the Certificate Management section of the vCenter Server. In case this certificate isn't already trusted by VCD, you will be prompted to trust that certificate as demonstrated above.

Note that the assumption is that ESXi host certificates are signed by VMCA. In rare cases where a different CA is used to sign ESXi host certificates, that CA certificate must be imported into the VCD certificate trust store manually.

When using the UI, you will be guided through the three-step registration workflow. However, when using the API, the third step must be completed after the vCenter Server registration. The VMCA certificate can be retrieved with this new API (v37.0):

GET /cloudapi/1.0.0/virtualCenters/{vcUrn}/certificateAuthority/vmca

The vCenter Server must already be registered, as you must supply its URN in the API call. Then the VMCA certificate can be added to the VCD certificate trust store:

POST /cloudapi/1.0.0/ssl/trustedCertificates

Please note that the new API for certificate handling only works with vCenter Server 7.0 or later.
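As an added example (not code from the original post or from VMware), the following Python script performs the API side of the third registration step using only the standard library: it opens a provider session, fetches the VMCA certificate of an already attached vCenter, and posts it to the VCD trust store. The same trust() call serves the manual vCenter Server 6.7 case, where the VMCA PEM is taken from the zip file vCenter serves at /certs/download.zip instead, and fingerprint() gives a SHA-256 value to cross-check entries when auditing the trust store. Assumptions: the VCD URL, credentials and vCenter URN are operator-supplied placeholders, and the POST body uses the alias/certificate fields of the TrustedCertificate schema.

```python
import base64, hashlib, json, re, ssl, urllib.request

API_VERSION = "37.0"  # the VMCA endpoint is available from API version 37.0 (VCD 10.4)
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def pem_blocks(text):
    """Return every PEM certificate in a response body, whether the body is raw
    PEM or JSON carrying the PEM as an escaped string (no field name assumed)."""
    return [b.replace("\\n", "\n") for b in PEM_RE.findall(text)]

def fingerprint(pem):
    """Colon-separated SHA-256 of the DER form, for auditing trust-store entries."""
    hexdigest = hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem.strip())).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def trusted_cert_payload(alias, pem):
    """Body for POST /cloudapi/1.0.0/ssl/trustedCertificates (assumed field names)."""
    if not PEM_RE.search(pem):
        raise ValueError("not a PEM certificate")
    return {"alias": alias, "certificate": pem}

class VcdClient:
    def __init__(self, url, user, password):
        self.url, self.token = url.rstrip("/"), None
        self.ctx = ssl.create_default_context()  # VCD's own certificate is verified
        cred = base64.b64encode(f"{user}@System:{password}".encode()).decode()
        hdrs, _ = self.call("POST", "/cloudapi/1.0.0/sessions/provider", auth="Basic " + cred)
        self.token = hdrs["X-VMWARE-VCLOUD-ACCESS-TOKEN"]

    def call(self, method, path, body=None, auth=None):
        hdrs = {"Accept": f"application/json;version={API_VERSION}",
                "Authorization": auth or "Bearer " + self.token}
        data = json.dumps(body).encode() if body is not None else None
        if data:
            hdrs["Content-Type"] = "application/json"
        req = urllib.request.Request(self.url + path, data=data, method=method, headers=hdrs)
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            return resp.headers, resp.read().decode()

    def vmca_certificates(self, vc_urn):
        """Registration step 3: fetch the VMCA certificate of an attached vCenter."""
        _, body = self.call("GET", f"/cloudapi/1.0.0/virtualCenters/{vc_urn}/certificateAuthority/vmca")
        return pem_blocks(body)

    def trust(self, alias, pem):
        """Add a PEM certificate (VMCA from the API, or from the 6.7 zip) to the trust store."""
        _, body = self.call("POST", "/cloudapi/1.0.0/ssl/trustedCertificates",
                            body=trusted_cert_payload(alias, pem))
        return json.loads(body)
```

Run it as VcdClient(url, user, password).vmca_certificates(vc_urn) and pass each returned PEM to trust(); compare fingerprint() with the certificate shown in vCenter before trusting it.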

If you are running an older version of vCenter Server, i.e. 6.7, you will not get the prompt to trust the VMCA certificate and will still be able to attach the vCenter Server.

However, you will observe an error message in VMware Cloud Director as mentioned below:


This issue is addressed later in this blog.

Walk-through: attaching a vCenter with distinct endpoint and VMCA certificates:

When attaching a vCenter to VMware Cloud Director, the administrator will be presented with the prompt to trust the vCenter certificate (CA signed).

Complete the wizard to connect to the vCenter (after providing the other necessary details), then you will be prompted to trust another certificate. This is the VMCA certificate (self-signed, as in my lab).

What if the VMCA certificate isn't trusted?

If the VMCA certificate isn't trusted, then the following features won't work:

  • Console proxy.
  • Powering on a VM with guest customization.
  • OVF/Media uploads.

What if you are running an older version of VMware Cloud Director, i.e. 10.3, with vCenter Servers attached and you are planning to upgrade VMware Cloud Director to 10.4?

Once you upgrade VMware Cloud Director to 10.4, an advisory will be presented, referring you to KB 78885 for the changes in the vCenter integration.

The following simple procedure will retrieve the VMCA certificates and import them into the VCD trust store:

  • In the upgraded VCD 10.4 go to Resources > Infrastructure Resources > vCenter Server Instances
  • Select the vCenter Server which is already registered
  • Click Edit.

  • Click Save without making any changes. You will be asked to trust the VMCA certificate

  • Review the certificate and click Trust.

Note that the above procedure will work only for vCenter Server instances that are on version 7.0. If you have vCenter Server 6.7 in your environment, you will have to retrieve its VMCA certificate manually and import it into the VCD trust store.

Locate the VMCA certificate in the zip file contents and add it to VCD's trusted certificates.


Alternatively, you can run the cell-management-tool command below to retrieve and trust the certificates of all configured vCenter Server and NSX servers, as well as the VMCA certificates:

/opt/vmware/vcloud-director/bin/cell-management-tool trust-infra-certs --vsphere --unattended

The above command works for both vSphere 7 and 6.7 environments.

However, if this cell-management-tool option is used, you should audit the trusted certificates afterwards and remove those that are unnecessary for VMware Cloud Director.

Thanks to Ankit Shah & Tomas Fojta for their help and collaboration on this effort.
