vSphere SSL Certificates for Mere Mortals
SER2936BU
#VMworld #SER2936BU
Adam Eckerle, @eck79 | VCIX6-DCV | Sr. Technical Marketing Architect
VMworld 2017 Content: Not for publication or distribution
Disclaimer
• This presentation may contain product features that are currently under development.
• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
• Technical feasibility and market demand will affect final delivery.
• Pricing and packaging for any new technologies or features discussed or presented have not been determined.
Certificate Lifecycle Management
VMware Certificate Authority (VMCA)
Located on: Embedded Deployment and Platform Services Controller
VMware Endpoint Certificate Store (VECS)
Located on: Embedded Deployment and vCenter Server Node
VMware Endpoint Certificate Store (VECS)
[Diagram: VMCA issues the signed Machine SSL Certificate, which is stored in VECS. Labels: VMCA, VECS, VMCA Certificate, Signed, Machine SSL Certificate]
VMware Endpoint Certificate Store (VECS)
▪ Repository for Certificates and Private Keys
▪ Mandatory Component
▪ Key Stores:
– Machine SSL Certificates
– Trusted Roots
– Solution Users Certificates
▪ Generally managed via Certificate Manager
▪ vecs-cli available for more advanced operations or automation
▪ Does Not Manage Single Sign-On Certificates
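The slide says vecs-cli is the tool for advanced operations and automation. The following PowerShell is an added example, not code from the deck or from VMware: it wraps vecs-cli to inventory every VECS store and report the issuer and remaining validity of each certificate entry, which is the check an operator wants before a Machine SSL or Solution User certificate silently expires. It assumes it runs on a Windows vCenter node where vecs-cli.exe lives in the vmafdd directory (on the appliance the binary is /usr/lib/vmware-vmafd/bin/vecs-cli), that `vecs-cli store list` prints one store name per line, and that `vecs-cli entry list --store <name>` includes each entry's certificate in PEM form; the 30-day warning threshold is an arbitrary choice.

```powershell
# Added example (not from the deck): inventory VECS stores with vecs-cli and
# report issuer and expiry of every certificate entry.
# Assumed path for the Windows deployment; on the appliance use
# /usr/lib/vmware-vmafd/bin/vecs-cli.
$VecsCli = 'C:\Program Files\VMware\vCenter Server\vmafdd\vecs-cli.exe'

function Get-PemCertificateBlocks {
    # Extract every PEM certificate block from a blob of vecs-cli output.
    param([Parameter(Mandatory)][string]$Text)
    $pattern = '(?s)-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----'
    [regex]::Matches($Text, $pattern) | ForEach-Object { $_.Value }
}

function ConvertTo-X509Certificate {
    # Turn one PEM block into an X509Certificate2 object.
    param([Parameter(Mandatory)][string]$Pem)
    $base64 = $Pem -replace '-----BEGIN CERTIFICATE-----', '' `
                   -replace '-----END CERTIFICATE-----', '' `
                   -replace '\s', ''
    [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        [Convert]::FromBase64String($base64))
}

function Get-VecsCertificateReport {
    # One row per certificate found in any VECS store; Warning is set when
    # the certificate expires within $WarnDays (assumed threshold).
    param([int]$WarnDays = 30)
    $stores = & $VecsCli store list | Where-Object { $_ -match '\S' }
    foreach ($store in $stores) {
        $store = $store.Trim()
        # Assumption: 'entry list' output carries each entry's PEM certificate
        $output = (& $VecsCli entry list --store $store) -join "`n"
        foreach ($pem in (Get-PemCertificateBlocks -Text $output)) {
            $cert = ConvertTo-X509Certificate -Pem $pem
            $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
            [pscustomobject]@{
                Store    = $store
                Subject  = $cert.Subject
                Issuer   = $cert.Issuer
                NotAfter = $cert.NotAfter
                DaysLeft = $daysLeft
                Warning  = ($daysLeft -lt $WarnDays)
            }
        }
    }
}

# Run from an elevated PowerShell session on the vCenter node
Get-VecsCertificateReport | Sort-Object DaysLeft | Format-Table -AutoSize
```

Because the report is built from the PEM blocks themselves rather than from the surrounding text, it is tolerant of minor differences in how vecs-cli labels its output. The TRUSTED_ROOTS store will show up with one row per root; the MACHINE_SSL_CERT store should show a single entry whose issuer is either VMCA or, in hybrid and custom modes, your enterprise CA.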
VMware vSphere 6.x Certificate Types
▪ Machine SSL Certificate
▪ ESXi Certificates
▪ Solution User Certificates
▪ Single Sign-On Certificates
ESXi Certificates
▪ Post-install, ESXi always has an auto-generated certificate
▪ VMCA will provision a signed certificate when the host is joined to vCenter (default mode)
▪ Custom certificates can be used if desired (custom mode)
▪ ESXi certificates are stored locally on each host in /etc/vmware/ssl
▪ VMCA-issued certificates can be renewed via the vSphere Client or PowerCLI
ESXi Certificates
Example:
function refreshcerts {
    [CmdletBinding()]
    param (
        # Host name or VMHost object; accepts pipeline input so you can run
        # Get-VMHost | refreshcerts
        [Parameter(Mandatory, ValueFromPipeline)]
        $vmhost
    )
    process {
        # Resolve the host to its vSphere API view to obtain its managed object reference
        $hostid = Get-VMHost $vmhost | Get-View
        $hostParam = New-Object VMware.Vim.ManagedObjectReference[] (1)
        $hostParam[0] = New-Object VMware.Vim.ManagedObjectReference
        $hostParam[0].value = $hostid.moref.value
        $hostParam[0].type = 'HostSystem'
        # vCenter's CertificateManager re-issues the VMCA-signed host certificate
        $_this = Get-View -Id 'CertificateManager-certificateManager'
        $_this.CertMgrRefreshCertificates_Task($hostParam)
    }
}
Machine SSL Certificates
▪ Server verification and secure communication, e.g. HTTPS or LDAPS
▪ Each node has its own Machine SSL Certificate, i.e. Embedded Deployment, vCenter Server, or Platform Services Controller
▪ All services communicate through the reverse proxy
▪ Traffic does not go to the services themselves, e.g. the vpxd service uses the MACHINE_SSL_CERT to expose its endpoint.
Certificate Replacement Options for vCenter
VMCA Default
• VMCA provides the Root certificate
• All vSphere certificates chain to VMCA
• Regenerate certificates on demand easily
• Recommended
VMCA Enterprise
• Replace VMCA CA cert with a subordinate CA certificate from the Enterprise PKI
• Upon removal of the old VMCA CA certificate, all old certificates will be regenerated
Custom
• Disable VMCA as CA
• Provision custom certificates for each solution user and endpoint
• More complicated
• For highly security conscious customers only
Hybrid
• Replacement of the Machine_SSL certs
• VMCA for Hosts and Solution Users
• Very popular with high security customers
• Recommended
VMware vSphere 6.x Certificate Manager
Appliance Deployment: /usr/lib/vmware-vmca/bin/certificate-manager
Windows Deployment: <Drive>:\Program Files\VMware\vCenter Server\vmcad\certificate-manager
Common Certificate Manager Use Cases
▪ VMCA as Root CA (Default or Option 4)
▪ VMCA as Enterprise CA Subordinate (Option 2)
▪ Custom CA (Option 1 & 5)
▪ Hybrid (Option 1)
Demo: VMCA as Root CA (Default)
Full Custom (No VMCA)
▪ Essentially bypass VMCA
▪ Generate a CSR & Certificate for each:
– Machine SSL
– Solution User
– ESX Host
▪ Manual installation and renewal
▪ Most secure (highly regulated / secure environments)
▪ Most amount of work
VMCA as Enterprise CA Subordinate
▪ Does NOT support wildcard certificates or SubjectAltName
▪ You CANNOT create subsidiary CAs of VMCA
▪ No explicit limit to the length of the certificate chain
▪ Synchronize time for all nodes in the environment
Hybrid Approach Concepts
▪ Custom certificates for the Web Client
▪ VMCA for everything else (Solution Users, ESX hosts)
[Diagram: balance between Operations and Security]
Hybrid Mode: 3rd Party Cert for Client access
What many security-conscious companies are using for their vSphere environments
[Diagram: 3rd Party Certificate Authority DC1.lab.local; VCSA vCenter Server at https://vcsa.lab.local with an SSL certificate issued by the DC1.lab.local Certificate Authority; ESXi host at https://esxi-a.lab.local with an SSL certificate issued by the vcsa.lab.local VMCA]
Implementing Hybrid Mode (High Level)
1. Use Option 1 to:
– Replace Machine_SSL cert on all PSCs in SSO Domain
– Replace Machine_SSL cert on all vCenter Servers in SSO domain
2. Use vSphere Client / PowerCLI to replace certs on ESX hosts
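Once both steps are done, the layout in the hybrid diagram can be confirmed from a client's point of view, i.e. from what the reverse proxy actually presents rather than from what sits in the store. The PowerShell below is an added example and not part of the deck: it opens a TLS session to each endpoint, takes the certificate the server serves, and checks the issuer; the vCenter Machine SSL certificate should name the enterprise CA, the ESXi hosts should name the VMCA. The host names are the ones in the diagram; the issuer patterns are assumptions (VMCA's default root subject carries OU=VMware Engineering, and the lab's enterprise CA is named after DC1) and should be adjusted to your own CA names.

```powershell
# Added example (not from the deck): verify hybrid mode from the outside by
# inspecting the leaf certificate each HTTPS endpoint presents.

function Get-EndpointCertificate {
    # Open a TLS session and return the certificate the server presents.
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Accept any certificate here: the point is to inspect it, not to trust it.
        $accept = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)   # sends SNI for $HostName
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    }
    finally {
        $client.Close()
    }
}

function Test-HybridCertificateLayout {
    # One row per endpoint; IssuedByExpectedCA tells you whether the issuer
    # matches the CA hybrid mode says it should.
    param(
        [string]$VCenter = 'vcsa.lab.local',            # from the diagram
        [string[]]$EsxiHosts = @('esxi-a.lab.local'),   # from the diagram
        # Assumed issuer patterns; adjust to your own CA names
        [string]$EnterpriseCaPattern = 'DC1',
        [string]$VmcaPattern = 'VMware Engineering'
    )
    $checks = @([pscustomobject]@{ Endpoint = $VCenter; Role = 'vCenter Machine SSL'; Expected = $EnterpriseCaPattern })
    foreach ($h in $EsxiHosts) {
        $checks += [pscustomobject]@{ Endpoint = $h; Role = 'ESXi host'; Expected = $VmcaPattern }
    }
    foreach ($c in $checks) {
        try {
            $cert = Get-EndpointCertificate -HostName $c.Endpoint
            [pscustomobject]@{
                Endpoint           = $c.Endpoint
                Role               = $c.Role
                Subject            = $cert.Subject
                Issuer             = $cert.Issuer
                NotAfter           = $cert.NotAfter
                IssuedByExpectedCA = ($cert.Issuer -match $c.Expected)
                Error              = $null
            }
        }
        catch {
            # Unreachable host or failed handshake: report it rather than stop the audit
            [pscustomobject]@{
                Endpoint           = $c.Endpoint
                Role               = $c.Role
                Subject            = $null
                Issuer             = $null
                NotAfter           = $null
                IssuedByExpectedCA = $false
                Error              = $_.Exception.Message
            }
        }
    }
}

Test-HybridCertificateLayout |
    Format-Table Endpoint, Role, Issuer, NotAfter, IssuedByExpectedCA, Error -AutoSize
```

Run this after replacing the Machine_SSL certificate and after refreshing the host certificates; a host still reporting the enterprise CA as issuer, or a vCenter still reporting VMCA, means one of the two steps has not taken effect on that node. Pass your own -VCenter and -EsxiHosts values (for example the output of Get-VMHost | Select-Object -ExpandProperty Name) to cover a whole inventory.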
Let’s Compare!
Example Environment
• 6 vCenter Servers
• 2 Sites
• 50 Hosts per vCenter Server
• 300 Hosts total

Approach       | SubCAs | Machine SSL | Solution Users | ESXi Hosts | Total Certificates
Subordinate CA | 4      | 0           | 0              | 0          | 4
Full Custom    | N/A    | 10          | 28             | 300        | 338
Hybrid         | N/A    | 10          | 0              | 0          | 10
Walkthrough: step-by-step available at https://featurewalkthrough.vmware.com
Accompanying blog post at http://vmware.com/go/hybridvmca
© 2017 VMware Inc. All rights reserved.
vSphere Central: vspherecentral.vmware.com
• Curated repository of vSphere resources including blogs, KBs, videos, and walkthroughs
• Simple to access and a single URL to remember
• Conveniently export resources to PDF for offline viewing
vSphere 6.5 Topology & Upgrade Planning Tool: vspherecentral.vmware.com/path-finder
• Guided walkthrough to assist in making critical topology and upgrade decisions
• Provides steps, diagram, and important resources for planning, execution, and post-upgrade
#migrate2vcsa | @eck79 | @emad_younis | http://blogs.vmware.com/vsphere