
Is vCenter Server & ESXi hosts using VMware Certificate Authority (VMCA) or custom CA certificates?

10/23/2018 by William Lam

Customers have two primary methods of managing TLS certificates for their ESXi hosts: they can use either the built-in VMware Certificate Authority (VMCA), which is part of vCenter Server, or custom CA certificates. I will not go into the gory details, but you can read more about the options here in our documentation.

A question I received recently was whether you can determine the type of certificate an ESXi host was provisioned with, and whether this can be retrieved programmatically using the vSphere API. The answer is yes. In vSphere 6.0, we introduced a CertificateInfo property which contains a number of fields including status, issuer, expiry and subject details. By inspecting either the issuer or the subject property, you can determine the type of certificate on the ESXi host.

Here is a screenshot of the data using the vSphere MOB for an ESXi host that has a VMCA-based certificate:


Here is a screenshot of the data using the vSphere MOB for an ESXi host that has a custom CA certificate:


As you can see, for a VMCA-based certificate the issuer's OU will have a value of "VMware Engineering" and the subject's emailAddress will have a value of "*protected email*".
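One way to apply the issuer check described above to CertificateInfo data, as an added PowerShell example (not the author's Get-VSphereCertificateDetails function). The function name Get-CertificateOrigin, its parameters, the 30-day warning threshold and the sample host records are assumptions constructed for illustration; only the issuer OU is tested.

```powershell
# Added example: classify a host certificate as VMCA or custom from its issuer DN
# and report how long it has left. Names and sample data below are constructed.
function Get-CertificateOrigin {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)] [string]   $Name,
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)] [string]   $Issuer,
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)] [datetime] $NotAfter,
        [datetime] $Now      = (Get-Date),
        [int]      $WarnDays = 30   # assumed threshold for "expiring soon"
    )
    process {
        # Pull every OU component out of the issuer DN string.
        $issuerOUs = [regex]::Matches($Issuer, '(?:^|,)\s*OU=([^,]+)') |
            ForEach-Object { $_.Groups[1].Value.Trim() }
        $daysLeft = [math]::Floor(($NotAfter - $Now).TotalDays)

        [pscustomobject]@{
            VMHost       = $Name
            # Per the article: a VMCA-issued certificate has issuer OU "VMware Engineering".
            Type         = if ($issuerOUs -contains 'VMware Engineering') { 'VMCA' } else { 'Custom' }
            NotAfter     = $NotAfter
            DaysLeft     = $daysLeft
            ExpiringSoon = $daysLeft -le $WarnDays
        }
    }
}

# Constructed sample records standing in for each host's CertificateInfo.
$now = [datetime]'2018-10-23'
$samples = @(
    [pscustomobject]@{ Name = 'esxi-01.example.test'
                       Issuer = 'O=vcsa.example.test, OU=VMware Engineering'
                       NotAfter = [datetime]'2023-10-20' }
    [pscustomobject]@{ Name = 'esxi-02.example.test'
                       Issuer = 'CN=Example Issuing CA, DC=example, DC=test'
                       NotAfter = [datetime]'2018-11-15' }
)
$samples | Get-CertificateOrigin -Now $now | Format-Table -AutoSize

# Live use with PowerCLI (requires Connect-VIServer first):
#   Get-VMHost | ForEach-Object {
#       $ci = (Get-View $_.ExtensionData.ConfigManager.CertificateManager).CertificateInfo
#       Get-CertificateOrigin -Name $_.Name -Issuer $ci.Issuer -NotAfter $ci.NotAfter
#   }
```

A host classified as Custom while the rest of the cluster is VMCA (or the reverse) is worth reviewing, since it may indicate an incomplete certificate conversion.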

In addition, you might also be interested in whether your vCenter Server is currently configured for VMCA or custom certificates. Using the vSphere UI, you can easily check this by looking at the vCenter Server Advanced Setting vpxd.certmgmt.mode which can have a value of vmca, custom or thumbprint. For more information on how to change this value, you can take a look at the documentation here.


Now that we know where to find this information, let's put all this together into a nice automated script that we can use! I have created a PowerShell function called Get-VSphereCertificateDetails which can be downloaded from here. The function will inspect both your vCenter Server (it also supports connecting directly to an ESXi host) and all ESXi hosts managed by the vCenter Server. The output will provide the certificate mode of your vCenter Server as well as details for each of the ESXi hosts. Another benefit of this script is the ability to retrieve the current certificate expiry of all your ESXi hosts, which was not easy to do in the past as described in this article here.

Here is a sample output for an environment that is using VMCA-based certificates:


Here is a sample output for an environment that is going through a custom certificate conversion:


Filed Under: Automation, ESXi, VCSA, vSphere Tagged With: expiry, PowerCLI, ssl certificate, TLS, VMCA, VMware Certificate Authority, vSphere
