I like VMware and their core products like vCenter, ESXi, etc. Personally, one thing I really admire is the general quality of these products, how reliable they are, how well they work, and how VMware works to address pain points of them to make them extremely usable. They just work.
However, certificate management has been a big pain point of the core vSphere product line. There’s just no way around it. And certificates are important. You want to ensure the systems you’re connecting to when you manage them are those systems. For many customers I’ve worked with, because of the pain of certificate management within vSphere, the fact that some customers are too small and don’t have an on premise Certificate Authority, and to ensure the product continues to work, they often don’t replace the default self-signed certificates generated by vSphere.
That’s obviously less than ideal. The good news is certificate management has been completely revamped in vSphere 6. It’s far easier to replace certificates if you like, and you have some flexibility as to how you go about this.
Three Models of Certificate Management
Now, you have several choices for managing vSphere certificates. This post will outline them. Later, I’ll show you how you can implement each model. Much of this information comes from a VMworld session I attended called “Certificate Management for Mere Mortals.” If you have access to the session video, I would highly encourage viewing it!
Before we get into the models, be aware that certificates can basically fall under one of two categories – certificates that facilitate client connections from users and admins, and certificates that allow different product components to interact. Also, vCenter also has built in Certificate Authority functionality within it. That’s a bit obvious since you already had self-signed certificates, but this functionality has been expanded. For example, you can allow vCenter to act as a subordinate authority of your enterprise PKI, too!
Effectively, this means you have some questions up front you want to answer:
- Are you cool with vCenter acting as a certificate authority at all? The biggest reason to use vCenter is it is easier to manage certificates this way, but your security guidelines may not allow it.
- Are you cool with vCenter being a root certificate authority should you be cool with it generating certificates? If not, you could make it a subordinate CA.
- For each certificate, which certificate authority should generate them? Maybe your security requirement that the internal PKI must be used is only for certificates viewable on client connections as an example.
From these questions, typically a few models emerge for certificate management. You effectively have four models that emerge, which is a combination of your vCenter acting as a certificate authority or not, and which certificates it will generate.
Model 1: Let vCenter do it all!
This model is pretty straight forward. vCenter will act as a certificate authority for your vSphere environment, and it will generate all the certificates for all the things! This can be attractive for several reasons.
- It’s by far the easiest to implement. It will generate all your certificates for you pretty much, and install them.
- It’ll definitely work. No worries about generating the wrong certificate.
- If you don’t have an internal CA, you’re covered! vCenter is now your PKI for vSphere. Sweet! You can even export vCenter’s root CA certificate, and import it into your clients using Active Directory Group Policy, or other technologies to get client machines to automatically trust these certificates! Note that it is unsupported for vCenter to generate certificates for anything other than vSphere components.
Model 2: Let vCenter do it all as a subordinate CA to your enternal PKI
Very similar model to the above. The only exception is instead of vCenter being the root CA, you make vCenter become a subordinate CA for your enterprise PKI. This allows your vCenter server to more easily generate certificates that are trusted automatically by client machines. Yet it also ensures that certificates are still easily generated and installed properly.
However, it is a bit more involved than the first model, since you must create a certificate request (CSR) in vCenter to submit to your enterprise PKI, and then install the issued certificate within vCenter manually.
Model 3: Make your enterprise PKI issue all the certificates
Arguably the most secure if your enteprise PKI is secured, this model is pretty self-explanatory. You don’t make use of any of the certificate functionality within vCenter. Instead, you must manually generate all certificate requests for all vCenter components, ESXi servers, etc., submit them to your enterprise PKI, and install all the resulting certificates for each yourself.
While this could be the most secure way to go about certificate management, it is by far the most laborious solution to implement, and it is the solution that is most likely to be problematic. You have to ensure your PKI is configured to issue the correct certificate type and properties, you have to install the right certificates on the right components, etc. It’s all pretty much on you to get everything right!
Model 4: Mix and match! (SAY WHAT?!?!?)
When I first heard this being discussed in the session, my immediate reaction by my security inner conscious was, “This sounds like a REALLY bad idea!!!”
But as I listened, it actually makes quite a bit of sense when done properly. You can mix and match which certificates are and are not generated by the PKI components within vCenter. However, the model that makes sense if you go hybrid (a hybrid solution doesn’t make sense for everyone!) would be to allow vCenter to manage the certificate generation for all certificates that facilitate vSphere component communication, but use either Model 1, 2, or 3 for all other certificates that facilitate client connections. Should this meet your security requirement, it meets the best of both worlds – certificates issued by your internal PKI that your clients automatically trust and thereby (potentially) more secure, but ease of management and better reliability for all the certificates that clients don’t see for internal vSphere components.
Which should you go with?
I hate using the universal consultant answer, but I have to. It depends. If you don’t have an internal PKI, go with Model 1.
If you have an internal PKI just because you had to for something else, and you want easy trusting of vSphere connections by your clients, go with model 1 and import vCenter’s root CA into your client machines, OR go with Model 2. Which one in this case? If you don’t consider yourself really good at PKI management, or if you don’t need many machines to be able to connect to vSphere components, probably Model 1. The more clients that need to connect, the more it might lean you towards Model 2.
Do you have security requirements that prevent you from using vCenter’s PKI capabilities altogether? You have no choice, go with Model 3.
I would generally try though for people who think they need to go with Model 3 to look at Model 4’s hybrid approach. Unless you absolutely have to go with Model 3, go Model 4.
Hope this helps!