vCert Manager – Changing VMware SSL Certs Made Easy

During my VMworld session presentation INF-SEC1282 Automating Security and Compliance with DR (VMworld account required to access recording) I gave a world premiere glimpse of a prototype solution that will allow completely automated management of SSL Certificates in a vSphere environment. The solution is still under development. But if you’d like to peek into the future of an easy and completely automated SSL management world for vSphere then this article is for you.

The session was an outstanding success, and we received a massive response from the audience during and subsequent to the session. As a result of this positive feedback we’ve decided to make the demo video available to the public on YouTube here and displayed below. I’m the lead architect of the solution and I’m working with VSS Labs based in Singapore and Philippines. If after reviewing the demo you’d like to become part of the early adopter / beta program please visit the VSS Labs web site and register your expression of interest by filling in the Early Adopter Form.

Some things you should know about the demo before you watch it:

  1. This is a very early prototype and is a standalone .NET application in this demo. The full version will be web based and we will likely have .NET or Java / Virtual Appliance options. We’d appreciate feedback on which variant would be the highest priority.
  2. In the demo we are only showing the replacement of ESXi certs, but the intention is to support ESX/ESXi 4.x and 5.x out of the gate, in addition to vCenter, vSphere Web Client and selected integrated components and management tools, such as VMware View, vCloud Director, SRM, vShield, vCOps. Your feedback on the most critical components to support upon GA would be valuable.
  3. We will be supporting multiple Certificate Authorities, both private and public. We will support standalone and enterprise / AD integrated Windows CAs (2003 and 2008 version). Public CA support may still require some manual steps if APIs are not available, but the creation of the CSR, the applying of the certs and the lifecycle management of the cert will be automated.
  4. The minimum key length supported will be 1024 bits, with a maximum of 4096 bits and a default of 2048 bits.
  5. In the demo we use a standalone Windows CA; this is the reason for the message in IE being displayed towards the end of the demo. The CA’s cert was not pre-trusted in the system where the browser is being run. This message would not be displayed had an AD Integrated Enterprise CA been used.

Once you have watched the demo please complete the brief survey below.

Please let us know what your thoughts are on the most critical components we should support when we release vCert Manager 1.0.

Final Word

Managing SSL Certs in a VMware environment is a very complicated, time-consuming, error-prone, and costly task. My hope is that vCert Manager will revolutionize SSL Management in VMware environments and make it simple, easy, and cost effective to change and maintain SSL certificates throughout their lifecycle, for all customers, providing a more secure platform to many customers that wouldn’t or couldn’t currently change their SSL certificates. If after reading this article and seeing the demo you still want to do your certificates manually then please feel free to check out my article on Updating SSL Certificates in vSphere 5. I look forward to receiving some good feedback and comments.

This post first appeared on the Long White Virtual Clouds blog at longwhiteclouds.com by Michael Webster. Copyright © 2012 – IT Solutions 2000 Ltd and Michael Webster. All rights reserved. Not to be reproduced for commercial purposes without written permission.

  1. Ronny
    September 16, 2012 at 8:46 pm

    This is really a great idea! I hope that this project will be integrated into vSphere sooner than later! Especially changing SSL certs for vCenter is really time consuming and painful as you have to copy the certs to five different directories, run some CLI commands, etc. BTW: is it planned that SANs (Subject Alternate Names) are also supported by vCert Manager (used by SRM)?

    • September 16, 2012 at 8:56 pm

      Hi Ronny,

      Yes, SANs are supported and the intelligence is built into vCert Manager for the CSRs to request them. Some prerequisites exist on the CAs, however; that’ll be in the docs. Cert Templates need to support them properly. For SRM the SAN will be FQDN, ShortName and IP. Common Name will be user defined.

  2. September 17, 2012 at 10:58 am

    I can’t wait for this tool! SSL configuration with VMware products is extremely, extremely, highly frustrating! It’s even worse in vSphere 5.1. The tool will negate the need for some of my blog posts, but I’ll gladly trade that for not pulling out my hair when trying to properly configure certificates.

    The tool should also manage the SSL certificates needed for the SSO Service installer to establish a SSL connection to the back-end MS SQL server. The process of configuring the JDBC URL and keystore for trusted SSL is very tedious and not documented anywhere in VMware docs that I know of. I had to figure it out for myself.


  3. Mike J
    September 18, 2012 at 6:00 am

    Great idea. I am in the process of creating a plan to update 200+ hosts with signed certificates. This will be time consuming. This may adjust some of the design times. Hopefully this is out sooner than later. Good work.

  4. Wasim Shaikh
    September 23, 2012 at 7:58 am

    This is going to be one of the best solutions. I don’t know why VMware didn’t include such kind of certificate management as default when they introduced SSO, Inventory, vCenter, Web Client in 5.1. It’s really painful to manage certificates. Hope to see this tool in market soon.

  5. Wasim Shaikh
    September 23, 2012 at 8:00 am

    Thanks to Derek Seaman, he has put a lot of effort into documenting the procedure.

  6. Peter Van Geem
    October 31, 2012 at 7:16 am

    Really Super Great idea !! Looking forward to this solution!! Tnx Michael!

  7. Nicolas Dassy
    October 31, 2012 at 9:43 am

    Good luck for this great project… You are right when you discuss about the pain to work with these certificates! I wish you much success

  8. Paul Sheard
    December 7, 2012 at 12:01 am

    Awesome work Michael!


  9. January 7, 2013 at 10:27 am

    Any idea when this tool will be released?

    • January 7, 2013 at 10:30 am

      We’re expecting vCert Manager to be generally available this quarter (Q1 2013). It will be in Beta shortly.

  10. January 7, 2013 at 10:40 am

    Thanks for the quick update. Can we still sign up for the Beta?

    • January 7, 2013 at 10:43 am

      You sure can. Just complete the early adopter form that I’ve linked through to in the article and you’ll be contacted as soon as the general beta is available.
