Certificate Authority Pki Software Server Appliance


The QR-CERT software is a specialized package of applications dedicated to building a Public Key Infrastructure system together with a smart-card personalization and management system. It is made up of a number of functional modules, so the set of functions to implement can be selected flexibly. The software is intended for large organizations and corporate environments with a PKI infrastructure and microprocessor cards. QR-CERT is a solution both for companies that plan to build their own PKI infrastructure and for entities planning to provide PKI services. It enables advanced security mechanisms such as secure e-mail (S/MIME), electronic signatures (PKCS#7, XAdES), protection of network traffic (IPSEC, SSL/TLS), strong authentication for service portals (HTTPS) and strong user authentication to a Windows ActiveDirectory domain.

With vSphere 6.0 the vCenter Virtual Server Appliance (VCSA) now has a component called the Platform Services Controller (PSC). The PSC handles things like SSO and the License Server, and it ships with its own Certificate Authority called the VMware Certificate Authority (VMCA).


In this blog post we'll quickly go over some of the modes of VMCA operation and how to download and install the VMCA root certificate into your browser.

VMCA overview

VMCA issues certificates for VMware solution users, machine certificates for machines on which services are running, and ESXi host certificates. Host provisioning happens when the ESXi host is added to vCenter Server explicitly or as part of the ESXi host installation.

VMware Endpoint Certificate Store (VECS) serves as a local (client-side) repository for certificates, private keys, and other certificate information that can be stored in a keystore. You can decide not to use VMCA as your certificate authority and certificate signer, but you must use VECS to store all vCenter certificates, keys, and so on.


ESXi certificates are stored locally on each host and not in VECS. VECS runs on every embedded deployment, Platform Services Controller node, and management node and holds the keystores that contain the certificates and keys.

With VMCA you can deal with certificates in three different ways. For the purposes of discussion we'll call them VMCA Default, VMCA Enterprise and Custom.

VMCA Default: VMCA uses a self-signed root certificate. It issues certificates to vCenter, ESXi, etc. and manages these certificates. These certificates have a chain of trust that stops at the VMCA root certificate. VMCA is not a general purpose CA and its use is limited to VMware components.

VMCA Enterprise: VMCA is used as a subordinate CA and is issued a subordinate CA signing certificate. It can now issue certificates that chain up to the enterprise CA's root certificate. If you have already issued certs using VMCA Default and then replace VMCA's root cert with a CA signing cert, all certificates issued will be regenerated and pushed out to the components.

Custom: In this scenario VMCA is completely bypassed. This scenario is for those customers that want to issue and/or install their own certificates. You will need to issue a cert for every component, not unlike you do today for 5.5 when using 3rd party certs. And all of those certs (except for host certs) need to be installed into VECS.

In Default and Enterprise modes VMCA certificates can be easily regenerated on demand.

Important: For vSphere 6.0 the procedure for installing these certificates has changed from vSphere 5.x.

In order to make this procedure less painful a new Certificate Manager tool is shipped as part of vCenter for Windows and VCSA. It will be located here:

Windows: C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager
Linux: /usr/lib/vmware-vmca/bin/certificate-manager

The procedure will be fully documented and will be the topic of a future blog article.

Downloading VMCA's Root Certificate

Today when you connect to VCSA you get a browser certificate warning page like this [screenshot omitted] or this [screenshot omitted]. Ugly, "feels" insecure, gets the security guys all wound up (and we can't have that happen!). Let's get the root certificate from the VCSA and VMCA and install it in the browser so we don't see these pages anymore.

Get the root certificate

Open up your web browser and go to the VCSA home page.


[screenshot of the VCSA home page omitted] I've outlined in red the link you'll want to click on.

What you'll get now is a folder in your Downloads folder called "certs". In that folder are two files. It may also download as a zip file, depending on your browser; you may have to rename the file "download" to "download.zip".

The file ending in .r0 is the Certificate Revocation List in DER format.

You can view the CRL by running

openssl crl -inform DER -in <file>.r0 -text -noout

(the -inform DER flag tells openssl the file is DER rather than the PEM it expects by default).

The file ending in .0 is the root CA certificate in PEM format. You can view the CA cert by running

openssl x509 -in <file>.0 -text -noout

Installing the Root Certificate in the Firefox browser

The root CA is the one we'll install in our browser. By doing this, the certificate presented by VCSA will chain its root of trust to the imported VMCA root CA certificate.

In Firefox I opened up the certificate list in Advanced settings and selected "Authorities". I then clicked on Import, selected the .0 file and was presented with this option [screenshot omitted]. Select "Trust this CA to identify websites" and click OK. Your root CA is now imported, and if you open the VCSA web page you'll find you are no longer presented with the option to verify the certificate.

You may need to close and reopen the browser. The process is similar for other browsers and is well documented for adding the root CA to Windows, Linux and Mac key stores if you prefer to do it that way.

Note: You'll need to access the VCSA by its FQDN and not its IP address (like I normally do in a lab environment!). Otherwise you'll get an error like this [screenshot omitted]. Note that any resource that presents a web page that has its certificate issued by VMCA will now show up as trusted. For example, host certificates will be valid as well!

Mike Foley is a Staff Technical Marketing Architect for vSphere Security at VMware. His primary goal is to help IT Admins build more secure platforms that stand up to scrutiny from security teams with the least impact to IT Operations. Mike is also the current author of the vSphere Security Configuration (formerly Hardening) Guide. Previously, Mike was on the evangelist team at RSA where he concentrated on virtualization and cloud security.
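The inspection commands above, plus a check of what the browser import actually buys you, as an added example that is not part of this post or of any VMware tooling. It generates a throwaway root CA (standing in for the VMCA root, with the appliance FQDN in the O= field the way a VMCA root carries it), an empty DER CRL and a server certificate for the appliance, then runs the post's openssl crl and openssl x509 commands and uses openssl verify to show why the FQDN works and the IP address does not. The working directory, the hostname vcsa.lab.example, the IP 192.0.2.10 and all file names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post). A throwaway CA generated here
# stands in for the VMCA root; hostname, IP and paths are constructed.
set -eu

WORK="${TMPDIR:-/tmp}/vmca-demo.$$"
FQDN="vcsa.lab.example"        # constructed; use your VCSA's real FQDN
CA_PEM="$WORK/ca.0"            # same naming as the VCSA download: .0  = root CA (PEM)
CA_CRL="$WORK/ca.r0"           #                                    .r0 = CRL (DER)

# Build a self-signed root whose O= field carries the appliance FQDN (the layout
# a VMCA root uses), a DER CRL issued by it, and a server cert for the FQDN of
# the kind VMCA hands to the vCenter machine.
make_demo_certs() {
  [ -f "$WORK/vcsa.crt" ] && return 0          # already built
  mkdir -p "$WORK"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/ca.key" -out "$CA_PEM" \
    -subj "/CN=CA/O=$FQDN/OU=VMware Engineering" 2>/dev/null
  # Minimal 'openssl ca' config: only what -gencrl needs.
  cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = demo
[ demo ]
database = $WORK/index.txt
crlnumber = $WORK/crlnumber
default_md = sha256
default_crl_days = 30
EOF
  : > "$WORK/index.txt"
  echo 01 > "$WORK/crlnumber"
  openssl ca -config "$WORK/ca.cnf" -gencrl -keyfile "$WORK/ca.key" \
    -cert "$CA_PEM" -out "$WORK/ca.crl.pem" 2>/dev/null
  openssl crl -in "$WORK/ca.crl.pem" -outform DER -out "$CA_CRL"
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/vcsa.key" \
    -out "$WORK/vcsa.csr" -subj "/CN=$FQDN" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$FQDN" > "$WORK/san.cnf"
  openssl x509 -req -days 30 -in "$WORK/vcsa.csr" -CA "$CA_PEM" \
    -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/san.cnf" \
    -out "$WORK/vcsa.crt" 2>/dev/null
}

# The two inspection commands from the post. The CRL is DER, so say so:
# older openssl releases assume PEM and fail to parse the .r0 file otherwise.
show_crl()  { openssl crl  -inform DER -in "$CA_CRL" -text -noout; }
show_root() { openssl x509 -in "$CA_PEM" -text -noout; }

# Organisation field of the root; on a real VMCA root this names the issuing PSC.
root_org() {
  openssl x509 -in "$CA_PEM" -noout -subject -nameopt RFC2253 |
    sed -n 's/.*O=\([^,]*\).*/\1/p'
}

# Was the CRL really signed by the root we downloaded? Exit status 0 means yes.
crl_signed_by_root() {
  openssl crl -inform DER -in "$CA_CRL" -CAfile "$CA_PEM" -noout >/dev/null 2>&1
}

# What the browser decides after the import: does the server cert chain to the
# root AND match the name in the URL? By FQDN it passes; by IP it fails because
# the cert carries no IP SAN, which is the error the post's note warns about.
trusted_for_host() {
  openssl verify -CAfile "$CA_PEM" -verify_hostname "$1" "$WORK/vcsa.crt" >/dev/null 2>&1
}
trusted_for_ip() {
  openssl verify -CAfile "$CA_PEM" -verify_ip "$1" "$WORK/vcsa.crt" >/dev/null 2>&1
}

make_demo_certs
cp "$CA_PEM" "$WORK/ca.crt"   # tools that key on the extension want .crt rather than .0
echo "== CRL (.r0, DER) =="; show_crl | head -n 12
echo "== Root CA (.0, PEM) =="; show_root | head -n 12
echo "root O= field: $(root_org)"
crl_signed_by_root && echo "CRL is signed by the downloaded root"
trusted_for_host "$FQDN" && echo "https://$FQDN/ would be trusted after the import"
trusted_for_ip 192.0.2.10 || echo "https://192.0.2.10/ would still warn (no IP in the cert)"
```

The verify calls are the closest command-line equivalent of what Firefox does once the root is in its Authorities list: build the chain to the imported root, then match the URL's host against the certificate's names. Importing the root fixes the first half only, which is why the appliance still has to be reached by FQDN.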

Mike was awarded a patent (8,601,544) in December 2013 for dual-band authentication using the virtual infrastructure. Mike has a personal blog at and contributes to the VMware vSphere and Security blogs as well. Follow him at @vSphereSecurity on Twitter.

VirtualJMills, September 8th, 2015

FWIW, depending on how you deployed your PSCs you might end up with a separate VMCA "CA Certificate" and associated CRL per PSC as part of the "download.zip" file (VCSA landing page "Download trusted root CA certificates" link). The "Organization" informational element of the certificate will show the FQDN of the issuing PSC or VCSA+PSC. Also, if you're working with a client-side system that prefers well-known file extensions, add .crt to the end of the filename of the .0 files.