6.7
Table Of Contents
- Platform Services Controller Administration
- Contents
- About Platform Services Controller Administration
- Getting Started with Platform Services Controller
- vCenter Server and Platform Services Controller Deployment Types
- Deployment Topologies with External Platform Services Controller Instances and High Availability
- Understanding vSphere Domains, Domain Names, and Sites
- Platform Services Controller Capabilities
- Managing Platform Services Controller Services
- Managing the Platform Services Controller Appliance
- vSphere Authentication with vCenter Single Sign-On
- Understanding vCenter Single Sign-On
- Configuring vCenter Single Sign-On Identity Sources
- Understanding vCenter Server Two-Factor Authentication
- Using vCenter Single Sign-On as the Identity Provider for Another Service Provider
- Security Token Service STS
- Managing vCenter Single Sign-On Policies
- Managing vCenter Single Sign-On Users and Groups
- Add vCenter Single Sign-On Users
- Disable and Enable vCenter Single Sign-On Users
- Delete a vCenter Single Sign-On User
- Edit a vCenter Single Sign-On User
- Add a vCenter Single Sign-On Group
- Add Members to a vCenter Single Sign-On Group
- Remove Members from a vCenter Single Sign-On Group
- Delete vCenter Single Sign-On Solution Users
- Change Your vCenter Single Sign-On Password
- vCenter Single Sign-On Security Best Practices
- vSphere Security Certificates
- Certificate Requirements for Different Solution Paths
- Certificate Management Overview
- Managing Certificates with the vSphere Client
- Managing Certificates from the vSphere Web Client
- Managing Certificates with the vSphere Certificate Manager Utility
- Certificate Manager Options and the Workflows in This Document
- Regenerate a New VMCA Root Certificate and Replace All Certificates
- Make VMCA an Intermediate Certificate Authority (Certificate Manager)
- Generate CSR with vSphere Certificate Manager and Prepare Root Certificate (Intermediate CA)
- Replace VMCA Root Certificate with Custom Signing Certificate and Replace All Certificates
- Replace Machine SSL Certificate with VMCA Certificate (Intermediate CA)
- Replace Solution User Certificates with VMCA Certificates (Intermediate CA)
- Replace All Certificates with Custom Certificate (Certificate Manager)
- Revert Last Performed Operation by Republishing Old Certificates
- Reset All Certificates
- Manual Certificate Replacement
- Managing Services and Certificates with CLI Commands
- Troubleshooting Platform Services Controller
- Determining the Cause of a Lookup Service Error
- Unable to Log In Using Active Directory Domain Authentication
- vCenter Server Login Fails Because the User Account Is Locked
- VMware Directory Service Replication Can Take a Long Time
- Export a Platform Services Controller Support Bundle
- Platform Services Controller Service Logs Reference
Certificate Type Certificate Requirements
Root certificate
n
You can use vSphere Certificate Manager to create the
CSR. See Generate CSR with vSphere Certificate Manager
and Prepare Root Certificate (Intermediate CA)
n
If you prefer to create the CSR manually, the certificate that
you send to be signed must meet the following
requirements.
n
Key size: 2048 bits or more
n
PEM format. VMware supports PKCS8 and PKCS1
(RSA keys). When keys are added to VECS, they are
converted to PKCS8
n
x509 version 3
n
If you are using custom certificates, the CA extension
must be set to true for root certificates, and cert sign
must be in the list of requirements.
n
CRL signing must be enabled.
n
Enhanced Key Usage must not contain Client
Authentication or Server Authentication.
n
No explicit limit to the length of the certificate chain.
VMCA uses the OpenSSL default, which is 10
certificates.
n
Certificates with wildcards or with more than one DNS
name are not supported.
n
You cannot create subsidiary CAs of VMCA.
See VMware Knowledge Base Article 2112009, Creating
a Microsoft Certificate Authority Template for SSL
certificate creation in vSphere 6.0, for an example using
Microsoft Certificate Authority.
Machine SSL certificate You can use vSphere Certificate Manager to create the CSR or
create the CSR manually.
If you create the CSR manually, it must meet the requirements
listed previously under Requirements for All Imported
Certificates. You also have to specify the FQDN for the host.
Solution user certificate You can use vSphere Certificate Manager to create the CSR or
create the CSR manually.
Note You must use a different value for Name for each solution
user. If you generate the certificate manually, this might show up
as CN under Subject, depending on the tool you use.
If you use vSphere Certificate Manager, the tool prompts you for
certificate information for each solution user. vSphere Certificate
Manager stores the information in certool.cfg. See
Information that Certificate Manager Prompts For.
Requirements for Custom Certiļ¬cates
When you want to use custom certificates, the certificates must meet the following requirements.
Platform Services Controller Administration
VMware, Inc. 76