6.7
Table Of Contents
- Platform Services Controller Administration
- Contents
- About Platform Services Controller Administration
- Getting Started with Platform Services Controller
- vCenter Server and Platform Services Controller Deployment Types
- Deployment Topologies with External Platform Services Controller Instances and High Availability
- Understanding vSphere Domains, Domain Names, and Sites
- Platform Services Controller Capabilities
- Managing Platform Services Controller Services
- Managing the Platform Services Controller Appliance
- vSphere Authentication with vCenter Single Sign-On
- Understanding vCenter Single Sign-On
- Configuring vCenter Single Sign-On Identity Sources
- Understanding vCenter Server Two-Factor Authentication
- Using vCenter Single Sign-On as the Identity Provider for Another Service Provider
- Security Token Service STS
- Managing vCenter Single Sign-On Policies
- Managing vCenter Single Sign-On Users and Groups
- Add vCenter Single Sign-On Users
- Disable and Enable vCenter Single Sign-On Users
- Delete a vCenter Single Sign-On User
- Edit a vCenter Single Sign-On User
- Add a vCenter Single Sign-On Group
- Add Members to a vCenter Single Sign-On Group
- Remove Members from a vCenter Single Sign-On Group
- Delete vCenter Single Sign-On Solution Users
- Change Your vCenter Single Sign-On Password
- vCenter Single Sign-On Security Best Practices
- vSphere Security Certificates
- Certificate Requirements for Different Solution Paths
- Certificate Management Overview
- Managing Certificates with the vSphere Client
- Managing Certificates from the vSphere Web Client
- Managing Certificates with the vSphere Certificate Manager Utility
- Certificate Manager Options and the Workflows in This Document
- Regenerate a New VMCA Root Certificate and Replace All Certificates
- Make VMCA an Intermediate Certificate Authority (Certificate Manager)
- Generate CSR with vSphere Certificate Manager and Prepare Root Certificate (Intermediate CA)
- Replace VMCA Root Certificate with Custom Signing Certificate and Replace All Certificates
- Replace Machine SSL Certificate with VMCA Certificate (Intermediate CA)
- Replace Solution User Certificates with VMCA Certificates (Intermediate CA)
- Replace All Certificates with Custom Certificate (Certificate Manager)
- Revert Last Performed Operation by Republishing Old Certificates
- Reset All Certificates
- Manual Certificate Replacement
- Managing Services and Certificates with CLI Commands
- Troubleshooting Platform Services Controller
- Determining the Cause of a Lookup Service Error
- Unable to Log In Using Active Directory Domain Authentication
- vCenter Server Login Fails Because the User Account Is Locked
- VMware Directory Service Replication Can Take a Long Time
- Export a Platform Services Controller Support Bundle
- Platform Services Controller Service Logs Reference
You can no longer use the vSphere 5.5 certificate replacement tool, which was available for vSphere
5.5 installations. The new architecture results in a different service distribution and placement. A new
command-line utility, vSphere Certificate Manager, is available for most certificate management tasks.
vSphere Certificate Interfaces
For vCenter Server, you can view and replace certificates with the following tools and interfaces.
Table 3‑3. Interfaces for Managing vCenter Server Certificates
Interface Use
vSphere Client Perform common certificate tasks with a graphical user
interface.
vSphere Certificate Manager utility Perform common certificate replacement tasks from the
command line of the vCenter Server installation.
Certificate management CLIs Perform all certificate management tasks with dir-cli,
certool, and vecs-cli.
vSphere Web Client View certificates, including expiration information.
For ESXi, you perform certificate management from the vSphere Web Client. VMCA provisions
certificates and stores them locally on the ESXi host. VMCA does not store ESXi host certificates in
VMDIR or in VECS. See the vSphere Security documentation.
Supported vCenter Certificates
For vCenter Server, the Platform Services Controller, and related machines and services, the following
certificates are supported:
n
Certificates that are generated and signed by VMware Certificate Authority (VMCA).
n
Custom certificates.
n
Enterprise certificates that are generated from your own internal PKI.
n
Third-party CA-signed certificates that are generated by an external PKI such as Verisign,
GoDaddy, and so on.
Self-signed certificates that were created using OpenSSL in which no Root CA exists are not supported.
Certificate Replacement Overview
You can perform different types of certificate replacement depending on company policy and
requirements for the system that you are configuring. You can perform certificate replacement from the
Platform Services Controller, by using the vSphere Certificate Manager utility or manually by using the
CLIs included with your installation.
VMCA is included in each Platform Services Controller and in each embedded deployment. VMCA
provisions each node, each vCenter Server solution user, and each ESXi host with a certificate that is
signed by VMCA as the certificate authority. vCenter Server solution users are groups of vCenter Server
services.
Platform Services Controller Administration
VMware, Inc. 79