I’ve written a few articles now on how to change the self-signed SSL certs in a few of the VMware components, such as vCenter Server 5, vSphere Web Client, and ESXi 5 hosts, all without any discussion of why you would want to do it at all. So why bother going to all the trouble of changing out the self-signed SSL certs for Org CA or Public CA signed SSL certs?
If you want a way to fully manage the certificate lifecycle and replace certs automatically, then you’ll want to check out vCert Manager – Changing VMware SSL Certs Made Easy. It completely automates the SSL certificate process in vSphere environments.
One of the main reasons it is generally recommended is to prevent, or at least reduce the risk of, Man in the Middle (MiTM) attacks. In a MiTM attack someone impersonates a valid system or communication using an untrusted or self-signed SSL certificate and in the process intercepts encrypted traffic; because a self-signed cert chains to no trusted authority, a client has no way to tell the real system’s cert from the impersonator’s. This is exactly what the Public Key Infrastructure (PKI) was built to prevent. It is, however, only one of many reasons why you would want to replace the certs with valid CA-signed certs.
Changing out certificates for all of the software components in a vSphere infrastructure requires a lot of effort. It can also be quite painful, although I hope my articles go some way to helping with the difficulty level. But in a lot of environments it is definitely worthwhile or required.
Instead of giving you all the reasons you might want to go to this trouble and change the certs for your organization, I have developed a quick poll. I’d like to know from you why you do it. What motivates your organization to implement Org CA or Public CA signed SSL certs for your vSphere environment and its various components?
This post first appeared on the Long White Virtual Clouds blog at longwhiteclouds.com, by Michael Webster. Copyright © 2012 – IT Solutions 2000 Ltd and Michael Webster. All rights reserved. Not to be reproduced for commercial purposes without written permission.