During my VMworld session presentation INF-SEC1282 Automating Security and Compliance with DR (VMworld account required to access recording) I gave a world premier glimpse of a prototype solution that will allow completely automated management of SSL Certificates in a vSphere environment. The solution is still under development. But if you'd like to peak into the future of an easy and completely automated SSL management world for vSphere then this article is for you.
[Updated 14/09/2013] vCert Manager is now Generally Available! This was announced at VMworld USA 2013 in San Francisco. If you'd like to see how the prototype changed into the full product please check out my article VMworld USA 2013 By The Numbers. You can obtain an evaluation version of vCert Manager by visiting VSS Labs.
The session was an outstanding success, we received a massive response from the audience and subsequent to the session. As a result of this positive feedback we've decided to make the demo video available to the public on YouTube here and displayed below. I'm the lead architect of the solution and I'm working with VSS Labs based in Singapore and Philippines. If after reviewing the demo you'd like to become part of the
early adopter / beta program please visit the VSS Labs web site and register your expression of interest by filling in the Early Adopter Form.
Some things you should know about the demo before you watch it:
- This is a very early prototype and is a stand alone .net application in this demo. The full version will be web based and we will likely have .net or Java / Virtual Appliance options. We'd appreciate feedback on which varient would be the highest priority.
- In the demo we are only showing the replacement of ESXi certs, but the intention is to support ESX/ESXi 4.x and 5.x out of the gate, in addition to vCenter, vSphere Web Client and selected integrated components and management tools, such as VMware View, vCloud Director, SRM, vShield, vCOps. Your feedback on the most critical components to support upon GA would be valuable.
- We will be supporting multiple Certificate Authorities, both private and public. We will support stand alone and enterprise / AD integrated Windows CA's (2003 and 2008 version). Public CA support if API's are not available may still require some manual steps, but the creation of CSR and the applying of the certs and managing the lifecycle of the cert will be automated.
- The minimum key length supported will be 1024 bits, with maximum of 4096bits and default of 2048bits.
- In the demo we use a stand alone Windows CA, this is the reason for the message in IE being displayed towards the end of the demo. The CA's cert was not pre-trusted in the system where the browser is being run. This message would not be displayed had an AD Integrated Enterprise CA been used.
Once you have watched the demo please complete the brief survey below.
Please let us know what your thoughts are on the most critical components we should support when we release vCert Manager 1.0.
Managing SSL Certs in a VMware environment is a very complicated, time consuming, error prone, and costly task. My hope is that vCert Manager will revolutionize SSL Management in VMware environments, make it simple, easy, and cost effective to change and maintain SSL certificates throughout their lifecycle, for all customers. Providing a more secure platform to many customers that wouldn't or couldn't currently change their SSL certificates. If after reading this article and seeing the demo you still want to do your certificates manually then please feel free to check out my article on Updating SSL Certificates in vSphere 5. I look forward to receiving some good feedback and comments.
This post first appeared on the Long White Virtual Clouds blog at longwhiteclouds.com, by Michael Webster +. Copyright © 2012 – IT Solutions 2000 Ltd and Michael Webster +. All rights reserved. Not to be reproduced for commercial purposes without written permission.