Configure and manage VMware Endpoint Certificate Store

VMware Endpoint Certificate Store (VECS) serves as a local repository for certificates, private keys, and other certificate information that can be stored in a keystore. You can decide not to use VMCA as your certificate authority and certificate signer, but you must use VECS to store all vCenter certificates, keys, and so on. ESXi certificates are stored locally on each host and not in VECS.

VECS runs as part of the VMware Authentication Framework Daemon (VMAFD). VECS runs on every embedded deployment, Platform Services Controller node, and management node (vCenter) and holds the keystores that contain the certificates and keys.

VECS polls VMware Directory Service (vmdir) periodically for updates to the TRUSTED_ROOTS store. You can also explicitly manage certificates and keys in VECS using vecs-cli commands.

VECS Default Stores

1: Machine SSL Store (MACHINE_SSL_CERT)

This store is used by the reverse proxy service on every vSphere node. This store is also used by the VMware Directory Service (vmdir) on embedded deployments and on each Platform Services Controller node.

2: Trusted root store (TRUSTED_ROOTS and TRUSTED_ROOT_CRLS)

This store contains all of your trusted root certificates.

3: Solution User Stores 

There are five solution users in vSphere 6 –

  • Machine
  • vpxd
  • vpxd-extensions
  • vSphere web client

VECS includes one store for each solution user. The subject of each solution user certificate must be unique; for example, the machine certificate cannot have the same subject as the vpxd certificate. Solution user certificates are used for authentication with vCenter Single Sign-On. vCenter Single Sign-On checks that the certificate is valid, but does not check other certificate attributes.

  • The machine endpoint is used by the logging service, component manager, and license server.
  • The vpxd solution user is for vCenter Server and is used to authenticate to vCenter Single Sign-On.
  • The vpxd-extensions solution user is used by Auto Deploy and Inventory Service.
  • The vsphere-webclient solution user is used for the vSphere Web Client.


This store creates a backup of the most recent state of the certificates that you can restore. Unfortunately, at this point, it will only create one restore step, but it is still useful.

Other Stores

Other stores might be added by solutions. For example, the Virtual Volumes solution adds an SMS store. Do not modify the certificates in those stores unless VMware documentation or a VMware Knowledge Base article instructs you to do so.

Listing VECS Store

To see a list of your current stores on the PSC node via the CLI:

On vCenter server


Log in to the PSC UI at https://psc-fqdn/psc, select Certificate Store in the left-hand pane, and click Store to see the list of stores.


On a Windows-based PSC, vecs-cli is located at: C:\Program Files\VMware\vCenter Server\vmafdd\vecs-cli.exe

To see a list of all options available with vecs-cli, run the command with the help switch (I have snipped the output)

Once you have a list of all of your current stores, you can output the certificates and private keys in that store by running the following commands: 

Note: I have truncated the certificate information

Creating/Deleting Store

You can create or delete a store using the commands below:


Grant read/write permissions to users on specific store

List current permissions of a store

Grant write permission to a user on a store

Revoke write permission of a user from a store

Force a refresh of information from vmdir.
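
The listing, certificate export and permission steps above, combined into a read-only audit of a Windows PSC. This is an added example, not the author's original commands. It assumes the vecs-cli path given earlier, that `entry list` prints each alias on a line of the form `Alias : <name>`, and a hypothetical 60-day warning threshold (`$warnDays`).

```powershell
# Added example: read-only VECS audit (stores, certificate expiry, permissions).
$vecs = 'C:\Program Files\VMware\vCenter Server\vmafdd\vecs-cli.exe'
$warnDays = 60   # assumption: flag certificates expiring within 60 days

# 'store list' prints one store name per line.
$stores = & $vecs store list | ForEach-Object { $_.Trim() } | Where-Object { $_ }

$report = foreach ($store in $stores) {
    # Assumption: each entry is reported on a line of the form "Alias : <name>".
    $aliases = & $vecs entry list --store $store |
        Select-String -Pattern '^\s*Alias\s*:\s*(.+)$' |
        ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() }

    foreach ($alias in $aliases) {
        $tmp = [System.IO.Path]::GetTempFileName()
        try {
            # Export only the certificate (never the private key) and parse it with .NET.
            & $vecs entry getcert --store $store --alias $alias --output $tmp | Out-Null
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $tmp
            [pscustomobject]@{
                Store    = $store
                Alias    = $alias
                Subject  = $cert.Subject
                NotAfter = $cert.NotAfter
                DaysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
            }
        } catch {
            # Entries that are not certificates (for example CRLs) end up here.
            Write-Warning "Could not read $store/$alias : $_"
        } finally {
            Remove-Item $tmp -ErrorAction SilentlyContinue
        }
    }
}

$report | Sort-Object DaysLeft | Format-Table -AutoSize
$report | Where-Object { $_.DaysLeft -lt $warnDays } |
    ForEach-Object { Write-Warning "$($_.Store)/$($_.Alias) expires $($_.NotAfter)" }

# Show which users hold read or write access to each store.
foreach ($store in $stores) {
    "--- $store"
    & $vecs store get-permissions --name $store
}
```

Run it from an elevated prompt on the PSC; it only reads from VECS and changes no store, entry or permission.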

I hope you enjoyed reading this post. Feel free to share this on social media if it is worth sharing. Be sociable :)