Configure and manage VMware Endpoint Certificate Store

VMware Endpoint Certificate Store (VECS) serves as a local repository for certificates, private keys, and other certificate information that can be stored in a keystore. You can decide not to use VMCA as your certificate authority and certificate signer, but you must use VECS to store all vCenter certificates, keys, and so on. ESXi certificates are stored locally on each host and not in VECS.

VECS runs as part of the VMware Authentication Framework Daemon (VMAFD). VECS runs on every embedded deployment, Platform Services Controller node, and management node (vCenter) and holds the keystores that contain the certificates and keys.

VECS polls VMware Directory Service (vmdir) periodically for updates to the TRUSTED_ROOTS store. You can also explicitly manage certificates and keys in VECS using vecs-cli commands.

VECS Default Stores

1: Machine SSL Store (MACHINE_SSL_CERT)

This store is used by the reverse proxy service on every vSphere node. This store is also used by the VMware Directory Service (vmdir) on embedded deployments and on each Platform Services Controller node.

2: Trusted root store (TRUSTED_ROOTS and TRUSTED_ROOT_CRLS)

This store contains all of your trusted root certificates.

3: Solution User Stores 

There are five solution users in vSphere 6 –

  • Machine
  • vpxd
  • vpxd-extensions
  • vSphere web client

VECS includes one store for each solution user. The subject of each solution user certificate must be unique; for example, the machine certificate cannot have the same subject as the vpxd certificate. Solution user certificates are used for authentication with vCenter Single Sign-On. vCenter Single Sign-On checks that the certificate is valid, but does not check other certificate attributes.

  • The machine endpoint is used by the logging service, component manager, and license server.
  • The vpxd solution user is for vCenter Server and is used to authenticate to vCenter Single Sign-On.
  • The vpxd-extensions solution user is used by Auto Deploy and Inventory Service.
  • The vsphere-webclient solution user is used for the vSphere Web Client.

4: BACKUP_STORE

This store keeps a backup of the most recent state of the certificates, which you can restore. Unfortunately, at this point it keeps only one restore point, but it is still useful.

Other Stores

Other stores might be added by solutions. For example, the Virtual Volumes solution adds an SMS store. Do not modify the certificates in those stores unless VMware documentation or a VMware Knowledge Base article instructs you to do so.

Listing VECS Store

To see a list of your current stores on a PSC node via the CLI:

psc02:~ # /usr/lib/vmware-vmafd/bin/vecs-cli store list
MACHINE_SSL_CERT
TRUSTED_ROOTS
TRUSTED_ROOT_CRLS
machine
vsphere-webclient
BACKUP_STORE

On a vCenter Server node:

vcentersrv02:~ # /usr/lib/vmware-vmafd/bin/vecs-cli store list
MACHINE_SSL_CERT
TRUSTED_ROOTS
TRUSTED_ROOT_CRLS
machine
vsphere-webclient
vpxd
vpxd-extension
SMS
BACKUP_STORE

VIA GUI

Log in to the PSC UI at https://psc-fqdn/psc, select Certificate Store from the left-hand pane, and click on a store to see the list of stores.


On a Windows-based PSC, vecs-cli is located at: C:\Program Files\VMware\vCenter Server\vmafdd\vecs-cli.exe

To see a list of all options available with vecs-cli, run the command with the help switch (I have snipped the output):

psc02:~ # /usr/lib/vmware-vmafd/bin/vecs-cli help
Usage: vecs-cli { arguments }

Arguments:

  store create --name <name>
               [--server <server-name>]
               [--upn <user-name>]
  store list
               [--server <server-name>]
               [--upn <user-name>]
  store delete --name <name> [ --password <password> ]
               [--server <server-name>]
               [--upn <user-name>]
               [-y]
  store permission --name <name>
               --user <username>
               --grant|--revoke read|write
  store get-permissions --name <name>
               [--server <server-name>]
               [--upn <user-name>]

Once you have a list of all of your current stores, you can output the certificates and private keys in that store by running the following commands: 

Note: I have truncated the certificate information

psc02:~ # /usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store machine --alias machine
-----BEGIN CERTIFICATE-----
MIIEJjCCAw6gAwIBAgIJAMkPi6wign0tMA0GCSqGSIb3DQEBCwUAMIGGMQswCQYD
VQQGEwJVUzEUMBIGCgmSJomT8ixkARkWBGFsZXgxEzARBgoJkiaJk/IsZAEZFgNs
YWIxEzARBgNVBAgTCkNhbGlmb3JuaWExGTAXBgNVBAoTEHBzYzAyLmFsZXgubG9j

psc02:~ # /usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store machine --alias machine
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDWkFYZRVujeIGE
XhAi6tndg1XYxmlG1SLgDPjP25BoVz5cFz9WkBs6iO15N4eio3BUrLykOUyMsHQ9
Ne8fzQzNJOSTFNgVXqKyULNb8wJ8YOBXgKt828pi4oLONhpxiUU9J2y8nGNvHBmG

Creating/Deleting Store

You can create or delete a store using the commands below:

psc02:~ # /usr/lib/vmware-vmafd/bin/vecs-cli store create --name Test-Store
Successfully created store [Test-Store]

psc02:~ # /usr/lib/vmware-vmafd/bin/vecs-cli store list
MACHINE_SSL_CERT
TRUSTED_ROOTS
TRUSTED_ROOT_CRLS
machine
vsphere-webclient
BACKUP_STORE
Test-Store

psc02:~ # /usr/lib/vmware-vmafd/bin/vecs-cli store delete --name Test-Store
Warning: This operation will delete store [Test-Store]
Do you wish to continue? Y/N [N]
Y
Successfully deleted store [Test-Store]

Grant read/write permissions to users on a specific store

List current permissions of a store

psc02:~ # /usr/lib/vmware-vmafd/bin/vecs-cli store get-permissions --name machine
PERMISSIONS FOR STORE: [machine]
OWNER : root
USER ACCESS
cm read

Grant write permission to a user on a store

/usr/lib/vmware-vmafd/bin/vecs-cli store permission --name store-name --user username --grant write

Revoke write permission of a user from a store

/usr/lib/vmware-vmafd/bin/vecs-cli store permission --name store-name --user username --revoke write
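The listing, getcert and get-permissions commands above can be combined into a small audit script. This is an added example, not code from the original post or from VMware: it walks every store, reports which users hold write access (parsing the get-permissions output format shown above), and can report how many days a given certificate has left. The vecs-cli path is the one from the post; openssl and GNU date, which the vCenter appliance ships, are assumed for the expiry check.

```shell
#!/bin/sh
# Added example: audit VECS store permissions and certificate expiry.
# Override VECS_CLI if vecs-cli lives somewhere else on your node.
VECS_CLI="${VECS_CLI:-/usr/lib/vmware-vmafd/bin/vecs-cli}"

# Read `vecs-cli store get-permissions` output on stdin (the format shown in
# the post: "PERMISSIONS FOR STORE: [name]", "OWNER : user", "USER ACCESS",
# then "<user> <read|write>" lines) and print "<store> <user>" for every
# user that holds write access on that store.
find_write_grants() {
    awk '
        /^PERMISSIONS FOR STORE:/ { gsub(/\[|\]/, "", $NF); store = $NF; next }
        /^OWNER/ || /^USER ACCESS/ { next }
        NF >= 2 && $2 == "write"  { print store, $1 }
    '
}

# Walk every store on this node and print all write grants. Returns 1 when
# any user has write access, so the check can be run from cron or monitoring
# and treated as a finding; returns 0 when only read grants exist.
audit_all_stores() {
    found=0
    for store in $("$VECS_CLI" store list); do
        grants=$("$VECS_CLI" store get-permissions --name "$store" | find_write_grants)
        if [ -n "$grants" ]; then
            printf '%s\n' "$grants"
            found=1
        fi
    done
    return "$found"
}

# Days until the certificate stored under <store>/<alias> expires, using the
# same `entry getcert` call as the post; negative means already expired.
cert_days_left() {
    end=$("$VECS_CLI" entry getcert --store "$1" --alias "$2" \
          | openssl x509 -noout -enddate | sed 's/^notAfter=//')
    echo $(( ( $(date -d "$end" +%s) - $(date +%s) ) / 86400 ))
}
```

Run `audit_all_stores` on a PSC or vCenter node to list non-default write grants, and `cert_days_left MACHINE_SSL_CERT __MACHINE_CERT` (alias assumed) to check the machine SSL certificate.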

Force a refresh of information from vmdir.

/usr/lib/vmware-vmafd/bin/vecs-cli force-refresh

I hope you enjoyed reading this post. Feel free to share this on social media if it is worth sharing. Be sociable :)