If you have ever replaced VMware vCenter server certificates you will know that there are default values for common SSL/TLS certificate attributes, for example country code and organisation name. By default VMware have their own details for these attributes as shown below –
- Country – US
- E-mail – [email protected]
- Locality – Palo Alto
- Organisational Unit Name – VMware Engineering
- Organisation Name – VMware
- State – California
When you work through a certificate creation process you will find these are the values suggested for your default. The system can also use these values when it self generates or creates for a service/host. Personally I’d rather have values relevant to myself presented each time I work through this or when the system is creating them for me. Let’s take a look at where these values are stored and how we can change them.
I was tempted to show these settings using the classic C# client many of us will have used for years however it really is time to move away from that so let me show you via the current Flash client and the newer HTML5 version followed by our friend PowerShell PowerCLI.
Flash Client
Having selected our vCenter object and clicked the ‘Configure’ button we need to click ‘Advanced Settings’. Entering a filter term will reduce the rather long list of Name/Value pairs to just what we want. In this case the value ‘certmgmt’ will give us just what we need.
If we click the ‘Edit’ button a popup window will appear, again we need to filter the options or you can scroll down – I recommend filtering to make life easy. First we see the default options and then second I have my edited values entered, clicking ‘OK’ will commit these changes.
HTML5 Client
The HTML5 interface does not yet appear to offer the ability to edit these values, it simply allows you to view them. Please note you either need to scroll through the list of Key/Value pairs or use the filter option and enter ‘certmgmt’ to display only those values we are interested in. Note that in the HTML5 client the filter option is not a text box but the traditional filter symbol.
PowerShell PowerCLI
Finally let’s take a look at the settings via the VMware PowerCLI PowerShell module. There are a few ways you can do this, I’ll give you two examples below followed by the expected output from running one of these commands.
1 | PowerCLI C:\> Get-VC -Server 'BSA-vCenter' | Get-AdvancedSetting -Name *certmgmt* | Format-Table -AutoSize |
1 | PowerCLI C:\> Get-AdvancedSetting -Entity (Get-VC -Server 'BSA-vCenter') | where {$_.Name -like '*certmgmt*'} | Format-Table -AutoSize |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 | Name Value Type Description ---- ----- ---- ----------- vpxd.certmgmt.certs.cn.country US VIServer Country Name for the ESXi Host Certificates vpxd.certmgmt.certs.cn.email vmca@vmware.com VIServer Email address for the ESXi Host Certificates vpxd.certmgmt.certs.cn.localityName Palo Alto VIServer Locality Name for ESXi Host Certificates vpxd.certmgmt.certs.cn.organizationalUnitName VMware Engineering VIServer Organizational Unit Name for ESXi Host Certificates vpxd.certmgmt.certs.cn.organizationName VMware VIServer Organization Name for ESXi Host Certificates vpxd.certmgmt.certs.cn.state California VIServer State Name for ESXi Host Certificates vpxd.certmgmt.certs.daysValid 1825 VIServer ESXi Certificate Validity Period (in days) vpxd.certmgmt.certs.hardThreshold 30 VIServer ESXi Certificate Management Hard Threshold (in days) vpxd.certmgmt.certs.minutesBefore 1440 VIServer vpxd.certmgmt.certs.pollIntervalDays 5 VIServer ESXi Certificate Validity Check Interval (in days) vpxd.certmgmt.certs.softThreshold 240 VIServer ESXi Certificate Management Soft Threshold (in days) vpxd.certmgmt.mode vmca VIServer ESXi Certificate Management Mode |
OK so we have our list of values and you can see they are currently set to the defaults. There are many ways we can change the value, again I’ll show you a couple just to give an idea of how things can be done. First off I’ll include the -Verbose and -WhatIf parameters – this won’t actually run the command it will just emulate it and give additional logging output. The second command will actually execute the change resulting in the system prompting for confirmation followed by output demonstrating the change has occurred.
1 2 3 4 5 | PowerCLI C:\> Get-VC -Server 'BSA-vCenter' | Get-AdvancedSetting -Name 'vpxd.certmgmt.certs.cn.country' | Set-AdvancedSetting -Value 'GB' -WhatIf -Verbose VERBOSE: 20/07/2017 10:54:39 Set-AdvancedSetting Started execution What if: Modifying advanced setting 'vpxd.certmgmt.certs.cn.country'. VERBOSE: 20/07/2017 10:54:39 Set-AdvancedSetting Finished execution |
1 2 3 4 5 6 7 8 9 | PowerCLI C:\> Get-VC -Server 'BSA-vCenter' | Get-AdvancedSetting -Name 'vpxd.certmgmt.certs.cn.country' | Set-AdvancedSetting -Value 'GB' Perform operation? Modifying advanced setting 'vpxd.certmgmt.certs.cn.country'. [Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): y Name Value Type Description ---- ----- ---- ----------- vpxd.certmgmt.cer... GB VIServer Country Name for the ESXi H... |
There are plenty of ways to pipe variables through and make changes to all the settings but I don’t intend to cover that in this post, if you’re interested drop me a message or add a comment below.