If you have ever replaced VMware vCenter server certificates you will know that there are default values for common SSL/TLS certificate attributes, for example country code and organisation name. By default VMware have their own details for these attributes, as shown below:
- Country – US
- E-mail – [email protected]
- Locality – Palo Alto
- Organisational Unit Name – VMware Engineering
- Organisation Name – VMware
- State – California
When you work through a certificate creation process you will find these are the values suggested as your defaults. The system can also use these values when it generates certificates itself for a service or host. Personally, I’d rather have values relevant to myself presented each time I work through this or when the system is creating them for me. Let’s take a look at where these values are stored and how we can change them.
I was tempted to show these settings using the classic C# client many of us will have used for years; however, it really is time to move away from that, so let me show you via the current Flash client and the newer HTML5 version, followed by our friend PowerShell PowerCLI.
Flash Client
Having selected our vCenter object and clicked the ‘Configure’ button we need to click ‘Advanced Settings’. Entering a filter term will reduce the rather long list of Name/Value pairs to just what we want. In this case the value ‘certmgmt’ will give us just what we need.
If we click the ‘Edit’ button a popup window will appear. Again we need to filter the options, or you can scroll down; I recommend filtering to make life easy. First we see the default options and then second I have my edited values entered. Clicking ‘OK’ will commit these changes.
HTML5 Client
The HTML5 interface does not yet appear to offer the ability to edit these values; it simply allows you to view them. Please note you either need to scroll through the list of Key/Value pairs or use the filter option and enter ‘certmgmt’ to display only those values we are interested in. Note that in the HTML5 client the filter option is not a text box but the traditional filter symbol.
PowerShell PowerCLI
Finally, let’s take a look at the settings via the VMware PowerCLI PowerShell module. There are a few ways you can do this; I’ll give you two examples below, followed by the expected output from running one of these commands.
PowerCLI C:\> Get-VC -Server 'BSA-vCenter' | Get-AdvancedSetting -Name *certmgmt* | Format-Table -AutoSize
PowerCLI C:\> Get-AdvancedSetting -Entity (Get-VC -Server 'BSA-vCenter') | where {$_.Name -like '*certmgmt*'} | Format-Table -AutoSize
Name                                          Value              Type     Description
----                                          -----              ----     -----------
vpxd.certmgmt.certs.cn.country                US                 VIServer Country Name for the ESXi Host Certificates
vpxd.certmgmt.certs.cn.email                  [email protected]  VIServer Email address for the ESXi Host Certificates
vpxd.certmgmt.certs.cn.localityName           Palo Alto          VIServer Locality Name for ESXi Host Certificates
vpxd.certmgmt.certs.cn.organizationalUnitName VMware Engineering VIServer Organizational Unit Name for ESXi Host Certificates
vpxd.certmgmt.certs.cn.organizationName       VMware             VIServer Organization Name for ESXi Host Certificates
vpxd.certmgmt.certs.cn.state                  California         VIServer State Name for ESXi Host Certificates
vpxd.certmgmt.certs.daysValid                 1825               VIServer ESXi Certificate Validity Period (in days)
vpxd.certmgmt.certs.hardThreshold             30                 VIServer ESXi Certificate Management Hard Threshold (in days)
vpxd.certmgmt.certs.minutesBefore             1440               VIServer
vpxd.certmgmt.certs.pollIntervalDays          5                  VIServer ESXi Certificate Validity Check Interval (in days)
vpxd.certmgmt.certs.softThreshold             240                VIServer ESXi Certificate Management Soft Threshold (in days)
vpxd.certmgmt.mode                            vmca               VIServer ESXi Certificate Management Mode
OK, so we have our list of values and you can see they are currently set to the defaults. There are many ways we can change a value; again I’ll show you a couple just to give an idea of how things can be done. First off I’ll include the -Verbose and -WhatIf parameters. This won’t actually run the command; it will just emulate it and give additional logging output. The second command will actually execute the change, resulting in the system prompting for confirmation followed by output demonstrating the change has occurred.
PowerCLI C:\> Get-VC -Server 'BSA-vCenter' | Get-AdvancedSetting -Name 'vpxd.certmgmt.certs.cn.country' | Set-AdvancedSetting -Value 'GB' -WhatIf -Verbose
VERBOSE: 20/07/2017 10:54:39 Set-AdvancedSetting Started execution
What if: Modifying advanced setting 'vpxd.certmgmt.certs.cn.country'.
VERBOSE: 20/07/2017 10:54:39 Set-AdvancedSetting Finished execution

PowerCLI C:\> Get-VC -Server 'BSA-vCenter' | Get-AdvancedSetting -Name 'vpxd.certmgmt.certs.cn.country' | Set-AdvancedSetting -Value 'GB'
Perform operation?
Modifying advanced setting 'vpxd.certmgmt.certs.cn.country'.
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): y

Name                 Value Type     Description
----                 ----- ----     -----------
vpxd.certmgmt.cer... GB    VIServer Country Name for the ESXi H...
There are plenty of ways to pipe variables through and make changes to all the settings, but I don’t intend to cover that in this post. If you’re interested, drop me a message or add a comment below.
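One way to change all six subject attributes in a single pass, as an added example that is not part of the original post: it reads each current value, skips settings that already match, and supports the same -WhatIf dry run shown above. The function name Set-CertMgmtSubject is hypothetical and every value in $desired other than 'GB' is a constructed placeholder.

```powershell
# Added example, not from the original post. Set-CertMgmtSubject is a hypothetical
# helper name; the values in $desired are constructed placeholders.
function Set-CertMgmtSubject {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Connection object returned by Connect-VIServer
        [Parameter(Mandatory = $true)] $Server,
        # Advanced setting name -> wanted value
        [Parameter(Mandatory = $true)] [hashtable] $Desired
    )
    foreach ($name in ($Desired.Keys | Sort-Object)) {
        $setting = Get-AdvancedSetting -Entity $Server -Name $name
        if (-not $setting) {
            Write-Warning "Advanced setting '$name' not found; skipped."
            continue
        }
        $current = [string]$setting.Value
        $wanted  = [string]$Desired[$name]
        if ($current -ceq $wanted) {
            Write-Verbose "'$name' is already '$current'."
            continue
        }
        # Honours -WhatIf / -Confirm passed to this function
        if ($PSCmdlet.ShouldProcess($name, "Change '$current' to '$wanted'")) {
            $setting | Set-AdvancedSetting -Value $wanted -Confirm:$false
        }
    }
}

$desired = @{
    'vpxd.certmgmt.certs.cn.country'                = 'GB'
    'vpxd.certmgmt.certs.cn.email'                  = 'certs@example.com'   # placeholder
    'vpxd.certmgmt.certs.cn.localityName'           = 'Example Town'        # placeholder
    'vpxd.certmgmt.certs.cn.organizationalUnitName' = 'Example IT'          # placeholder
    'vpxd.certmgmt.certs.cn.organizationName'       = 'Example Ltd'         # placeholder
    'vpxd.certmgmt.certs.cn.state'                  = 'Example County'      # placeholder
}

$vc = Connect-VIServer -Server 'BSA-vCenter'
Set-CertMgmtSubject -Server $vc -Desired $desired -WhatIf -Verbose   # dry run first
# Set-CertMgmtSubject -Server $vc -Desired $desired                  # apply for real
Get-AdvancedSetting -Entity $vc -Name 'vpxd.certmgmt.certs.cn.*' | Format-Table -AutoSize
```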