Obtaining Server Certificates

VMware products use standard X.509 version 3 (X.509v3) certificates to encrypt session information sent over SSL connections between server and client systems. When a client application initiates an SSL session with the server, the server sends its certificate to the client application, which checks the X.509 certificate against a list of known Certificate Authorities (CAs) to verify the authenticity of the certificate. The client then uses the server’s public key contained in the X.509 certificate to generate a random symmetric key, which it uses to encrypt all subsequent communications.

The installers for ESXi and vCenter Server create server certificates during the process of installation. For ESXi systems, the certificate name matches the DNS name of the server. For vCenter Server systems, the certificate name is VMware. Because these certificates are not signed by an official root CA, you must obtain the server certificate from each server that you plan to target with your client application and store it locally.

For example, if you are creating a client application to run against the vCenter Server and an ESXi system in standalone mode, you must obtain both the vCenter Server certificate and the ESXi certificate. If your application is aimed solely at the vCenter Server that might manage any number of ESXi systems, you must obtain the certificate only from the vCenter Server.

You can obtain the certificates in one of the following ways:

  • Developers working on the Microsoft Windows platform can use the certificate-handling capabilities of the vSphere Client from the development workstation to connect to each ESXi or vCenter Server and accept the certificate into the local cache and export the certificate. See Obtain Certificates Using the vSphere Web Client.
  • Developers with access privileges on the target server systems can use a secure shell client utility (SCP, WinSCP, or SSH) to connect directly to the ESXi or vCenter Server and copy the certificates directly from the server to the development platform.