Obtaining Server Certificates

VMware products use standard X.509 version 3 (X.509v3) certificates to encrypt session information sent over SSL connections between server and client systems. When a client application initiates an SSL session with the server, the server sends its certificate to the client application, which checks the X.509 certificate against a list of known Certificate Authorities (CAs) to verify the authenticity of the certificate. The client then uses the server’s public key contained in the X.509 certificate to generate a random symmetric key, which it uses to encrypt all subsequent communications.

The installers for ESX, ESXi, and vCenter Server create server certificates during the process of installation. For ESX and ESXi systems, the certificate name matches the DNS name of the server. For vCenter Server systems, the certificate name is VMware. Because these certificates are not signed by an official root CA, you must obtain the server certificate from each server that you plan to target with your client application and store it locally.

For example, if you are creating a client application to run against the vCenter Server and an ESX system in standalone mode, you must obtain both the vCenter Server certificate and the ESX certificate. If your application is aimed solely at the vCenter Server that might manage any number of ESX systems, you must obtain the certificate only from the vCenter Server.

You can obtain the certificates in one of the following ways:

■

Developers working on the Microsoft Windows platform can use the certificate-handling capabilities of the vSphere Client from the development workstation to connect to each ESX, ESXi, or vCenter Server and accept the certificate into the local cache and export the certificate. See Obtain Certificates Using the vSphere Web Client.

■	Developers with access privileges on the target server systems can use a secure shell client utility (SCP, WinSCP, or SSH) to connect directly to the ESX, ESXi, or vCenter Server and copy the certificates directly from the server to the development platform.

Obtain Certificates Using the vSphere Web Client

Use the vSphere Web Client to obtain certificates, so you don’t have to install another client on your development workstation. You can download the VMware Certificate Authority root and leaf certificates and then add them to the operating system root store of the system from which you are connecting to the vCenter Server system.

To obtain server certificates:

1	From a client system Web browser, go to the URL of the vCenter Server system or the vCenter Server Virtual Appliance.

2	Click the Download trusted root CA certificates link at the bottom of the grey box on the right and download the file.

3	Change the extension of the file to .zip.

4	The file is a ZIP file of all root certificates and all CRLs in the VMware Endpoint Certificate Store (VECS).

5	Extract the contents of the ZIP file.

6	The result is a .certs folder that contains two types of files. Files with a number as the extension (.0, .1, and so on) are root certificates. Files with an extension that starts with an r (.r0,. r1, and so on) are CRL files associated with a certificate.

7	Install the certificate files as trusted certificates by following the process that is appropriate for your operating system.

Firefox has its own trusted roots store and does not use the operating system store. If you are working with Firefox, download the certificate as described above, and then select Tools > Options, click Advanced, and click Certificates to import the certificate into Firefox.

After you obtain the certificate from each target server, follow the other setup steps appropriate for your programing language. For C# developers, see Setting Up for C# Development. For Java developers, see Set Up for Java Development.

For the latest information about certificates, see the vSphere Security guide at http://www.vmware.com/support/pubs/.

Updating the Active Directory Group Policy to Accept Certificates

If you have a configuration where the VMware Certificate Authority is an intermediate Certificate Authority, a Custom Certificate, or another certificate that is not trusted in your environment, and:

■	you have a Web browser that uses the operating certificate store on Windows (such as Internet Explorer and Google Chrome)

■	you can access the vCenter Server from several different machines

you can import the root certificate into the group policy of your Active Directory environment to make the certificates trusted in your Active Directory domain.

To import the root certificate

1	Go to the URL of the vCenter Server system or the vCenter Server Virtual Appliance using a client system web browser.

2	Click the Download trusted root CA certificates link at the bottom of the grey box on the right and download the file.

3	Change the extension of the file to .zip.

4	The file is a ZIP file of all root certificates and all CRLs in the VMware Endpoint Certificate Store (VECS)

5	Extract the ZIP file.

6	The result is a .certs folder that contains two types of files. Files with a number extension (.0, .1, and so on) are root certificates. Files with a extension that starts with an r (.r0,. r1, and so on) are CRL files associated with a certificate.

7	Open the Active Directory Group Policy Management Editor.

8	Open Public Key Policies and select Intermediate Certification Authorities.

9	Add the certificate file or files that you downloaded.

10	From your Windows command prompt, run gpupdate /force to force an update.

Firefox has its own trusted roots store and does not use the operating system store. If you are working with Firefox, download the certificate as described above, and then select Tools > Options, click Advanced, and click Certificates to import the certificate into Firefox.