VMware Endpoint Certificate Store (VECS) serves as a local repository for certificates, private keys, and other certificate information that can be stored in a keystore. You can decide not to use VMCA as your certificate authority and certificate signer, but you must use VECS to store all vCenter certificates, keys, and so on. ESXi certificates are stored locally on each host and not in VECS.
VECS runs as part of the VMware Authentication Framework Daemon (VMAFD). VECS runs on every embedded deployment, Platform Services Controller node, and management node (vCenter) and holds the keystores that contain the certificates and keys.
VECS polls VMware Directory Service (vmdir) periodically for updates to the TRUSTED_ROOTS store. You can also explicitly manage certificates and keys in VECS using vecs-cli commands.
VECS Default Stores
1: Machine SSL Store (MACHINE_SSL_CERT)
This store is used by the reverse proxy service on every vSphere node. This store is also used by the VMware Directory Service (vmdir) on embedded deployments and on each Platform Services Controller node.
2: Trusted root store (TRUSTED_ROOTS and TRUSTED_ROOT_CRLS)
This store contains all of your trusted root certificates.
3: Solution User Stores
There are five solution users in vSphere 6 –
- Machine
- vpxd
- vpxd-extensions
- vSphere web client
VECS includes one store for each solution user. The subject of each solution user certificate must be unique, for example, the machine certificate cannot have the same subject as the vpxd certificate. Solution user certificates are used for authentication with vCenter Single Sign-On. vCenter Single Sign-On checks that the certificate is valid, but does not check other certificate attributes.
- The machine endpoint is used by the logging service, component manager, and license server.
- The vpxd solution user is for vCenter Server and is used to authenticate to vCenter Single Sign-On.
- The vpxd-extension solution user is used by Auto Deploy and Inventory Service.
- The vsphere-webclient solution user is used by the vSphere Web Client.
4: BACKUP_STORE
This store holds a backup of the most recent state of the certificates that you can restore. Unfortunately, at this point, it keeps only a single restore point, but it is still useful.
Other Stores
Other stores might be added by solutions. For example, the Virtual Volumes solution adds an SMS store. Do not modify the certificates in those stores unless VMware documentation or a VMware Knowledge Base article instructs you to do so.
Listing VECS Stores
To see a list of your current stores on a PSC node via the CLI:
psc02:~ # /usr/lib/vmware-vmafd/bin/vecs-cli store list
MACHINE_SSL_CERT
TRUSTED_ROOTS
TRUSTED_ROOT_CRLS
machine
vsphere-webclient
BACKUP_STORE
On a vCenter Server node:
vcentersrv02:~ # /usr/lib/vmware-vmafd/bin/vecs-cli store list
MACHINE_SSL_CERT
TRUSTED_ROOTS
TRUSTED_ROOT_CRLS
machine
vsphere-webclient
vpxd
vpxd-extension
SMS
BACKUP_STORE
Via the GUI
Log in to the PSC UI at https://psc-fqdn/psc and select Certificate Store in the left-hand pane to see the list of stores.
On a Windows-based PSC, vecs-cli is located at C:\Program Files\VMware\vCenter Server\vmafdd\vecs-cli.exe
To see a list of all options available with vecs-cli, run the command with the help switch (I have snipped the output):
psc02:~ # /usr/lib/vmware-vmafd/bin/vecs-cli help
Usage: vecs-cli { arguments }
Arguments:
    store create --name <name> [--server <server-name>] [--upn <user-name>]
    store list [--server <server-name>] [--upn <user-name>]
    store delete --name <name> [ --password <password> ] [--server <server-name>] [--upn <user-name>] [-y]
    store permission --name <name> --user <username> --grant|--revoke read|write
    store get-permissions --name <name> [--server <server-name>] [--upn <user-name>]
Once you have a list of all of your current stores, you can output the certificates and private keys in that store by running the following commands:
Note: I have truncated the certificate information.
psc02:~ # /usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store machine --alias machine
-----BEGIN CERTIFICATE-----
MIIEJjCCAw6gAwIBAgIJAMkPi6wign0tMA0GCSqGSIb3DQEBCwUAMIGGMQswCQYD
VQQGEwJVUzEUMBIGCgmSJomT8ixkARkWBGFsZXgxEzARBgoJkiaJk/IsZAEZFgNs
YWIxEzARBgNVBAgTCkNhbGlmb3JuaWExGTAXBgNVBAoTEHBzYzAyLmFsZXgubG9j
psc02:~ # /usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store machine --alias machine
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDWkFYZRVujeIGE
XhAi6tndg1XYxmlG1SLgDPjP25BoVz5cFz9WkBs6iO15N4eio3BUrLykOUyMsHQ9
Ne8fzQzNJOSTFNgVXqKyULNb8wJ8YOBXgKt828pi4oLONhpxiUU9J2y8nGNvHBmG
Creating/Deleting a Store
You can create or delete a store using the commands below:
psc02:~ # /usr/lib/vmware-vmafd/bin/vecs-cli store create --name Test-Store
Successfully created store [Test-Store]
psc02:~ # /usr/lib/vmware-vmafd/bin/vecs-cli store list
MACHINE_SSL_CERT
TRUSTED_ROOTS
TRUSTED_ROOT_CRLS
machine
vsphere-webclient
BACKUP_STORE
Test-Store
psc02:~ # /usr/lib/vmware-vmafd/bin/vecs-cli store delete --name Test-Store
Warning: This operation will delete store [Test-Store]
Do you wish to continue? Y/N [N] Y
Successfully deleted store [Test-Store]
Grant read/write permissions to users on a specific store
List the current permissions of a store:
psc02:~ # /usr/lib/vmware-vmafd/bin/vecs-cli store get-permissions --name machine
PERMISSIONS FOR STORE: [machine]
OWNER : root
USER ACCESS
cm read
Grant write permission to a user on a store:
/usr/lib/vmware-vmafd/bin/vecs-cli store permission --name store-name --user username --grant write
Revoke write permission of a user from a store:
/usr/lib/vmware-vmafd/bin/vecs-cli store permission --name store-name --user username --revoke write
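Because anyone with read access to a solution user store can dump its private key with entry getkey, it is worth auditing these grants regularly. The script below is an added example (not code from the post or from VMware): it drives vecs-cli from Python, parses the store get-permissions output in the layout shown above, and flags any write grant and any read grant on a private-key store that is not on an allow-list. The vecs-cli path and output layout come from the post; KEY_STORES, the "cm" allow-list default and the sample output are my assumptions.

```python
import subprocess

VECS_CLI = "/usr/lib/vmware-vmafd/bin/vecs-cli"  # Linux path used in the post
KEY_STORES = {"MACHINE_SSL_CERT", "machine", "vpxd", "vpxd-extension", "vsphere-webclient"}  # assumption

# Constructed sample, copied from the get-permissions output shown in the post.
SAMPLE_OUTPUT = """PERMISSIONS FOR STORE: [machine]
OWNER : root
USER ACCESS
cm read
"""

def parse_permissions(text):
    """Return (owner, {user: set(access)}) from 'store get-permissions' output."""
    owner, grants, in_users = None, {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("OWNER"):
            owner = line.split(":", 1)[1].strip()
        elif line == "USER ACCESS":
            in_users = True  # one "<user> <access>" line per grant follows this header
        elif in_users and len(line.split()) >= 2:
            user, access = line.split(None, 1)
            grants.setdefault(user, set()).add(access.strip())
    return owner, grants

def audit_store(name, text, expected_owner="root", allowed_readers=()):
    """Return findings for one store; an empty list means nothing to review."""
    owner, grants = parse_permissions(text)
    findings = []
    if owner != expected_owner:
        findings.append(f"{name}: owner is {owner!r}, expected {expected_owner!r}")
    for user, access in grants.items():
        if "write" in access:  # write lets the user replace certificates and keys
            findings.append(f"{name}: {user} has write access")
        elif name in KEY_STORES and user not in allowed_readers:
            findings.append(f"{name}: {user} can read (private key store)")
    return findings

def run_vecs(*args):
    """Run vecs-cli with the given arguments and return its stdout."""
    return subprocess.run([VECS_CLI, *args], check=True, text=True, capture_output=True).stdout

def audit_all(allowed_readers=("cm",)):
    """Query every store on this node; 'cm' reading the machine store is expected (see the post)."""
    findings = []
    for store in run_vecs("store", "list").split():
        text = run_vecs("store", "get-permissions", "--name", store)
        findings += audit_store(store, text, allowed_readers=allowed_readers)
    return findings
```

Run audit_all() on the node itself; audit_store("machine", SAMPLE_OUTPUT, allowed_readers=("cm",)) returns an empty list for the sample above.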
Force a refresh of information from vmdir:
/usr/lib/vmware-vmafd/bin/vecs-cli force-refresh
I hope you enjoyed reading this post. Feel free to share this on social media if it is worth sharing.