Certificate lifecycle management is not something anyone looks forward to: it is time consuming and usually not automated. However, it is a necessity for many of our customers. The process gets even more challenging when certificates need to be replaced across multiple VMware products; not only does that require careful orchestration, but properly re-establishing trust between the products adds another layer of operational complexity. Within the Integrated System Business Unit (ISBU) at VMware, which produces both the VMware Validated Design (VVD) and VMware Cloud Foundation (VCF), the team has been working on a way to simplify certificate management, not only for individual products (working with the product teams) but also holistically at the VMware SDDC level.
This initially started with the development of a tool called the Certificate Generation Utility (CertGen), which helps customers generate new certificates for the various products within the VMware SDDC. Although it was developed for the VVD, any VMware customer who consumes products covered by the VVD can also leverage this tool. We all know certificate generation can be a pain, but it is not as challenging or as complex as the actual certificate replacement process itself, which is also fully documented by the VVD team here.
This is where the new Fling comes in: the SDDC Certificate Tool automates the manual steps outlined by the VVD and helps customers easily replace certificates they have created (with CertGen or another process), orchestrating the replacement across the different products within the SDDC. The tool is command-line driven and uses a JSON configuration file which can contain all or a subset of the VMware SDDC products, which is great for supporting different environments and allows for easy source control. Extensive pre-checks are also built into the tool to validate the certificates themselves (e.g. expiry, chain validation, etc.) and to prevent mismatched information (e.g. SAN entries, number of nodes, etc.); these are compared against your actual environment before any changes are applied. The JSON also contains a section referred to as Service Accounts, which is simply the accounts for the other VMware products that the tool uses to re-establish trust after replacing the certificate for a given product.
One thing to be aware of for VCF customers is that this tool is already integrated into SDDC Manager, which sits outside of all the VMware products and is the key piece of infrastructure providing certificate lifecycle management for the VCF solution.
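The pre-checks described above (chain validation, expiry and SAN entries matching what the environment expects) can be reproduced with plain openssl. This is an added shell example, not the Fling's own code; the root CA, the vc01.example.local leaf certificate and the expected hostnames are all constructed here.

```shell
#!/bin/sh
# Constructed example: build a throwaway CA and a leaf certificate, then run the
# kind of pre-checks the text describes (chain, expiry, SAN coverage) against them.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway root CA (assumed name; nothing here comes from a real environment).
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Example Root CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
# Leaf certificate for a hypothetical vCenter node, valid 90 days, with two SAN entries.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=vc01.example.local" \
  -keyout "$WORK/vc01.key" -out "$WORK/vc01.csr" 2>/dev/null
printf 'subjectAltName=DNS:vc01.example.local,DNS:vc01\n' > "$WORK/san.cnf"
openssl x509 -req -in "$WORK/vc01.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 90 -extfile "$WORK/san.cnf" -out "$WORK/vc01.pem" 2>/dev/null

# precheck_cert CERT CHAIN "expected names" [MIN_DAYS]
# Returns 0 only if CERT chains to CHAIN, stays valid for at least MIN_DAYS more
# (default 30) and its SAN list contains every expected name; otherwise prints
# the first failing check and returns 1, mirroring a "stop before any change" policy.
precheck_cert() {
  cert=$1; chain=$2; expected=$3; min_days=${4:-30}
  openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1 \
    || { echo "FAIL: $cert does not chain to $chain"; return 1; }
  openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null \
    || { echo "FAIL: $cert expires within $min_days days"; return 1; }
  # Pull the DNS names out of the SAN extension, one per line.
  sans=$(openssl x509 -in "$cert" -noout -text | grep -A1 'Subject Alternative Name' \
         | tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p')
  for name in $expected; do
    echo "$sans" | grep -qx "$name" \
      || { echo "FAIL: $cert SAN list lacks $name"; return 1; }
  done
  echo "OK: $cert passes pre-checks"
}

# The names a (hypothetical) JSON config would declare for this node.
precheck_cert "$WORK/vc01.pem" "$WORK/ca.pem" "vc01.example.local vc01" 30
```

A SAN entry missing from the certificate or a validity window shorter than the requested minimum makes the function return 1 before anything else would run.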
Here is a quick video of how the certificate replacement tool works:
The Fling currently supports the following products:
| Product | Minimum Version | Maximum Version |
|---|---|---|
| Platform Services Controller | 6.0 U2 | 6.7 |
| vCenter Server | 6.0 U2 | 6.7 |
| vRealize Log Insight | 3.6 | 4.6 |
| vRealize Operations Manager | 6.3 | 6.7 |
| vRealize Business for Cloud | 7.1 | 7.4 |
Note: One thing you may notice above is that ESXi is currently not supported. The reason for this is primarily the time it takes to lifecycle certificates for an ESXi host, since that requires evacuating VMs off the host, which can take significantly longer than replacing the certificates for all the other products. If this is something you would like to see, feel free to leave a comment describing the type of workflow you would like.
If you have any feedback or enhancements you would like to suggest, please leave a comment on the Fling page, which is monitored by the developers.