vSphere Integrated Containers Certificate Reference

vSphere Integrated Containers authenticates connections to its various components by using TLS certificates. In some cases, the certificates are always automatically generated and self-signed. In other cases, you have the option of providing custom certificates.

This topic provides a reference of all of the certificates that vSphere Integrated Containers uses.

| Component | Certificate Type | Purpose | Used By |
|---|---|---|---|
| vCenter Server or ESXi host | Self-signed or custom | Required for installation of the vSphere Client plug-ins and deployment and management of virtual container hosts (VCHs). See Obtain vSphere Certificate Thumbprints. | vSphere administrator |
| vSphere Integrated Containers Management Portal | Self-signed or custom | Authenticates connections from browsers to vSphere Integrated Containers Management Portal. If you use custom certificates, vSphere Integrated Containers Management Portal requires you to provide the TLS private key as an unencrypted PEM-encoded PKCS#8-formatted file. For information about how to convert keys to PKCS#8 format, see Converting Keys for Use with vSphere Integrated Containers. For information about how to obtain auto-generated appliance certificates, see Obtain the Thumbprints and CA Files of the vSphere Integrated Containers Appliance Certificates and Verify and Trust vSphere Integrated Containers Appliance Certificates. | Cloud and DevOps administrators, developers |
| vSphere Integrated Containers Registry | Self-signed | Authenticates connections to vSphere Integrated Containers Registry instances from Docker clients, replication of projects between registry instances, and registration of additional registry instances in the management portal. For information about how to obtain the registry certificate, see Configure System Settings. | Cloud and DevOps administrators, developers |
| vSphere Integrated Containers file server | Self-signed or custom | Authenticates connections to the Getting Started page, downloads of vSphere Integrated Containers Engine binaries, and the installation of vSphere Client plug-ins. For information about how to obtain auto-generated appliance certificates, see Obtain the Thumbprints and CA Files of the vSphere Integrated Containers Appliance Certificates and Verify and Trust vSphere Integrated Containers Appliance Certificates. | vSphere administrator, Cloud and DevOps administrators, developers |
| VCH | None, self-signed, or custom | Authenticates connections from Docker clients to VCHs. If you use custom certificates, vic-machine requires you to supply each X.509 certificate in a separate file, using PEM encoding. PKCS#7 is not supported. For information about how to convert certificates to PEM format, see Converting Certificates for Use with vSphere Integrated Containers. For general information about how vic-machine uses certificates, see Virtual Container Host Security. | vSphere administrator, Cloud and DevOps administrators, developers |
| VCH Administration Portal | None, self-signed, or custom | Authenticates connections from browsers to the administration portals of individual VCHs. See VCH Administration Portal. | vSphere administrator |

Converting Keys for Use with vSphere Integrated Containers Management Portal

To convert a PKCS#1 key to PKCS#8 format for use with vSphere Integrated Containers Management Portal, make sure there is no whitespace at the end of the key and run one of the following commands:

  • PEM-encoded PKCS#1 to PEM-encoded PKCS#8
    $ openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in key.pem -out key.pkcs8.pem
  • DER-encoded PKCS#1 to PEM-encoded PKCS#8
    $ openssl pkcs8 -topk8 -inform DER -outform PEM -nocrypt -in key.der -out key.pkcs8.pem
  • DER-encoded PKCS#8 to PEM-encoded PKCS#8
    $ openssl pkcs8 -inform DER -outform PEM -nocrypt -in key.pkcs8.der -out key.pkcs8.pem

Converting Certificates for Use with vSphere Integrated Containers Engine

To unwrap the certificates from a PEM-encoded PKCS#7 file for use with vic-machine, run the following command:

$ openssl pkcs7 -print_certs -in cert_name.pem -out chain.pem
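
The format requirements in the certificate reference and the two conversion procedures above can be checked before the files are handed to the management portal or to vic-machine. The following shell functions are an added example, not part of the vSphere Integrated Containers documentation or tooling; the function names and the `cert-N.pem` output naming are assumptions, and the sample chain is constructed with placeholder bodies rather than real certificates.

```shell
#!/bin/sh
# Added example: pre-flight checks for the key and certificate formats above.

# pem_kind FILE: classify a PEM file by its first BEGIN line.
pem_kind() {
  hdr=$(sed -n '/^-----BEGIN /{p;q;}' "$1" 2>/dev/null)
  case "$hdr" in
    '-----BEGIN PRIVATE KEY-----')           echo pkcs8 ;;
    '-----BEGIN ENCRYPTED PRIVATE KEY-----') echo pkcs8-encrypted ;;
    '-----BEGIN RSA PRIVATE KEY-----')       echo pkcs1 ;;
    '-----BEGIN PKCS7-----')                 echo pkcs7 ;;
    '-----BEGIN CERTIFICATE-----')           echo cert ;;
    *)                                       echo unknown ;;  # DER, CRLF endings, other
  esac
}

# portal_key_ok FILE: succeeds only for an unencrypted PEM PKCS#8 key that has
# no trailing whitespace on any line and no blank lines.
portal_key_ok() {
  [ "$(pem_kind "$1")" = pkcs8 ] && ! grep -q -e '[[:space:]]$' -e '^$' "$1"
}

# split_chain CHAIN OUTDIR: write each certificate to OUTDIR/cert-N.pem,
# dropping the subject=/issuer= lines that `openssl pkcs7 -print_certs` emits,
# and print how many certificates were written.
split_chain() {
  mkdir -p "$2" || return 1
  awk -v dir="$2" '
    /^-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%d.pem", dir, n); keep = 1 }
    keep                           { print > out }
    /^-----END CERTIFICATE-----/   { keep = 0; close(out) }
    END                            { print n + 0 }
  ' "$1"
}

# Constructed sample in the layout of a -print_certs chain.pem (placeholder
# base64 bodies, not real certificates).
demo=$(mktemp -d)
printf '%s\n' 'subject=CN = leaf.example' 'issuer=CN = ca.example' \
  '-----BEGIN CERTIFICATE-----' 'QUJD' '-----END CERTIFICATE-----' '' \
  'subject=CN = ca.example' 'issuer=CN = ca.example' \
  '-----BEGIN CERTIFICATE-----' 'REVG' '-----END CERTIFICATE-----' '' > "$demo/chain.pem"
echo "kind: $(pem_kind "$demo/chain.pem"), split into $(split_chain "$demo/chain.pem" "$demo/out") files"
```

A result of `pkcs1` or `pkcs8-encrypted` from `pem_kind` means the key still needs one of the `openssl pkcs8` conversions above before the management portal will accept it, and `pkcs7` means the file must be unwrapped before vic-machine can use it.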
