vSphere Integrated Containers Certificate Reference
vSphere Integrated Containers authenticates connections to its various components by using TLS certificates. In some cases, the certificates are always automatically generated and self-signed. In other cases, you have the option of providing custom certificates.
This topic provides a reference of all of the certificates that vSphere Integrated Containers uses.
| Component | Certificate Type | Purpose | Used By |
|---|---|---|---|
| vCenter Server or ESXi host | Self-signed or custom | Required for installation of the vSphere Client plug-ins and deployment and management of virtual container hosts (VCHs). See Obtain vSphere Certificate Thumbprints. | vSphere administrator |
| vSphere Integrated Containers Management Portal | Self-signed or custom | Authenticates connections from browsers to vSphere Integrated Containers Management Portal. If you use custom certificates, vSphere Integrated Containers Management Portal requires you to provide the TLS private key as an unencrypted PEM-encoded PKCS#8-formatted file. For information about how to convert keys to PKCS#8 format, see Converting Keys for Use with vSphere Integrated Containers Management Portal. For information about how to obtain auto-generated appliance certificates, see Obtain the Thumbprints and CA Files of the vSphere Integrated Containers Appliance Certificates and Verify and Trust vSphere Integrated Containers Appliance Certificates. | Cloud and DevOps administrators, developers |
| vSphere Integrated Containers Registry | Self-signed | Authenticates connections to vSphere Integrated Containers Registry instances from Docker clients, replication of projects between registry instances, and registration of additional registry instances in the management portal. For information about how to obtain the registry certificate, see Configure System Settings. | Cloud and DevOps administrators, developers |
| vSphere Integrated Containers file server | Self-signed or custom | Authenticates connections to the Getting Started page, downloads of vSphere Integrated Containers Engine binaries, and the installation of vSphere Client plug-ins. For information about how to obtain auto-generated appliance certificates, see Obtain the Thumbprints and CA Files of the vSphere Integrated Containers Appliance Certificates and Verify and Trust vSphere Integrated Containers Appliance Certificates. | vSphere administrator, Cloud and DevOps administrators, developers |
| VCH | None, self-signed, or custom | Authenticates connections from Docker clients to VCHs. If you use custom certificates, vic-machine requires you to supply each X.509 certificate in a separate file, using PEM encoding. PKCS#7 is not supported. For information about how to convert certificates to PEM format, see Converting Certificates for Use with vSphere Integrated Containers Engine. For general information about how vic-machine uses certificates, see Virtual Container Host Security. | vSphere administrator, Cloud and DevOps administrators, developers |
| VCH Administration Portal | None, self-signed, or custom | Authenticates connections from browsers to the administration portals of individual VCHs. See VCH Administration Portal. | vSphere administrator |
Converting Keys for Use with vSphere Integrated Containers Management Portal
To convert a PKCS#1 key, or a DER-encoded key, to unencrypted PEM-encoded PKCS#8 format for use with vSphere Integrated Containers Management Portal, make sure there is no whitespace at the end of the key file and run one of the following commands:
- PEM-encoded PKCS#1 to PEM-encoded PKCS#8
$ openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in key.pem -out key.pkcs8.pem
- DER-encoded PKCS#1 to PEM-encoded PKCS#8
$ openssl pkcs8 -topk8 -inform DER -outform PEM -nocrypt -in key.der -out key.pkcs8.pem
- DER-encoded PKCS#8 to PEM-encoded PKCS#8
$ openssl pkcs8 -topk8 -inform DER -outform PEM -nocrypt -in key.pkcs8.der -out key.pkcs8.pem
The -topk8 option is kept on the last command as well, because without it OpenSSL 1.0.x writes the output in traditional (PKCS#1) format rather than PKCS#8. The -nocrypt option is required in every case: the management portal does not accept an encrypted (passphrase-protected) PKCS#8 key.
Converting Certificates for Use with vSphere Integrated Containers Engine
To unwrap the certificates from a PKCS#7 bundle for use with vic-machine, run the following command:
$ openssl pkcs7 -print_certs -in cert_name.pem -out chain.pem
The resulting chain.pem contains one PEM CERTIFICATE block per certificate in the bundle. Because vic-machine expects each X.509 certificate in a separate PEM file, split chain.pem into one file per certificate before passing the files to vic-machine.
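Both conversion sections above boil down to the same preflight question: is this file already in the format the component accepts (an unencrypted PEM PKCS#8 key for the management portal, plain PEM X.509 certificates rather than a PKCS#7 bundle for vic-machine, no trailing whitespace)? The following script is an added example, not part of the vSphere Integrated Containers documentation or product, that answers that question by inspecting the PEM labels of a file, which is enough to tell PKCS#1, PKCS#8 (encrypted or not) and PKCS#7 apart without parsing ASN.1. The function names and the sample inputs are constructed for illustration; the sample PEM bodies are placeholder strings, not real key or certificate material.

```python
import re
import sys

# PEM labels (RFC 7468 and the OpenSSL "traditional" labels) mapped to the
# key encoding each one denotes.
KEY_LABELS = {
    "PRIVATE KEY": "PKCS#8 (unencrypted)",
    "ENCRYPTED PRIVATE KEY": "PKCS#8 (encrypted)",
    "RSA PRIVATE KEY": "PKCS#1 (RSA, traditional)",
    "EC PRIVATE KEY": "SEC1 (EC, traditional)",
    "DSA PRIVATE KEY": "traditional DSA",
}

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S
)


def pem_blocks(data: str):
    """Return a list of (label, body) tuples for every PEM block in data."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(data)]


def check_portal_key(data: str) -> dict:
    """Preflight a private key for the Management Portal: exactly one
    unencrypted PEM-encoded PKCS#8 key with nothing after the END line."""
    result = {"ok": False, "format": None, "problems": []}
    blocks = pem_blocks(data)
    if not blocks:
        result["problems"].append(
            "no PEM block found (DER input? convert with openssl pkcs8 -inform DER)")
        return result
    if len(blocks) != 1:
        result["problems"].append(f"expected one key block, found {len(blocks)}")
    label = blocks[0][0]
    fmt = KEY_LABELS.get(label, f"unknown label {label!r}")
    result["format"] = fmt
    if label == "ENCRYPTED PRIVATE KEY":
        result["problems"].append("key is encrypted; re-export with -nocrypt")
    elif label != "PRIVATE KEY":
        result["problems"].append(
            f"key is {fmt}; convert with openssl pkcs8 -topk8 -nocrypt")
    # The portal rejects keys with whitespace after the final END line, so the
    # file must end exactly at the closing dashes (optionally one newline).
    if not (data.endswith("-----\n") or data.endswith("-----")):
        result["problems"].append("trailing whitespace after the END line")
    result["ok"] = not result["problems"]
    return result


def check_vch_certs(data: str) -> dict:
    """Preflight a certificate file for vic-machine: PEM X.509 certificates
    only; a PKCS#7 bundle must first be unwrapped with openssl pkcs7 -print_certs."""
    blocks = pem_blocks(data)
    labels = [label for label, _ in blocks]
    result = {"ok": False, "certificates": labels.count("CERTIFICATE"), "problems": []}
    if not blocks:
        result["problems"].append("no PEM block found")
    for label in labels:
        if label == "PKCS7":
            result["problems"].append(
                "PKCS#7 bundle; unwrap with openssl pkcs7 -print_certs")
        elif label != "CERTIFICATE":
            result["problems"].append(f"unexpected PEM block {label!r}")
    result["ok"] = not result["problems"]
    return result


# Constructed sample inputs with placeholder bodies (not real key material).
PKCS1_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA\n-----END RSA PRIVATE KEY-----\n"
PKCS8_KEY = "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkq\n-----END PRIVATE KEY-----\n"
PKCS8_KEY_TRAILING = PKCS8_KEY + "\n   "
PKCS7_BUNDLE = "-----BEGIN PKCS7-----\nMIIGxQYJKoZIhvcN\n-----END PKCS7-----\n"
PEM_CHAIN = "-----BEGIN CERTIFICATE-----\nMIIDdzCCAl+gAwIB\n-----END CERTIFICATE-----\n" * 2

if __name__ == "__main__":
    # Usage: python preflight.py key.pem cert.pem  (or no arguments for the samples)
    if len(sys.argv) == 3:
        print(check_portal_key(open(sys.argv[1]).read()))
        print(check_vch_certs(open(sys.argv[2]).read()))
    else:
        for name, key in [("PKCS#1", PKCS1_KEY), ("PKCS#8", PKCS8_KEY),
                          ("PKCS#8 + trailing ws", PKCS8_KEY_TRAILING)]:
            print(name, check_portal_key(key))
        print("PEM chain", check_vch_certs(PEM_CHAIN))
        print("PKCS#7", check_vch_certs(PKCS7_BUNDLE))
```

The check deliberately looks only at PEM labels: a DER file has no label at all and is reported as "no PEM block found", which is the cue to use the -inform DER commands above. Run it against the key and certificate files before uploading them to the portal or passing them to vic-machine, and only convert the files the check flags.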