nerdexam
Broadcom-VMware

2V0-621 · Question #244

An administrator is implementing a vSphere 6.x environment containing one vCenter and five ESXi hosts. The administrator has just finished deploying the vCenter Server appliance with an embedded Platf

The correct answer is A. Replace the VMCA root certificate before adding the ESXi hosts to vCenter Server.. Replacing the VMCA root certificate before adding ESXi hosts ensures all hosts automatically receive certificates signed by the new root, requiring the least administrative effort.

Section 1 – Configure and Administer vSphere 6.x Security

Question

An administrator is implementing a vSphere 6.x environment containing one vCenter and five ESXi hosts. The administrator has just finished deploying the vCenter Server appliance with an embedded Platform Services Controller (PSC) and need to ensure that default security certificates within the vSphere 6.x environment are replaced with new certificates. What should the administrator do to complete this task the least administrative effort?

Options

  • AReplace the VMCA root certificate before adding the ESXi hosts to vCenter Server.
  • BCreate ESXi host security certificates using the SSL. Thumbprint mode to ensure consistency
  • CAdd the ESXi hosts to vCenter Server before updating the VMCA root certificate on the PSC.
  • DMake VMCA an Intermediate Certificate Authority to ensure each added ESXi hosts receives

How the community answered

(33 responses)
  • A
    67% (22)
  • B
    9% (3)
  • C
    3% (1)
  • D
    21% (7)

Why each option

Replacing the VMCA root certificate before adding ESXi hosts ensures all hosts automatically receive certificates signed by the new root, requiring the least administrative effort.

AReplace the VMCA root certificate before adding the ESXi hosts to vCenter Server.Correct

When the VMCA root certificate is replaced first, every ESXi host added to vCenter Server afterward automatically receives a certificate signed by the updated VMCA root. This eliminates the need to manually re-issue certificates for each host post-addition, making it the lowest-effort approach when building a new vSphere environment.

BCreate ESXi host security certificates using the SSL. Thumbprint mode to ensure consistency

SSL Thumbprint mode is a legacy fallback mechanism that does not leverage VMCA-signed certificates and does not ensure consistent PKI-based security across the environment.

CAdd the ESXi hosts to vCenter Server before updating the VMCA root certificate on the PSC.

Adding hosts before updating the VMCA root means all hosts initially receive certs from the old VMCA root, requiring a separate certificate renewal operation for each host afterward - increasing administrative effort.

DMake VMCA an Intermediate Certificate Authority to ensure each added ESXi hosts receives

Making VMCA an Intermediate CA requires integrating with an enterprise CA, submitting CSRs, and distributing new root trust chains - significantly more administrative effort than a simple VMCA root replacement.

Concept tested: VMCA root certificate replacement order for minimal effort

Source: https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.vsphere.security.doc/GUID-A2D4F1A0-E61C-4E8B-AC41-B93C8AD497FC.html

Topics

#VMCA#certificate replacement#PSC#SSL certificates

Community Discussion

No community discussion yet for this question.

Full 2V0-621 Practice