nerdexam
Broadcom-VMware

2V0-622 · Question #14

An administrator would like to use the VMware Certificate Authority (VMCA) as an Intermediate Certificate Authority (CA). The first two steps performed are: -Replace the Root Certificate -Replace Mach

The correct answer is A. Replace Solution User Certificates (Intermediate CA) C. Replace the VMware Directory Service Certificate. The VMCA Intermediate CA workflow has a defined sequence; after replacing the Root Certificate and Machine SSL Certificates, the administrator must replace Solution User Certificates (Intermediate CA) and the VMware Directory Service Certificate.

Section 1 – Configure and Administer vSphere 6.5 Security

Question

An administrator would like to use the VMware Certificate Authority (VMCA) as an Intermediate Certificate Authority (CA). The first two steps performed are:

-Replace the Root Certificate -Replace Machine Certificates (Intermediate CA) Which two steps would need to be performed next? (Choose two.)

Options

  • AReplace Solution User Certificates (Intermediate CA)
  • BReplace the VMware Directory Service Certificate (Intermediate CA)
  • CReplace the VMware Directory Service Certificate
  • DReplace Solution User Certificates

How the community answered

(29 responses)
  • A
    79% (23)
  • B
    7% (2)
  • D
    14% (4)

Why each option

The VMCA Intermediate CA workflow has a defined sequence; after replacing the Root Certificate and Machine SSL Certificates, the administrator must replace Solution User Certificates (Intermediate CA) and the VMware Directory Service Certificate.

AReplace Solution User Certificates (Intermediate CA)Correct

Solution User Certificates must be replaced using the Intermediate CA option so that service-to-service authentication certificates are signed by the new intermediate CA and chain back correctly to the updated trust anchor. Skipping this step would leave solution users with certificates not aligned to the new PKI hierarchy.

BReplace the VMware Directory Service Certificate (Intermediate CA)

There is no 'Intermediate CA' variant for replacing the VMware Directory Service Certificate - that step uses a standard replacement procedure separate from the intermediate CA signing path.

CReplace the VMware Directory Service CertificateCorrect

The VMware Directory Service (vmdir) certificate is a special certificate used for LDAP replication and directory authentication, and it has its own dedicated replacement procedure. Unlike machine and solution user certificates, its replacement step does not carry an 'Intermediate CA' designation in the Certificate Manager workflow.

DReplace Solution User Certificates

Replacing Solution User Certificates without the Intermediate CA designation would sign them under the default VMCA root rather than the new intermediate CA, creating an inconsistent and broken certificate chain.

Concept tested: VMCA Intermediate CA certificate replacement workflow order

Source: https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.authentication.doc/GUID-CE52F933-6BF6-4D41-9A26-2909EC57FEE2.html

Topics

#VMCA#intermediate CA#certificate replacement#solution user certificates

Community Discussion

No community discussion yet for this question.

Full 2V0-622 Practice