nerdexam
Broadcom-VMware

2V0-622 · Question #29

Which three options are available for replacing vCenter Server Security Certificates? (Choose three.)

The correct answer is A. Replace with Certificates signed by the VMware Certificate Authority. B. Make VMware Certificate Authority an Intermediate Certificate Authority. C. Do not use VMware Certificate Authority, provision your own Certificates.. vCenter Server provides three supported modes for managing TLS certificates: using VMCA-signed certs, making VMCA an intermediate CA chained to an enterprise CA, or bypassing VMCA entirely with custom certificates.

Section 1 – Configure and Administer vSphere 6.5 Security

Question

Which three options are available for replacing vCenter Server Security Certificates? (Choose three.)

Options

  • AReplace with Certificates signed by the VMware Certificate Authority.
  • BMake VMware Certificate Authority an Intermediate Certificate Authority.
  • CDo not use VMware Certificate Authority, provision your own Certificates.
  • DUse SSL Thumbprint mode.
  • EReplace all VMware Certificate Authority issued Certificates with self-signed Certificates.

How the community answered

(23 responses)
  • A
    91% (21)
  • D
    4% (1)
  • E
    4% (1)

Why each option

vCenter Server provides three supported modes for managing TLS certificates: using VMCA-signed certs, making VMCA an intermediate CA chained to an enterprise CA, or bypassing VMCA entirely with custom certificates.

AReplace with Certificates signed by the VMware Certificate Authority.Correct

Replacing certificates with VMCA-signed ones is the default supported option, where VMCA acts as the root CA and signs all solution and machine certificates in the environment.

BMake VMware Certificate Authority an Intermediate Certificate Authority.Correct

Making VMCA an intermediate CA allows an enterprise or third-party root CA to sit above VMCA in the chain, satisfying corporate PKI policies while still leveraging VMCA for internal certificate distribution.

CDo not use VMware Certificate Authority, provision your own Certificates.Correct

Administrators can fully bypass VMCA and provision all certificates from an external CA, giving complete control over the certificate chain to match enterprise security requirements.

DUse SSL Thumbprint mode.

SSL Thumbprint mode is a legacy ESXi host connection mode for bypassing certificate verification, not a certificate replacement strategy for vCenter Server.

EReplace all VMware Certificate Authority issued Certificates with self-signed Certificates.

Replacing VMCA-issued certificates with self-signed certificates is not a supported or recommended workflow - self-signed certs outside VMCA introduce unmanaged trust anchor issues.

Concept tested: vCenter Server certificate management modes

Source: https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.authentication.doc/GUID-0076A3A6-5D4C-407D-A7B5-9B64AD97CCA3.html

Topics

#vCenter certificates#VMCA#certificate replacement options#intermediate CA

Community Discussion

No community discussion yet for this question.

Full 2V0-622 Practice