2V0-622 · Question #29
Which three options are available for replacing vCenter Server Security Certificates? (Choose three.)
The correct answer is A. Replace with Certificates signed by the VMware Certificate Authority. B. Make VMware Certificate Authority an Intermediate Certificate Authority. C. Do not use VMware Certificate Authority, provision your own Certificates.. vCenter Server provides three supported modes for managing TLS certificates: using VMCA-signed certs, making VMCA an intermediate CA chained to an enterprise CA, or bypassing VMCA entirely with custom certificates.
Question
Which three options are available for replacing vCenter Server Security Certificates? (Choose three.)
Options
- AReplace with Certificates signed by the VMware Certificate Authority.
- BMake VMware Certificate Authority an Intermediate Certificate Authority.
- CDo not use VMware Certificate Authority, provision your own Certificates.
- DUse SSL Thumbprint mode.
- EReplace all VMware Certificate Authority issued Certificates with self-signed Certificates.
How the community answered
(23 responses)- A91% (21)
- D4% (1)
- E4% (1)
Why each option
vCenter Server provides three supported modes for managing TLS certificates: using VMCA-signed certs, making VMCA an intermediate CA chained to an enterprise CA, or bypassing VMCA entirely with custom certificates.
Replacing certificates with VMCA-signed ones is the default supported option, where VMCA acts as the root CA and signs all solution and machine certificates in the environment.
Making VMCA an intermediate CA allows an enterprise or third-party root CA to sit above VMCA in the chain, satisfying corporate PKI policies while still leveraging VMCA for internal certificate distribution.
Administrators can fully bypass VMCA and provision all certificates from an external CA, giving complete control over the certificate chain to match enterprise security requirements.
SSL Thumbprint mode is a legacy ESXi host connection mode for bypassing certificate verification, not a certificate replacement strategy for vCenter Server.
Replacing VMCA-issued certificates with self-signed certificates is not a supported or recommended workflow - self-signed certs outside VMCA introduce unmanaged trust anchor issues.
Concept tested: vCenter Server certificate management modes
Source: https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.authentication.doc/GUID-0076A3A6-5D4C-407D-A7B5-9B64AD97CCA3.html
Topics
Community Discussion
No community discussion yet for this question.