Exam 2v0-2123
Question 16

An administrator is tasked with configuring certificates for a VMware software-defined data center (SDDC) based on the following requirements:

All certificates should use certificates trusted by the Enterprise Certificate Authority (CA).

The solution should minimize the ongoing management overhead of replacing certificates.

Which three actions should the administrator take to ensure that the solution meets corporate policy? (Choose three.)

    Correct Answer: B, D, E

    To ensure that all certificates are trusted by the Enterprise CA and to minimize ongoing management overhead, the administrator should replace the machine SSL certificates and solution user certificates with custom certificates generated from the Enterprise CA. Additionally, the VMware Certificate Authority (VMCA) certificate should be replaced with a custom certificate generated from the Enterprise CA to integrate it into the trusted chain managed by the Enterprise CA. This approach ensures that all certificates are recognized and trusted across the organization, adhering to corporate policy and reducing the need for frequent manual replacements.

Discussion
michael24 Options: BDE

BDE is the correct answer.

DeeTeeM Options: CDF

You can use the following vSphere Certificate Manager options:

- Replace VMCA Root Certificate with Custom Signing Certificate and Replace All Certificates
- Replace Machine SSL Certificate with VMCA Certificate (multi-node enhanced linked mode deployment)
- Replace Solution User Certificate with VMCA Certificate (multi-node enhanced linked mode deployment)

https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-authentication/GUID-4469A6D3-048A-471C-9CB4-518A15EA2AC0.html#making-vmca-an-intermediate-certificate-authority-1

avid_researcher Options: CDF

It's CDF. This is known as the hybrid model. The key to this question is "The solution should minimize the ongoing management overhead of replacing certificates."

Joaquino Options: CDF

I think CDF is the correct answer. You can issue a Certificate for the VMCA, making the VMCA an Intermediate CA in the process. Then, issue the rest of the certs using the VMCA to simplify the renewal process. https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-authentication/GUID-4469A6D3-048A-471C-9CB4-518A15EA2AC0.html#making-vmca-an-intermediate-certificate-authority-1 ("Making VMCA an Intermediate Certificate Authority" approach)

schuecl Options: CDF

CDF. As others have stated, this accomplishes the goal of easy certificate deployment, and since your VMCA cert is issued by the Company CA, all certs issued by the VMCA will be in that chain.

pleaseletmepassthistest

Have you taken the test? Were the same questions from here on it?

VCIXGer Options: BDE

BDE for Intermediate CA. Request A: All certificates from Company CA. Request B: less overhead to change certificate. The Hybrid Scenario changes only the machine certificate for the VMCA but not the certificates for ESXi Hosts. You can only fulfill the requirement with less overhaul. URL: https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-authentication/GUID-4469A6D3-048A-471C-9CB4-518A15EA2AC0.html#making-vmca-an-intermediate-certificate-authority-1

ertin74 Options: CDF

CDF, replacing the VMCA certificate and letting VMCA manage the other certificates.

shersha Options: BDE

BDE seems to be correct.

HenryDCase Options: BDE

This one line gives you the answer: "All certificates should use certificates trusted by the Enterprise Certificate Authority (CA)."

MalGil Options: BDE

Selected this because these are the only options using the external Enterprise CA.

vaaws Options: BDF

BDF (Hybrid Approach): https://core.vmware.com/resource/vsphere-certificate-management#section2

fabianovidalrocha

I had a question like this, but with two options.

[Removed] Options: CDF

View the table in the link. It talks about using the subordinate CA approach.
https://blogs.vmware.com/vsphere/files/2017/01/Hybrid-PWT-Table.png
https://blogs.vmware.com/vsphere/2017/01/walkthrough-hybrid-ssl-certificate-replacement.html

pleaseletmepassthistest

Have you taken the test? Were the same questions from here on it?

testing_soon Options: BDE

Why not C,D,F; replace VMCA cert with EA cert, then recreate all other certs in VMCA?

DCT Options: ACF

Hybrid mode should only replace the machine SSL with one signed by the Enterprise CA. The rest is still handled by VMCA.

elekgeek Options: CDF

CDF is the correct thing to do after all. Looking at this article: https://openssl-ca.readthedocs.io/en/latest/create-the-intermediate-pair.html it is possible to create an intermediate certificate that can sign certificates on behalf of the root CA. This VMware article makes it possible: https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-authentication/GUID-5FE583A2-3737-4B62-A905-5BB38D479AE0.html#GUID-5FE583A2-3737-4B62-A905-5BB38D479AE0

marenco Options: BDE

Option C is incorrect because replacing the machine SSL certificates with trusted certificates generated from the VMCA will not ensure that the certificates are trusted by the Enterprise CA. Option F is incorrect because replacing the solution user certificates with trusted certificates generated from the VMCA will not ensure that the certificates are trusted by the Enterprise CA. Reference: https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-A2A4371A-B888-404C-B23F-C422A8C40F54.html

lordkikuta

That link is dead, but this seems to suggest CDF, no? https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-authentication/GUID-4469A6D3-048A-471C-9CB4-518A15EA2AC0.html#making-vmca-an-intermediate-certificate-authority-1