Exam 2V0-21.23 topic 1 question 16 discussion

BDE is the correct answer.

You can use the following vSphere Certificate Manager options: Replace VMCA Root Certificate with Custom Signing Certificate and Replace All Certificates Replace Machine SSL Certificate with VMCA Certificate (multi-node enhanced linked mode deployment) Replace Solution User Certificate with VMCA Certificate (multi-node enhanced linked mode deployment) https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-authentication/GUID-4469A6D3-048A-471C-9CB4-518A15EA2AC0.html#making-vmca-an-intermediate-certificate-authority-1

https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.psc.doc/GUID-7F63F6D3-67E5-4C8B-B5EF-5C67F71E82B4.html

Today I took the exam and I got the following variant to this question: An administrator is tasked with configuring certificates for a VMware software-defined data center (SDDC) based on the following new corporate security policy: - All solutions must only use certificates signed by the Enterprise Certificate Authority (CA). - No intermediate CAs are allowed in the certificate chain. Which two actions should the administrator take to ensure the solution meets corporate policy? (Choose two.) A. Replace the solution user certificates with trusted certificates generated from the VMware Certificate Authority (VMCA). B. Replace the solution user certificates with custom certificates generated from the Enterprise CA. C. Replace the machine SSL certificates with trusted certificates generated from the VMware Certificate Authority (VMCA). D. Replace the VMware Certificate Authority (VMCA) certificate with a custom certificate generated from the Enterprise CA. E. Replace the machine SSL certificates with custom certificates generated from the Enterprise CA.

An administrator is tasked with configuring certificates for a VMware software-defined data center (SDDC) based on the following new corporate security policy: - All solutions must only use certificates signed by the Enterprise Certificate Authority (CA). - No intermediate CAs are allowed in the certificate chain. Which two actions should the administrator take to ensure the solution meets corporate policy? (Choose two.) A. Replace the solution user certificates with trusted certificates generated from the VMware Certificate Authority (VMCA). B. Replace the solution user certificates with custom certificates generated from the Enterprise CA. C. Replace the machine SSL certificates with trusted certificates generated from the VMware Certificate Authority (VMCA). D. Replace the VMware Certificate Authority (VMCA) certificate with a custom certificate generated from the Enterprise CA. E. Replace the machine SSL certificates with custom certificates generated from the Enterprise CA.

A. Replace the solution user certificates with trusted certificates generated from the VMware Certificate Authority (VMCA). B. Replace the solution user certificates with custom certificates generated from the Enterprise CA. C. Replace the machine SSL certificates with trusted certificates generated from the VMware Certificate Authority (VMCA). D. Replace the VMware Certificate Authority (VMCA) certificate with a custom certificate generated from the Enterprise CA. E. Replace the machine SSL certificates with custom certificates generated from the Enterprise CA.

today I took the exam and I got the following variant to this question:

Selected this based on these are the only options using the External Enterprise CA.

This one line gives you the answer: All certificates should use certificates trusted by the Enterprise Certificate Authority (CA).

Hybird mode should be only replace machine SSL signed by Enterprise CA. The rest still handling by VMCA.

Selected this based on these are the only options using the External Enterprise CA.

CDF is the correct thing to do after all. Looking at this article: https://openssl-ca.readthedocs.io/en/latest/create-the-intermediate-pair.html it is possible to create intermediate certificate that can sign certificates on behalf of the root CA. This vmware article makes it possible https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-authentication/GUID-5FE583A2-3737-4B62-A905-5BB38D479AE0.html#GUID-5FE583A2-3737-4B62-A905-5BB38D479AE0

BDF(Hybrid Approach) https://core.vmware.com/resource/vsphere-certificate-management#section2

I had a question like this, but with two options.

I think CDF is the correct answer. You can issue a Certificate for the VMCA, making the VMCA an Intermediate CA in the process. Then, issue the rest of the certs using the VMCA to simplify the renewal process. https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-authentication/GUID-4469A6D3-048A-471C-9CB4-518A15EA2AC0.html#making-vmca-an-intermediate-certificate-authority-1 ("Making VMCA an Intermediate Certificate Authority" approach)

View the table in the link. It talks about using subordinate CA apporach. https://blogs.vmware.com/vsphere/files/2017/01/Hybrid-PWT-Table.png https://blogs.vmware.com/vsphere/2017/01/walkthrough-hybrid-ssl-certificate-replacement.html

CDF. As others have stated, this accomplishes the goal of easy certificate deployment, and since your VMCA cert is issued by the Company CA, all certs issued by the VMCA will be in that chain.