ExamTopics Logo
Mail Us[email protected]
Menu
Vmware Discussions
exam questions

Exam 2V0-21.23 All Questions

View all questions & answers for the 2V0-21.23 exam
Go to Exam

Exam 2V0-21.23 topic 1 question 16 discussion

Actual exam question from VMware's 2V0-21.23
Question #: 16
Topic #: 1
[All 2V0-21.23 Questions]

An administrator is tasked with configuring certificates for a VMware software-defined data center (SDDC) based on the following requirements:
All certificates should use certificates trusted by the Enterprise Certificate Authority (CA).
The solution should minimize the ongoing management overhead of replacing certificates.
Which three actions should the administrator take to ensure that the solution meets corporate policy? (Choose three.)

  • A. Replace the VMware Certificate Authority (VMCA) certificate with a self-signed certificate generated from the VMCA.
  • B. Replace the machine SSL certificates with custom certificates generated from the Enterprise CA.
  • C. Replace the machine SSL certificates with trusted certificates generated from the VMware Certificate Authority (VMCA).
  • D. Replace the VMware Certificate Authority (VMCA) certificate with a custom certificate generated from the Enterprise CA.
  • E. Replace the solution user certificates with custom certificates generated from the Enterprise CA.
  • F. Replace the solution user certificates with trusted certificates generated from the VMware Certificate Authority (VMCA).
Show Suggested Answer Hide Answer
Suggested Answer: CDF 🗳️
by michael24 at May 31, 2023, 12:31 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
michael24
Highly Voted 2 years, 2 months ago
BDE is the correct answer.
upvoted 17 times
VMWare_Admin
6 months ago
You didn't understand the concept of how to make VMCA an intermediate CA and ensure that from vSphere you can renew certificates, making them trusted by your private Enterprise CA. This is the goal of the question: 1 - "All certificates should use certificates trusted by the Enterprise Certificate Authority (CA)" → The certificates will still be trusted since VMCA is an intermediate CA of the Enterprise CA. 2 - "The solution should minimize the ongoing management overhead of replacing certificates." → This is the key point of the question because the certificates will be renewable from vSphere ! Answering the way you suggest, you would then have to manually replace the certificates one by one as they are about to expire, and that is not the goal of the question. So the correct answer is CDF! Since you're putting this option first, you're creating a lot of entropy! 😜
upvoted 4 times
Pina79
2 weeks, 6 days ago
Totally agreed! BDE answer cause overheads, also with BDE you're not delagating vcenter to manage anything, so 3rd party system involved = more work
upvoted 1 times
...
...
...
DeeTeeM
Highly Voted 1 year, 10 months ago
Selected Answer: CDF
You can use the following vSphere Certificate Manager options: Replace VMCA Root Certificate with Custom Signing Certificate and Replace All Certificates Replace Machine SSL Certificate with VMCA Certificate (multi-node enhanced linked mode deployment) Replace Solution User Certificate with VMCA Certificate (multi-node enhanced linked mode deployment) https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-authentication/GUID-4469A6D3-048A-471C-9CB4-518A15EA2AC0.html#making-vmca-an-intermediate-certificate-authority-1
upvoted 9 times
...
ad9eb84
Most Recent 3 weeks, 3 days ago
Selected Answer: BDE
My opinion and confirmed via Copilot.
upvoted 1 times
...
clarbog
2 months, 2 weeks ago
Selected Answer: BDE
All certificates should use certificates trusted by the Enterprise Certificate Authority (CA). Plain and simple certificates form VMCA are not created by CA. B, D, E..
upvoted 1 times
...
pazzi76
5 months ago
Selected Answer: BDE
Gemini AI says: In essence: Replacing the VMCA root certificate (D) changes who issues certificates going forward. Options B and E ensure that existing certificates are replaced with new ones issued by the correctly configured VMCA.
upvoted 1 times
...
NahIgotPride
9 months, 3 weeks ago
Selected Answer: CDF
https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.psc.doc/GUID-7F63F6D3-67E5-4C8B-B5EF-5C67F71E82B4.html
upvoted 1 times
...
Rospi
10 months, 3 weeks ago
Today I took the exam and I got the following variant to this question: An administrator is tasked with configuring certificates for a VMware software-defined data center (SDDC) based on the following new corporate security policy: - All solutions must only use certificates signed by the Enterprise Certificate Authority (CA). - No intermediate CAs are allowed in the certificate chain. Which two actions should the administrator take to ensure the solution meets corporate policy? (Choose two.) A. Replace the solution user certificates with trusted certificates generated from the VMware Certificate Authority (VMCA). B. Replace the solution user certificates with custom certificates generated from the Enterprise CA. C. Replace the machine SSL certificates with trusted certificates generated from the VMware Certificate Authority (VMCA). D. Replace the VMware Certificate Authority (VMCA) certificate with a custom certificate generated from the Enterprise CA. E. Replace the machine SSL certificates with custom certificates generated from the Enterprise CA.
upvoted 2 times
amorcle
9 months, 2 weeks ago
B and E because No intermediate CAs are allowed in the certificate chain.
upvoted 1 times
...
nocenta
9 months, 2 weeks ago
Confirmed, I took the exam recently and there are 5 options, the ones Rospi wrote, and two answers to give
upvoted 1 times
...
...
Rospi
10 months, 3 weeks ago
An administrator is tasked with configuring certificates for a VMware software-defined data center (SDDC) based on the following new corporate security policy: - All solutions must only use certificates signed by the Enterprise Certificate Authority (CA). - No intermediate CAs are allowed in the certificate chain. Which two actions should the administrator take to ensure the solution meets corporate policy? (Choose two.) A. Replace the solution user certificates with trusted certificates generated from the VMware Certificate Authority (VMCA). B. Replace the solution user certificates with custom certificates generated from the Enterprise CA. C. Replace the machine SSL certificates with trusted certificates generated from the VMware Certificate Authority (VMCA). D. Replace the VMware Certificate Authority (VMCA) certificate with a custom certificate generated from the Enterprise CA. E. Replace the machine SSL certificates with custom certificates generated from the Enterprise CA.
upvoted 1 times
...
Rospi
10 months, 3 weeks ago
A. Replace the solution user certificates with trusted certificates generated from the VMware Certificate Authority (VMCA). B. Replace the solution user certificates with custom certificates generated from the Enterprise CA. C. Replace the machine SSL certificates with trusted certificates generated from the VMware Certificate Authority (VMCA). D. Replace the VMware Certificate Authority (VMCA) certificate with a custom certificate generated from the Enterprise CA. E. Replace the machine SSL certificates with custom certificates generated from the Enterprise CA.
upvoted 1 times
...
Rospi
10 months, 3 weeks ago
today I took the exam and I got the following variant to this question:
upvoted 1 times
...
Rospi
11 months ago
Selected Answer: BDE
Selected this based on these are the only options using the External Enterprise CA.
upvoted 2 times
...
HenryDCase
1 year, 1 month ago
Selected Answer: BDE
This one line gives you the answer: All certificates should use certificates trusted by the Enterprise Certificate Authority (CA).
upvoted 5 times
...
DCT
1 year, 2 months ago
Selected Answer: ACF
Hybird mode should be only replace machine SSL signed by Enterprise CA. The rest still handling by VMCA.
upvoted 1 times
...
MalGil
1 year, 2 months ago
Selected Answer: BDE
Selected this based on these are the only options using the External Enterprise CA.
upvoted 3 times
...
elekgeek
1 year, 6 months ago
CDF is the correct thing to do after all. Looking at this article: https://openssl-ca.readthedocs.io/en/latest/create-the-intermediate-pair.html it is possible to create intermediate certificate that can sign certificates on behalf of the root CA. This vmware article makes it possible https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-authentication/GUID-5FE583A2-3737-4B62-A905-5BB38D479AE0.html#GUID-5FE583A2-3737-4B62-A905-5BB38D479AE0
upvoted 2 times
...
vaaws
1 year, 8 months ago
BDF(Hybrid Approach) https://core.vmware.com/resource/vsphere-certificate-management#section2
upvoted 2 times
...
fabianovidalrocha
1 year, 8 months ago
I had a question like this, but with two options.
upvoted 2 times
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel