5.6
2. Type the following command to convert the x509 certificate file to a file-based certificate store in the
named SPC file.
cert2spc <collector-cert-name>.cer <collector-cert-name>.spc
Example
cert2spc "Collector Certificate BBBBBB.cer" "Collector Certificate BBBBBB.spc"
3. Type the following command to export the file-based certificate store that contains the certificate,
together with the private key in the key file, to a PFX file.
pvkimprt -pfx <collector-cert-name>.spc <collector-cert-key-file>
This launches the Certificate Export Wizard. Select Yes, and export the private key. Keep the PFX
format. Clear all of the check boxes. Optionally, choose a password for secure transport of the file
(recommended).
Example
pvkimprt -pfx "CM Collector Certificate BBBBBB.spc" "CM Collector Certificate BBBBBB.pvk"
4. Remove your temporary files, especially the key file.
5. Move the PFX file containing the new Collector certificate and the Enterprise certificate export file to
the new Collector machine.
The Enterprise certificate file is located in the CollectorData folder of the initial Collector, typically
C:\Program Files\VMware\VCM\CollectorData, or you can export it from the local machine
trusted root system store. The export file has a .pem extension.
NOTE An alternative way to make a certificate for an additional Collector is to generate a key pair and
certificate request on the additional Collector machine, and move only the certificate request.
Importing Certificates for Additional Collectors
After you create certificates for an additional Collector, import them to the additional Collector before you
install VCM. See "Import a Certificate on Windows" on page 69.
- Import the Enterprise certificate to the local machine trusted root store on the additional Collector.
- Import the Collector certificate to the local machine personal store on the additional Collector.
IMPORTANT If you are replacing certificates, also import the Enterprise certificate to the Agent certificate
stores on managed machines. See "Delivering Initial Certificates to Agents" on page 66.
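One way to confirm the two imports above before installing VCM, as an added PowerShell example that is not part of the VMware guide. It looks up both certificates by operator-supplied thumbprints, checks that the Collector certificate has its private key and is within its validity period, and, on the assumption that the Collector certificate chains to the Enterprise certificate, checks that the chain ends at it.

```powershell
# Added example: verify certificate placement on an additional Collector before installing VCM.
# Both thumbprints are supplied by the operator; this is not VCM's own tooling.
param(
    [Parameter(Mandatory = $true)][string]$EnterpriseThumbprint,
    [Parameter(Mandatory = $true)][string]$CollectorThumbprint
)

function ConvertTo-Thumbprint([string]$Text) {
    # Drop spaces and invisible characters that come along when copying from the certificate dialog.
    ($Text -replace '[^0-9A-Fa-f]', '').ToUpper()
}

function Find-Certificate([string]$StorePath, [string]$Thumbprint) {
    Get-ChildItem -Path $StorePath |
        Where-Object { $_.Thumbprint -eq $Thumbprint } |
        Select-Object -First 1
}

# Enterprise certificate: local machine trusted root store. Collector certificate: local machine personal store.
$ent = Find-Certificate 'Cert:\LocalMachine\Root' (ConvertTo-Thumbprint $EnterpriseThumbprint)
$col = Find-Certificate 'Cert:\LocalMachine\My'   (ConvertTo-Thumbprint $CollectorThumbprint)

# Assumption: the Collector certificate chains to the Enterprise certificate.
$chainsToEnterprise = $false
if ($ent -and $col) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # revocation is outside the scope of this check
    if ($chain.Build($col)) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $chainsToEnterprise = ($root.Thumbprint -eq $ent.Thumbprint)
    }
}

$now = Get-Date
$hasKey = [bool]($col -and $col.HasPrivateKey)
$inDate = [bool]($col -and $col.NotBefore -le $now -and $col.NotAfter -gt $now)
$report = @(
    New-Object psobject -Property @{ Check = 'Enterprise certificate in LocalMachine\Root'; Passed = [bool]$ent }
    New-Object psobject -Property @{ Check = 'Collector certificate in LocalMachine\My';    Passed = [bool]$col }
    New-Object psobject -Property @{ Check = 'Collector certificate has a private key';     Passed = $hasKey }
    New-Object psobject -Property @{ Check = 'Collector certificate is within validity';    Passed = $inDate }
    New-Object psobject -Property @{ Check = 'Chain ends at the Enterprise certificate';    Passed = $chainsToEnterprise }
)

$report | Select-Object Check, Passed | Format-Table -AutoSize
# A non-zero exit code lets a wrapper script stop before the VCM installer is started.
if ($report | Where-Object { -not $_.Passed }) { exit 1 }
```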
Makecert Options
When you use Makecert commands, you can use options to control what the utility produces.
NOTE VCM programmatically uses a long GUID, represented by AAAAAA or BBBBBB, to ensure that a
name is unique. In a manual process you do not need a long GUID. Any unique identifier is
sufficient.
VCM Security Guide
72
VMware, Inc.