5.7
VMware vCenter Configuration Manager Security Guide
Create the Enterprise Certificate and First Collector Certificate
In this process, the Enterprise and first Collector systems are the same machine. See "Makecert Options" on
page 72 for details about the command-line switches used here.
1. Type the following command to create the CM Enterprise certificate:
makecert -pe -n "<enterprise-cert-name>" -ss Root -sr LocalMachine -r -sky exchange -sk "<enterprise-key-name>" -b mm/dd/yyyy -e mm/dd/yyyy -len 1024 -h 2 -cy authority -eku 1.3.6.1.5.5.7.3.1 <filename[.cer | .pem]>
Example
makecert -pe -n "CN = CM Enterprise Certificate AAAAAA" -ss Root -sr LocalMachine -r -sky exchange -sk "CM Enterprise Certificate AAAAAA" -len 1024 -h 2 -cy authority -eku 1.3.6.1.5.5.7.3.1
NOTE VCM programmatically embeds a long GUID, represented here by AAAAAA or BBBBBB, in the
Common Name to ensure that the name is unique. In the manual process you do not need a long
GUID; any unique identifier is sufficient.
2. Type the following command to create the first Collector certificate, signed by the Enterprise
certificate.
makecert -pe -n "<collector-cert-name>" -ss My -sr LocalMachine -sky exchange -sk "<collector-cert-name>" -b mm/dd/yyyy -e mm/dd/yyyy -len 1024 -in "<Enterprise_cert_common_name>" -is Root -ir LocalMachine -cy authority <collector-cert-name.[cer|pem]>
When the Enterprise machine is separate, and the Enterprise certificate is not stored with its private key on
the Collector, follow the steps for creating an additional Collector, but use them to create the first
Collector. See "Create Certificates for Additional Collectors" on page 71.
Create Certificates for Additional Collectors
If you need additional Collectors, or if the first Collector is a different machine from the Enterprise system,
create additional Collector certificates signed by the Enterprise certificate. This process is supported even if
the original certificates were generated by the VCM Installation Manager.
Follow these steps on the Enterprise machine, because you must access the private key for the Enterprise
certificate. You are creating an installable file that includes the new Collector private key, without storing
that key on the Enterprise machine. See "Makecert Options" on page 72 for details about the command-line
switches used here.
1. Type the following command:
makecert -pe -n "<collector-cert-name>" -sky exchange -sv "<collector-cert-key-file>" -b mm/dd/yyyy -e mm/dd/yyyy -len 1024 -in "<Enterprise_cert_common_name>" -is Root -ir LocalMachine -cy authority -eku 1.3.6.1.5.5.7.3.1 "<collector-cert-name.[pem|cer]>"
Example
makecert -pe -n "CN=CM Collector Certificate BBBBBB" -sky exchange -sv "CM Collector BBBBBB.pvk" -b 04/07/2008 -e 04/07/2018 -len 1024 -in "CM Enterprise Certificate AAAAAA" -is Root -ir LocalMachine -cy authority -eku 1.3.6.1.5.5.7.3.1 "CM Collector BBBBBB.pem"
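The two procedures above (the first Collector on the Enterprise machine, and an additional Collector whose private key leaves the Enterprise machine in an installable file) as one added PowerShell example. This is not code from the VCM guide: it swaps the deprecated makecert tool for the built-in New-SelfSignedCertificate cmdlet (Windows Server 2016 / Windows 10 and later) and rebuilds the same hierarchy, a self-signed Enterprise certificate marked as a certificate authority with the serverAuth EKU, then a Collector certificate signed by it and exported together with its private key. The certificate names, the unique suffix, the validity period, the file paths under $env:TEMP and the final chain check are all assumptions; the key length is 2048 rather than the 1024 in the makecert lines, because 1024-bit RSA is no longer accepted by current Windows and browser policy.

```powershell
# Added example, not from the VCM guide: the Enterprise -> Collector hierarchy built with
# New-SelfSignedCertificate instead of makecert. Run in an elevated PowerShell session
# on the Enterprise machine (LocalMachine stores need administrator rights).
# All names, dates and file paths below are assumptions; adjust them for your site.

# Unique tag in the Common Name, playing the role of the AAAAAA/BBBBBB placeholders.
$suffix         = [guid]::NewGuid().ToString('N').Substring(0, 12)
$enterpriseName = "CM Enterprise Certificate $suffix"
$collectorName  = "CM Collector Certificate $suffix"
$notAfter       = (Get-Date).AddYears(10)      # same ten-year validity as the guide's example

# 1. Enterprise certificate: self-signed, CA=true (makecert -cy authority) with the
#    serverAuth EKU (makecert -eku 1.3.6.1.5.5.7.3.1). The cmdlet can only create into a
#    "My" store, so the private key lives in LocalMachine\My; 2048-bit RSA, not 1024.
$enterprise = New-SelfSignedCertificate `
    -Type Custom `
    -Subject "CN=$enterpriseName" `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeySpec Signature -KeyUsage CertSign, CRLSign, DigitalSignature `
    -KeyExportPolicy Exportable `
    -TextExtension @('2.5.29.19={critical}{text}ca=true', '2.5.29.37={text}1.3.6.1.5.5.7.3.1') `
    -NotAfter $notAfter

# Publish the public half into Trusted Root (the effect of makecert -ss Root -sr LocalMachine)
# so that Collector certificates chain to it. The private key stays in LocalMachine\My.
$rootCer = Join-Path $env:TEMP "$enterpriseName.cer"
Export-Certificate -Cert $enterprise -FilePath $rootCer | Out-Null
Import-Certificate -FilePath $rootCer -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 2. Collector certificate signed by the Enterprise certificate (makecert -in/-is/-ir),
#    with a key-exchange key (makecert -sky exchange) and the serverAuth EKU.
$collector = New-SelfSignedCertificate `
    -Type Custom `
    -Subject "CN=$collectorName" `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeySpec KeyExchange -KeyUsage DigitalSignature, KeyEncipherment `
    -KeyExportPolicy Exportable `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1') `
    -Signer $enterprise `
    -NotAfter $notAfter

# 3. Check before use: the Collector certificate must chain to the Enterprise root.
#    Revocation checking is off because this private hierarchy publishes no CRL.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if (-not $chain.Build($collector)) {
    throw "Collector certificate does not chain to '$enterpriseName': $($chain.ChainStatus.StatusInformation)"
}

# 4. Installable file for a Collector on another machine: a password-protected PFX
#    (the role played by the .pvk/.pem pair that makecert -sv produces).
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password for the Collector PFX'
$pfxPath     = Join-Path $env:TEMP "$collectorName.pfx"
Export-PfxCertificate -Cert $collector -FilePath $pfxPath -Password $pfxPassword | Out-Null

# 5. When the Collector is a different machine, the Enterprise machine must not keep the
#    Collector private key: delete it here and import the PFX on the Collector instead.
Remove-Item -Path ("Cert:\LocalMachine\My\" + $collector.Thumbprint) -DeleteKey

"Enterprise thumbprint: $($enterprise.Thumbprint)"   # SHA-1 thumbprint as shown in the Windows stores
"Collector thumbprint:  $($collector.Thumbprint)"
"Collector PFX:         $pfxPath"
```

For the first-Collector case, where Enterprise and Collector are the same machine, skip step 5 and leave the Collector certificate in LocalMachine\My; the exported PFX is then only a backup. The chain check in step 3 is the part worth keeping in any variant of this procedure: a Collector certificate whose issuer name does not exactly match the Enterprise certificate's subject, or whose root is missing from the Trusted Root store, fails here instead of failing later during the TLS handshake.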
Authentication
VMware, Inc.
71