Installation guide
Certificate Expiration and Revocation
Because keys can be compromised and circumstances can change, keys and certificates are not designed
for indefinite use. Certificates are created for a finite period of validity, before and after which they must
not be used or trusted. If a certificate expires without being renewed or replaced, it cannot be used to
establish a TLS session.
You can revoke a certificate to withdraw trust in it before it expires. The issuing authority might
publish a certificate revocation list (CRL) so that consumers can perform this additional check on the
certificates it has issued. Do not trust a certificate that appears in the revocation list.
To view VCM certificates in the VCM user interface, click Administration, and select Certificates. The data
grid displays your certificates and related information, including expiration dates.
For information on how to renew or replace your certificates, see "Changing Certificates" on page 64.
NOTE VCM supports certificate expiration but not revocation lists. To effectively revoke certificates,
remove them from certificate stores.
Certificate Standards
Certificates are defined by the X.509 RFC standard, which specifies standard fields and capabilities.
Certificate creators can add extension fields, each marked either critical or noncritical. These fields are a
contract between the creator and the consumer. Because custom fields are implementation-specific, an
application might encounter a certificate with fields that it does not understand. The application is
obligated to fail validation on a certificate that carries a critical field it does not understand; it may ignore
noncritical fields it does not understand.
One common noncritical extension is Enhanced Key Usage. This field specifies the valid uses for the
certificate. Uses might include server authentication, client authentication, code signing, or certificate
signing.
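The following Go program is an added example, not VCM code and not part of this guide, showing how a certificate consumer applies the rules from the two sections above: reject a certificate outside its validity period, reject one carrying a critical extension the consumer does not understand, reject one listed in the issuer's signed CRL, and only then build the chain and check the Enhanced Key Usage. It uses only Go's standard crypto/x509 package (Go 1.19 or later). The issuing CA, the collector certificate names, the fixed clock and the private-arc OID 1.3.6.1.4.1.99999.1 are all constructed for the example; the OID stands in for any custom critical extension and is not a registered one. Note that VCM itself, per the note above, enforces expiration but does not consult revocation lists; the CRL step here shows what a CRL-aware validator does.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Fixed clock so the scenario is reproducible (constructed value, not the real time).
var now = time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC)

// Made-up private-arc OID standing in for a custom extension this consumer has never seen (assumption).
var hypotheticalOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// leaf issues a server-authentication certificate from ca, valid for the 48 hours ending at notAfter.
// With unknownCritical set it also carries a critical extension that no consumer can interpret.
func leaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, notAfter time.Time, unknownCritical bool) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "collector.example.test"},
		NotBefore: notAfter.Add(-48 * time.Hour), NotAfter: notAfter,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, // Enhanced Key Usage
	}
	if unknownCritical { // payload is a DER NULL; its meaning is irrelevant, the critical flag is what matters
		tmpl.ExtraExtensions = []pkix.Extension{{Id: hypotheticalOID, Critical: true, Value: []byte{0x05, 0x00}}}
	}
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey))
	return must(x509.ParseCertificate(der))
}

// validate applies the rules from the text in order: validity period, critical extensions the consumer
// does not understand, the issuer's revocation list, then chain building with the required EKU.
func validate(cert, ca *x509.Certificate, crl *x509.RevocationList) string {
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return "rejected: outside validity period"
	}
	if len(cert.UnhandledCriticalExtensions) > 0 {
		return "rejected: unrecognised critical extension " + cert.UnhandledCriticalExtensions[0].String()
	}
	// A CRL is only evidence if the issuer actually signed it and it is still current.
	if err := crl.CheckSignatureFrom(ca); err != nil || now.After(crl.NextUpdate) {
		return "rejected: revocation list is not trustworthy"
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return "rejected: listed in the issuer's CRL"
		}
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}); err != nil {
		return "rejected: " + err.Error()
	}
	return "ok"
}

// runScenario builds one self-signed CA, four leaf certificates and a CRL, and returns each leaf's verdict.
func runScenario() map[string]string {
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Issuing CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	good := leaf(ca, caKey, 100, now.Add(24*time.Hour), false)
	expired := leaf(ca, caKey, 101, now.Add(-24*time.Hour), false)
	critical := leaf(ca, caKey, 102, now.Add(24*time.Hour), true)
	revoked := leaf(ca, caKey, 103, now.Add(24*time.Hour), false)
	// The issuer withdraws trust in serial 103 long before it expires.
	crlDER := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked.SerialNumber, RevocationTime: now.Add(-time.Minute)}},
	}, ca, caKey))
	crl := must(x509.ParseRevocationList(crlDER))
	return map[string]string{
		"good": validate(good, ca, crl), "expired": validate(expired, ca, crl),
		"critical": validate(critical, ca, crl), "revoked": validate(revoked, ca, crl),
	}
}

func main() { fmt.Println(runScenario()) }
```

The order of the checks matters: the cheap local rules (dates, unknown critical extensions) run before anything that depends on external data, and the CRL is itself validated against the issuer before its contents are believed, so a stale or unsigned list cannot be used to clear a certificate the issuer has withdrawn.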
Certificate Storage
In Microsoft systems, certificates are physically kept in files, the Windows Registry, memory, Active
Directory, or other locations. Taken together, a collection of physical stores that share common properties
is known as a logical store. For purposes of this guide, any discussion of certificate stores is assumed to
mean logical stores unless stated otherwise. For a description of the logical system of stores provided by
Microsoft, see the Microsoft TechNet Web site.
On UNIX systems, Collector certificates for server authentication, and Agent certificates and Agent private
keys for mutual authentication, are stored in a proprietary protected store. Although the store is not
encrypted, it is protected from simple viewing. Use the CSI_ManageCertificateStore utility and the
associated help provided with your VCM UNIX Agent installation package to view or manage the UNIX
Agent certificate store. For more information, see the VCM Administration Guide.
How VCM Uses Certificates
Authentication between Collector and Agent is more automatic and secure by default as of VCM Version
5.5. You no longer need to manually configure the VCM security environment for mutual authentication
to work. That is, you no longer need to manually create and issue certificates for use on Agents, which was
the case in previous releases.
NOTE If you have an existing PKI in your enterprise, VCM can be configured to use it. Contact VMware
Technical Support for assistance in having Collectors and Agents use an existing PKI.
The following certificates enable Collector-Agent communication in VCM:
Authentication
VMware, Inc.
59