Installation guide

- Collector certificate: local machine personal system store
- Enterprise certificate: local machine trusted root system store
The private key of the Enterprise certificate does not need to be stored on the Collector.
To create your own certificates in advance of VCM installation, see "Collector Certificate" on page 61 for
requirements, or see "Creating Certificates Using Makecert" on page 70 to create certificates without full
PKI support.
If circumstances change after VCM installation, you can replace the certificates that you generated or
selected during install. See "Changing Certificates" on page 64.
Certificates for Additional Collectors
To ensure seamless operation across Agents and Collectors, all Collector certificates in the VCM
environment must be issued by the same Enterprise certificate. The option to generate certificates during
installation creates the correct Collector-Enterprise relationship only the first time you use it, on the first
Collector; using it again on later Collectors does not.
Rather than choosing to generate certificates a second time, sign certificates with the first generated VCM
certificate, making that your Enterprise certificate, and manually add the signed certificates to subsequent
Collectors before you install VCM. Each Collector needs its own Collector certificate, and access to the
Enterprise certificate that issued it.
If every Agent is contacted by only a single Collector, a single trust hierarchy under one overall
Enterprise certificate is not necessary. If, however, you plan to have shared Collectors communicate with
the same Agent, you cannot generate certificates during each Collector installation throughout your
security environment.
Changing Certificates
Certificates always have an expiration date, after which they are not valid. The validity period for a
certificate is a matter of policy and ranges from minutes to decades. In the case of expiring certificates, you
can either renew or replace certificates.
Renewing Certificates
When you renew a certificate, you extend the validity period for the certificate and use the same key pair,
issuer, and identifying information. Whatever mechanism was used to create the VCM certificates can be
used to renew them.
You can renew a certificate by updating the expiration date. When you update the expiration date, a new
certificate is issued with the same public key and identifying information as the old certificate. Because the
only change is the validity period, it is safe to accept the new certificate at the same level of trust as the old
one. Both certificates are valid for the same purposes, and both are usable during their validity periods.
When the Collector initiates communication with the Agent, it reveals the certification path from the
Collector certificate back to its trusted root, typically the Enterprise certificate, to the Agent. For each
certificate in the path, the Agent checks to see if it has a matching certificate in the local machine personal
or root stores. If it finds a match in either location and the "new" certificates have different dates, the Agent
installs the new certificates, and the current trust level is preserved.
No certificate is added to the trusted store unless an equivalent certificate is already present. The old
certificates are not removed.
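The following PowerShell function is an added example, not part of the VCM Security Guide or the VCM product. Before rolling out renewed certificates, it previews how the Agent's rule above would treat each certificate in the renewed chain by checking the local machine personal and trusted root stores for an equivalent certificate (assumed here to mean same subject, issuer and public key) and comparing validity dates. The .cer file paths and the function name are assumptions.

```powershell
# Added example (not from the VCM Security Guide): preview the Agent's renewal rule for a chain of
# renewed certificates. Assumed input: .cer files exported from the renewed Collector and Enterprise
# certificates, listed leaf to root.
function Test-VcmRenewalChain {
    param(
        [Parameter(Mandatory)] [string[]] $CertificatePath
    )
    # The Agent consults both the personal (My) and trusted root stores of the local machine.
    $installed = @(Get-ChildItem -Path Cert:\LocalMachine\My, Cert:\LocalMachine\Root)

    foreach ($path in $CertificatePath) {
        $new = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $path

        # "Equivalent" is assumed to mean the same public key and identifying information
        # (subject and issuer), as described for a renewed certificate.
        $match = $installed | Where-Object {
            $_.Subject -eq $new.Subject -and
            $_.Issuer  -eq $new.Issuer  -and
            $_.GetPublicKeyString() -eq $new.GetPublicKeyString()
        } | Select-Object -First 1

        if (-not $match) {
            $verdict = 'REJECTED: no equivalent certificate in My or Root; the Agent would not add it'
        } elseif ($match.Thumbprint -eq $new.Thumbprint) {
            $verdict = 'UNCHANGED: this exact certificate is already installed'
        } elseif ($match.NotAfter -ne $new.NotAfter -or $match.NotBefore -ne $new.NotBefore) {
            $verdict = 'ACCEPTED: same key and identity, new validity period; installed at the existing trust level'
        } else {
            $verdict = 'SUSPECT: same key and identity but the dates did not change; not a renewal'
        }

        [pscustomobject]@{
            Subject    = $new.Subject
            Thumbprint = $new.Thumbprint
            NotAfter   = $new.NotAfter
            Verdict    = $verdict
        }
    }
}

# Usage (assumed file names): run on the Collector before distributing the renewed chain.
Test-VcmRenewalChain -CertificatePath '.\collector-renewed.cer', '.\enterprise-renewed.cer' | Format-List
```

Run it on a machine that already holds the current certificates; a REJECTED verdict means the renewed certificate is not a pure renewal and must be handled as a replacement instead.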
VCM Security Guide
64
VMware, Inc.