Installation guide
This renewal process only works for Collector certificates stored in the Agent certificate store. For mutual
authentication in the other direction, there is no automated renewal of Agent certificates stored in the
Collector certificate store.
Replacing Certificates
The only way to ensure the authenticity of a new root or trusted certificate is to receive it from a secure
and trusted source. During installation, VCM Installation Manager handles Enterprise and Collector
certificate installation and management.
Later, at VCM Agent installation, the Agent is configured to properly trust the Enterprise and Collector
certificates. If the Enterprise and Collector certificates were updated with new expiration times, the
updates are added to the Agents' certificate stores as described in "Renewing Certificates" on page 64.
The following circumstances require that you replace Enterprise and Collector certificates:
• Compromised private keys
• Security policies that govern the lifetime of keys
• Company or department changes that result in merging VCM environments
• Product evaluations that previously used VCM-generated certificates that are moved into production
without reinstallation
Replace the Enterprise and Collector Certificates
After VCM installation, you can replace the certificates generated or selected during installation. To replace
both the Enterprise and Collector certificates, follow these steps.
1. Create or obtain a new Enterprise certificate.
To create an Enterprise certificate using the Makecert certificate creation tool, see "Create the
Enterprise Certificate and First Collector Certificate" on page 71.
2. Create or obtain a new Collector certificate that is signed by the new Enterprise certificate.
To create a Collector certificate using the Makecert certificate creation tool, see "Create the Enterprise
Certificate and First Collector Certificate" on page 71.
3. Import the new Enterprise certificate to the local computer trusted root store on the VCM Collector.
See "Import a Certificate on Windows" on page 69.
4. Import the Collector certificate and the private key to the personal store on the VCM Collector.
See "Import a Certificate on Windows" on page 69.
5. Update the Collector certificate thumbprint in the VCM Collector database.
See "Update the Collector Certificate Thumbprint in the VCM Database" on page 74.
6. Restart the Collector service.
7. Import the Enterprise certificate to the trusted root store on managed machines.
See "Import a Certificate on Windows" on page 69.
To place the new Enterprise certificate onto a Windows managed machine, you can install the VCM
Agent with the Enable HTTP option selected, or change the protocol to DCOM and back to HTTP if the
Collector can communicate with Agents using DCOM.
For UNIX Agents, copy the certificates to the VCM Agent certificate store.
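The seven steps above, carried out on the Collector with the PKI cmdlets that ship with Windows Server 2016 and later, as an added example that is not part of this guide. The guide's own procedure creates the certificates with Makecert; New-SelfSignedCertificate is substituted here. The certificate subjects, the export directory, the validity periods and the Collector service name are assumptions (the service name is a placeholder to be replaced with the real one), and the database update in step 5 is left to the documented procedure, so the script only reports the thumbprint that procedure needs. Before the database is touched, the script checks that the new Collector certificate chains to the new Enterprise certificate and to nothing else, which is the condition step 2 requires.

```powershell
# Added example, not VMware code. Replaces the VCM Enterprise and Collector
# certificates on the Collector. Run in an elevated PowerShell session.
# Assumptions: subjects, paths, lifetimes and the service name below.
$ErrorActionPreference = 'Stop'
$EnterpriseSubject = 'CN=VCM Enterprise Certificate (example)'   # assumption
$CollectorSubject  = "CN=$env:COMPUTERNAME"                       # assumption: Collector cert named after the host
$CollectorService  = 'COLLECTOR_SERVICE_NAME_PLACEHOLDER'         # placeholder: the real VCM Collector service name
$ExportDir         = 'C:\VCMCerts'                                # assumption
$PfxPassword       = Read-Host -Prompt 'PFX password for the new Collector key' -AsSecureString

New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null

# Step 1: new Enterprise certificate. It is created in the personal store so that
# its private key is available to sign the Collector certificate in step 2.
$enterprise = New-SelfSignedCertificate `
    -Subject $EnterpriseSubject `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyUsage CertSign, CRLSign, DigitalSignature `
    -KeyExportPolicy Exportable `
    -KeyLength 2048 -HashAlgorithm SHA256 `
    -TextExtension @('2.5.29.19={critical}{text}ca=true&pathlength=1') `
    -NotAfter (Get-Date).AddYears(10)                              # assumption: 10-year root lifetime

# Step 2: new Collector certificate signed by the new Enterprise certificate.
$collector = New-SelfSignedCertificate `
    -Subject $CollectorSubject `
    -Signer $enterprise `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -KeyExportPolicy Exportable `
    -KeyLength 2048 -HashAlgorithm SHA256 `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2') `
    -NotAfter (Get-Date).AddYears(2)                               # assumption: 2-year Collector lifetime

# Step 3: only the public part of the Enterprise certificate goes into the
# trusted root store. The .cer file is also what managed machines receive in step 7.
$rootCer = Join-Path $ExportDir 'VCM-Enterprise.cer'
Export-Certificate -Cert $enterprise -FilePath $rootCer | Out-Null
Import-Certificate -FilePath $rootCer -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# Step 4: the Collector certificate and its private key already sit in the
# personal store because they were created there. Export a PFX so the same
# certificate and key can be restored through the documented import procedure.
$collectorPfx = Join-Path $ExportDir 'VCM-Collector.pfx'
Export-PfxCertificate -Cert $collector -FilePath $collectorPfx -Password $PfxPassword | Out-Null

# Check before touching the database: the Collector certificate must build a
# chain, and the root of that chain must be the new Enterprise certificate.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # a freshly created root has no CRL
if (-not $chain.Build($collector)) {
    $status = ($chain.ChainStatus | ForEach-Object Status) -join ', '
    throw "Collector certificate does not chain to a trusted root: $status"
}
$chainRoot = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($chainRoot.Thumbprint -ne $enterprise.Thumbprint) {
    throw "Collector certificate chains to '$($chainRoot.Subject)', not to the new Enterprise certificate"
}

# Step 5: record this thumbprint in the VCM database by following "Update the
# Collector Certificate Thumbprint in the VCM Database".
Write-Host "New Collector certificate thumbprint: $($collector.Thumbprint)"

# Step 6: restart the Collector service so it loads the new certificate.
Restart-Service -Name $CollectorService

# Step 7: distribute the Enterprise certificate to managed machines (trusted root
# store on Windows, Agent certificate store on UNIX).
Write-Host "Distribute $rootCer to managed machines"
```

The chain check is the part worth keeping even if the certificates come from an external CA instead of being generated here: an old Enterprise certificate that is still in the trusted root store lets a Collector certificate chain successfully to the wrong root, and comparing the chain's root thumbprint against the intended Enterprise certificate catches that before the database and the Agents are updated.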
Authentication
VMware, Inc.
65