VMware VCENTER APPLICATION DISCOVERY MANAGER 6.1.1 Administration Manual page 31

To create a certificate
1 To generate the Rivest, Shamir, and Adleman (RSA) key type:
cd /etc/httpd/conf/ssl.prm/
openssl genrsa 2048 > server.key
chmod 400 server.key
The openSSL utility can generate a Digital Signature Algorithm (DSA) key by using the gendsa option.
For compatibility, VMware recommends RSA keys by using 2048‐bits as the key size.
2 Create the certificate by typing:
openssl req -new -x509 -nodes -sha1 -days 365 -key server.key > server.crt
The -new, -x509, and -nodes arguments are required to create an unencrypted certificate. The -days
argument specifies the length of time the certificate is valid.
For encrypted certificates, every time you are required to type the password until the key is loaded.
N In most cases, encrypted certificates are not worth the operational burden, as each process restart
OTE
or system restart requires you to manually type a password.
You can ask questions to complete X.509 attributes certificate. Adjust the answers to your local settings. If
frequently typed, you can update the system openssl.cnf file (in the /usr/share/ssl/ directory) with the
correct defaults.
Table 4‐1 lists X.509 attribute sample prompts and answers.
Table 4-1. X.509 Sample Prompts and Answers
Prompt
Country name (2 letter code) [AU]:
State or province name (full name) [Some‐State]:
Locality name (eg, city) [ ]:
Organization name (for example, company) [Internet Widgits Pty Ltd]:
Organizational unit name (for example, section) [ ]:
Common name (for example, YOUR name) [ ]:
E‐mail address [ ]:
For web services, the common name field must exactly match the hostname (or VIP name, for hosts associated
with a load balancer) of the system certificate is used on; otherwise, a certificate to hostname mismatch can
occur. In peer‐to‐peer setups for AS2, this field can usually be set to a descriptive string.
The certificate data in the server.crt file must be transferred to all client systems that need to verify the key
of the server to which it is connected. If this method does not scale, setup a CA, and distribute the signing
certificate to the clients instead of each self‐signed certificate. Optionally, you can extract the metadata.
Copying the .key and .crt Files
Type the following commands to copy the .key and .crt files:
cp server.crt /etc/httpd/conf/ssl.crt
cp server.key /etc/httpd/conf/ssl.key
To make the certificate effective, restart the Apache service by typing
adm_control.pl --restart apache
VMware, Inc.
Chapter 4 Securing ADM
Answer
US
Massachusetts
Boston
YourCompanyOrg
‐
hostname.domain
postmaster@yourcompany.org
31