The Collector Certificate; Agent Certificates - VMware VCM 5.3 - TRANSPORT LAYER SECURITY IMPLEMENTATION Manual

vCenter Configuration Manager Transport Layer Security Implementation
The Collector Certificate

The Collector Certificate is issued by the Enterprise Certificate, and must be usable for Server Authentication and,
optionally, certificate signing (also known as "issuing"). Server Authentication is required to establish a TLS
connection with an Agent. Certificate signing is required to issue Agent Certificates for Mutual Authentication. It is
technically possible to split these functions between two certificates or two Collectors.
The Collector Certificate is used to initiate and secure a TLS communication channel with an HTTP Agent. The Agent
must be able to establish that the Collector Certificate can be trusted. That means that the Collector Certificate is valid
and the certification path starting with the Collector Certificate must end in a trusted certificate. By design, the
Enterprise Certificate will be installed in the Agent's trusted store, and the chain will end with the Enterprise
Certificate.
The Collector Certificate may also be used to issue Agent Certificates. As long as all Collector Certificates are issued
by the same Enterprise Certificate, any Agent Certificate may be issued by any Collector Certificate, and all
Collectors will be able to trust all Agents. Similarly, all Agents will be able to validate all Collector Certificates.
The Collector Certificate and associated private key must be available to the Collector. This certificate will be stored in
the (local machine) personal system store. Collector Certificates in VCM must adhere to the following requirements:
- Must be located in the local machine personal certificate store of the Collector.
- Must be valid for Server Authentication (OID: 1.3.6.1.5.5.7.3.1).
- If the Collector certificate will be used to issue Agent certificates for mutual authentication:
  - If the key usage extension is present, it must include certificate signing.
  - Must be an authority rather than an end certificate.
  - If the path length is set on the basic constraints, it must be greater than or equal to 1.
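The requirements above translate directly into X.509 extension checks. The following Go program is an added example, not VCM code or a VMware tool: it inspects a parsed certificate for the Server Authentication EKU, the certificate-signing key usage (only if the key usage extension is present), the CA flag, and a path length of at least 1, so a certificate can be vetted before it is placed in the Collector's local machine personal store. The function names and the PEM input are the example's own assumptions.

```go
package main

import (
	"crypto/x509"
	"encoding/pem"
	"errors"
)

// CheckCollectorCert applies the Collector Certificate requirements listed above;
// issuesAgentCerts enables the checks that matter only when it will sign Agent Certificates.
func CheckCollectorCert(c *x509.Certificate, issuesAgentCerts bool) error {
	serverAuth := false
	for _, eku := range c.ExtKeyUsage {
		if eku == x509.ExtKeyUsageServerAuth { // OID 1.3.6.1.5.5.7.3.1
			serverAuth = true
		}
	}
	if !serverAuth {
		return errors.New("missing Server Authentication extended key usage")
	}
	if !issuesAgentCerts {
		return nil
	}
	// Key usage is optional; Go leaves KeyUsage at 0 when the extension is absent.
	if c.KeyUsage != 0 && c.KeyUsage&x509.KeyUsageCertSign == 0 {
		return errors.New("key usage present but lacks certificate signing")
	}
	if !c.IsCA {
		return errors.New("not an authority: basic constraints cA is not set")
	}
	// An explicit pathLenConstraint of 0 is reported via MaxPathLenZero; absent (-1) or >= 1 is fine.
	if c.MaxPathLenZero {
		return errors.New("basic constraints path length must be >= 1")
	}
	return nil
}

// CheckCollectorPEM parses a PEM-encoded certificate (e.g. exported from the store) and checks it.
func CheckCollectorPEM(pemBytes []byte, issuesAgentCerts bool) error {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return errors.New("input is not a PEM CERTIFICATE block")
	}
	c, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	return CheckCollectorCert(c, issuesAgentCerts)
}
```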

Agent Certificates

Agent Certificates are used only in Mutual Authentication. The Agent machine either produces a certificate request, or
one is manually produced on the Agent's behalf. A Collector issues a certificate based on this request. Copies of the
certificate are stored on both the Agent machine and the Collector. The Agent's private key should never exist
anywhere but on the Agent machine.
When a second Collector contacts the Agent, the Agent makes its certificate available, and the second Collector also
stores the certificate. Note that a second Collector cannot renew an Agent Certificate that was issued by a previous
Collector.
Certificates are also used to encrypt and distribute the ESX and ESXi Web Service credentials (Virtualization) and to
encrypt and distribute the VCM for Service Desk Integration credentials. These certificates may be the same Agent
Certificates used for TLS.
Agent certificates in VCM must adhere to the following requirements:
TLS Implementation for VCM
TECHNICAL WHITE PAPER / 10