Changing Certificates; Renewing Certificates; Replacing Certificates - VMware VCM 5.3 - TRANSPORT LAYER SECURITY IMPLEMENTATION Manual

vCenter Configuration Manager Transport Layer Security Implementation

Changing Certificates

Certificates always have an expiration date, after which they are no longer valid. The validity period for a certificate is a
matter of policy and ranges from minutes to decades. When a certificate approaches the end of its validity period, you can either renew or replace it.

Renewing Certificates

Renewing a certificate means extending its validity period while keeping the same key pair, issuer, and
identifying information. Whatever mechanism was used to create the VCM certificates can be used to renew them.
A certificate is renewed by issuing a new certificate with the same public key and identifying information as the old one
and an updated expiration date. Because the only change is the validity period, it is safe to accept the new certificate at
the same level of trust as the old one, provided the private key itself is still trustworthy; a compromised key calls for
replacement rather than renewal. Both certificates are valid for the same purposes, and each remains usable within its own
validity period.
When the Collector initiates communication with the Agent, it sends the Agent the certification path from the Collector
Certificate to its trusted root (typically the Enterprise Certificate). For each certificate in the path, the Agent checks
whether it has a matching certificate in the local machine personal or root store. If it finds a match in either location
and the new certificate has different validity dates, the Agent installs the new certificate in that store, preserving the
current trust level. No certificate is added to the trusted store unless an equivalent certificate is already present, and
the old certificates are not removed.
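The rule above, as an added illustration in Go that is not VCM code: the Agent's two stores are modeled in memory, the Enterprise and Collector certificates are constructed with ECDSA keys, and both are renewed with the same key pairs and names but fresh serial numbers and validity dates. Beyond the page's rule (a certificate is installed only beside an equivalent one with different dates, never on first sight, and nothing is removed), the example also verifies each candidate's signature with a certificate the Agent already holds; that is the check which stops anyone who merely knows the public key from presenting a far-future "renewal". The tampered certificate and the attacker-issued root are constructed for the demonstration, and the certificate names, store layout and decision labels are assumptions.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type Store []*x509.Certificate // in-memory stand-in for one Windows store on the Agent (LocalMachine\My or \Root)
// Decisions the Agent can reach for one certificate of the path it received.
const (
	Installed  = "installed"   // equivalent held, validity differs, signature verifies: renewal accepted
	Unchanged  = "unchanged"   // a held equivalent already has this validity period: nothing to renew
	NotTrusted = "not-trusted" // no equivalent certificate in any store: never added on first sight
	BadSig     = "bad-sig"     // looks like a renewal but no held certificate verifies its signature
)
// equivalent: same subject, same issuer and same public key (compared as raw SubjectPublicKeyInfo).
func equivalent(a, b *x509.Certificate) bool {
	return bytes.Equal(a.RawSubject, b.RawSubject) && bytes.Equal(a.RawIssuer, b.RawIssuer) &&
		bytes.Equal(a.RawSubjectPublicKeyInfo, b.RawSubjectPublicKeyInfo)
}

// SyncPath applies the renewal rule to the path the Collector sent (leaf first). An accepted certificate is
// added beside the old one; nothing is ever removed. The signature check (the old root verifies a same-key
// renewed root, the Enterprise certificate verifies a Collector certificate) stops forged far-future "renewals".
func SyncPath(path []*x509.Certificate, stores []*Store) []string {
	out := make([]string, len(path))
	for i, cand := range path {
		st, sameDates, signed := (*Store)(nil), false, false // st: the store holding an equivalent certificate
		for _, s := range stores {
			for _, have := range *s {
				if equivalent(have, cand) {
					st = s
					sameDates = sameDates || have.NotBefore.Equal(cand.NotBefore) && have.NotAfter.Equal(cand.NotAfter)
				}
				if bytes.Equal(have.RawSubject, cand.RawIssuer) && cand.CheckSignatureFrom(have) == nil {
					signed = true
				}
			}
		}
		switch {
		case st == nil:
			out[i] = NotTrusted
		case sameDates:
			out[i] = Unchanged
		case !signed:
			out[i] = BadSig
		default:
			*st = append(*st, cand)
			out[i] = Installed
		}
	}
	return out
}

// issue makes a 3-year certificate for cn with subj's key, signed by signer under parent (nil: self-signed); a renewal needs a new serial.
func issue(cn string, ca bool, from time.Time, serial int64, parent *x509.Certificate, subj, signer *ecdsa.PrivateKey) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: from, NotAfter: from.AddDate(3, 0, 0), BasicConstraintsValid: true, IsCA: ca}
	if parent == nil {
		parent = t
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &subj.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER produced just above, so it parses
	return c
}

// Scenario builds constructed Enterprise (root) and Collector certificates, renews both with the same key pairs, and
// returns the Agent's decisions for [forged renewal, rogue root], [renewed path], [same path again], then the store sizes.
func Scenario() (decisions []string, personalN, rootN int) {
	entKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	colKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rogueKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t0, t1 := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC), time.Date(2025, 7, 1, 0, 0, 0, 0, time.UTC)
	ent := issue("VCM Enterprise Certificate", true, t0, 1, nil, entKey, entKey)
	col := issue("VCM Collector Certificate", false, t0, 2, ent, colKey, entKey)
	entNew := issue("VCM Enterprise Certificate", true, t1, 3, nil, entKey, entKey)
	colNew := issue("VCM Collector Certificate", false, t1, 4, entNew, colKey, entKey)
	raw := append([]byte(nil), colNew.Raw...)
	raw[len(raw)-1] ^= 0x01 // flip a bit inside the signature bit string: DER still parses, never verifies
	forged, _ := x509.ParseCertificate(raw)
	rogue := issue("VCM Enterprise Certificate", true, t1, 5, nil, rogueKey, rogueKey)
	stores := []*Store{{col}, {ent}} // Agent's LocalMachine\My (Collector cert) and LocalMachine\Root (Enterprise cert)
	decisions = SyncPath([]*x509.Certificate{forged, rogue}, stores)                        // bad-sig, not-trusted
	decisions = append(decisions, SyncPath([]*x509.Certificate{colNew, entNew}, stores)...) // installed, installed
	decisions = append(decisions, SyncPath([]*x509.Certificate{colNew, entNew}, stores)...) // unchanged, unchanged
	return decisions, len(*stores[0]), len(*stores[1])
}

func main() { fmt.Println(Scenario()) }
```

Running it prints the six decisions followed by the two store sizes, both 2, because the renewed certificates are added beside the originals rather than replacing them. Delivering the same path a second time is a no-op, which is what the "different dates" condition buys: without it every reconnection would install another copy.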

Replacing Certificates

The only way to ensure the authenticity of a new root or trusted certificate is to receive it from a secure and trusted
source. During installation, VCM Installation Manager handles Enterprise and Collector Certificate installation and
management. You can either select your own certificates from your certificate store or have VCM generate the
certificates automatically. In both cases, your VCM Agents are automatically configured to trust the certificates.
In addition, Enterprise and Collector Certificates with updated begin and end times are automatically added to the
Agents' certificate stores as described in Renewing Certificates on page 13.
However, certain circumstances may require you to replace your Enterprise and Collector Certificates, including:
- Compromised private keys
- Company security policy governing the lifetime of keys
- Company or department changes merging VCM environments
- Product evaluations that previously used VCM-generated certificates and are moved into production without re-installation
Use the following procedures to replace both the Enterprise and Collector Certificates, or just the Collector Certificate,
and then install them into the certificate stores of the VCM Collector and Agents.
Replace the Enterprise and Collector Certificates
TLS Implementation for VCM - TECHNICAL WHITE PAPER / 13
