Attackers can use SSL certificates to impersonate vCenter Server and decrypt the vCenter Server database password. You must monitor and strictly control access to the certificate.

Only the service account user requires regular access to the directory that contains vCenter Server SSL certificates. Infrequently, the vCenter Server system administrator might need to access the directory as well. Because the SSL certificate can be used to impersonate vCenter Server and decrypt the database password, monitor the event log and set an alert to trigger when an account other than the service account accesses the directory.

To prevent any user other than the service account user from accessing the directory, change the permissions on the directory so that only the vCenter Server service account is allowed to access it. Be aware of two side effects: this restriction prevents you from collecting a complete support log when you run the vc-support script, and it prevents the administrator from changing the vCenter Server database password.
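As an added example that is not part of the VMware documentation, the following PowerShell script applies the controls described above on a Windows vCenter Server: it restricts the certificate directory's ACL to the service account, audits all access to the directory, and reports any access by an account other than the service account. The directory path and service account name are placeholders; run it elevated, because setting audit entries requires the Manage auditing privilege.

```powershell
# Added example (not from the VMware documentation). Both values below are
# placeholders and must be replaced with the real directory and service account.
$CertDir        = 'C:\PLACEHOLDER\vCenter-SSL'   # placeholder: vCenter Server SSL certificate directory
$ServiceAccount = 'CONTOSO\svc-vcenter'          # placeholder: vCenter Server service account

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None

# 1. Restrict the DACL: stop inheriting, drop every existing entry, then allow
#    only the service account (and SYSTEM). The administrator is deliberately not
#    granted access; grant it temporarily when a support log or password change is needed.
$acl = Get-Acl -Path $CertDir
$acl.SetAccessRuleProtection($true, $false)            # disable inheritance, discard inherited ACEs
foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRuleAll($ace) }
foreach ($id in @($ServiceAccount, 'NT AUTHORITY\SYSTEM')) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, 'FullControl', $inherit, $prop, 'Allow')))
}
Set-Acl -Path $CertDir -AclObject $acl

# 2. Audit the SACL: log successful and failed reads/writes/deletes by anyone.
#    Object Access auditing must be on, otherwise no 4663 events are written.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
$sacl = Get-Acl -Path $CertDir -Audit
$sacl.AddAuditRule((New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', 'ReadData, WriteData, Delete, ChangePermissions', $inherit, $prop, 'Success, Failure')))
Set-Acl -Path $CertDir -AclObject $sacl

# 3. Detection: return 4663 (object access) events on the directory whose subject
#    is not the service account. Feed the result to an alert or scheduled task.
function Get-UnexpectedCertDirAccess {
    param([datetime]$Since = (Get-Date).AddHours(-24))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()                       # pull the named EventData fields
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Account = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Object  = $d.ObjectName
                Process = $d.ProcessName
            }
        } |
        Where-Object { $_.Object -like "$CertDir*" -and $_.Account -ne $ServiceAccount }
}

Get-UnexpectedCertDirAccess | Format-Table -AutoSize
```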