Hello,
I have successfully replaced the VMCA CA certificate, but when generating the machine certificate it seems not to be possible to enter multiple hostnames:
In this KB article: VMware KB: Using certool to generate CSRs that include multiple DNS names for one host
I read that I should modify certool.cfg as follows:
Hostname = server.acme.com,server,192.168.1.1
But when I try to sign the certificate I get:
certool --gencert --cert=new-vmca-ssl.crt --privkey=ssl-key.priv --config=certool.cfg
Using config file : certool.cfg
Error: 70061, VMCAGetSignedCertificatePrivate() failed
Status : Failed
Error Code : 70061
Error Message : Invalid Subject Alternate Name specified.
I want the browser to give no error when entering the IP or only the hostname without the FQDN, which is why I need more subject alternate names.
Hope someone has a hint for me...
Kind regards
Stefan
Can you try the command below:
certool --gencert --cert=new-vmca-ssl.crt --privkey=ssl-key.priv --config=certool.cfg --hostname="server.acme.com,server,192.168.1.1"
If it errors out, first remove --config=certool.cfg and try again. Then remove the FQDN of the server from --hostname, keep the other name/IP there, and execute.
More info:
vSphere 6.0 Documentation Center
For machine SSL certificates, the FQDN of the machine is used because the SSL client checks the CN field of the Subject name of the certificate when verifying the machine's host name. Because a machine can have more than one alias, certificates have the Subject Alternative Name field extension where you can specify other names (DNS names, IP addresses, and so on). However, VMCA allows only one DNSName (in the Hostname field) and no other Alias options. If the IP address is specified by the user, it is stored in SubAltName as well.
The --Hostname parameter is used to specify the DNSName of the certificate's SubAltName.
Thanks for the fast answer, but no success. It only works when only one hostname is entered:
certool --gencert --cert=new-vmca-ssl.crt --privkey=ssl-key.priv --config=certool.cfg --Hostname="test.demo.local"
Using config file : certool.cfg
Status : Success
And the IP address is stored too, but as an IP address rather than a DNS name, with the result that the browser ignores this entry...
So it seems that this doesn't work:
VMCA allows only one DNSName (in the Hostname field) and no other Alias options.
That is bad...
How do you get the VMCA to sign the custom CSR in order to then import it into vCenter?
Hi,
You can use the commands below to generate a new cert using a custom configuration file.
If you are using the vCSA, change to the directory below to get certool:
cd /usr/lib/vmware-vmca/bin
First create the configuration file, e.g. my.cfg, to generate the CSR. You can copy the example configuration: /usr/lib/vmware-vmca/share/config/certool.cfg
./certool --gencsr --privkey=priv.key --pubkey=pub.key --csrfile=csr.csr --config=my.cfg
Provide the CSR, the cfg, and the private key file path.
./certool --gencert --cert=new-vmca-ssl.crt --privkey=priv.key --config=my.cfg
You can view the generated cert content:
./certool --viewcert --cert=new-vmca-ssl.crt
I would strongly suggest that you only use VMCA to generate and replace SSL certificates.
Thanks,
Haridas
Thanks @vHaridas
What do I do after that? The reason why I need to do this is because I need to add multiple alternate names. I've tried creating the request then signing it using my organisation's CA which signed the subordinate CA for VMCA but when I tried to import it using option 5 in the "Certificate-Manager" utility it failed saying that the same certificate cannot be used for multiple services. I have to say VMware's documentation is atrocious and confusing to say the least.
I was expecting the custom request to be signed by VMCA but couldn't find an option or any documentation on how to do that. I followed the instructions in this KB article which then says to follow the Understanding and using vSphere 6.0 Certificate Manager (2097936) but that article has no information relating to getting the VMCA to sign custom requests for vCenter.
VMCA does not support multiple subject alternate names. It's difficult to find this in any document.
Did you try option 3 with an internal CA-signed cert with multiple alternate names?
Option 3 is "Replace Machine SSL certificate with VMCA Certificate", which does not support multiple SANs. It errors out and reverts the changes, which is why the documentation provides instructions for how to manually create the request but not how to replace it once signed by the corporate CA (it would be nice if they could say that the VMCA will not sign CSRs with SANs, but to use the company CA to sign it). Are you referring to option 1 by any chance, "Replace Machine SSL certificate with Custom Certificate"?
I know this thread is old, but Google lead me here.
So, I just tried the same thing with a 6.5 U1e VCSA. I get the same error message as the original author of this post (I used Option 2, to use VMCA as a subordinate CA, and replaced all certificates).
I followed a KB which was not mentioned here: VMware Knowledge Base
But the command in there was actually suggested as part of the discussion here. Needless to say that it failed. It really seems like it only supports one DNS entry.
Has anyone any updates on this? Have there been VMware Cases which I could mention (SR Numbers) if I were to open a SR with VMware?
I haven't seen any documentation that says it only supports one DNS entry for hostname. But on the other hand I haven't seen official documentation (apart from the above linked KB) which documents this approach with multiple SANs (Subject Alternate Names).
virtualDD Raudi
Check out this KB: VMware Knowledge Base
This suggests using openssl on VCSA to generate a custom CSR. I just ran through the process and it worked great.
Just add your own custom DNS.1, DNS.2, etc entries under the [alt_names] section.
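The OpenSSL route from the last reply, written out as an added example that is not part of the thread and not VMware's own tooling: a small POSIX shell script that writes a request config with an [alt_names] section (DNS.1, DNS.2, ... for names, IP.1, ... for addresses, since a bare IP in a DNS entry is what browsers ignore, as noted earlier in the thread), generates a key and CSR with openssl, and reads the SANs back out of the CSR so you can confirm them before handing the CSR to the corporate CA. The hostnames, IP and organisation name are constructed placeholders; the VCSA-specific certool steps are not reproduced here.

```shell
#!/bin/sh
# Added example: build a multi-SAN CSR with OpenSSL and verify its SANs.
# Hostnames, IP and O= value below are constructed placeholders.
set -eu

# Write an OpenSSL request config whose [alt_names] section lists every
# SAN we want. Entries containing anything other than digits and dots are
# emitted as DNS.n; dotted-quad entries are emitted as IP.n so that the
# address ends up as an IP SAN, not as a DNS name that browsers ignore.
#   $1 = config path, $2 = CN, remaining args = SAN entries
write_san_config() {
    cfg="$1"; cn="$2"; shift 2
    {
        printf '[ req ]\n'
        printf 'default_bits = 2048\nprompt = no\ndefault_md = sha256\n'
        printf 'distinguished_name = req_distinguished_name\nreq_extensions = v3_req\n\n'
        printf '[ req_distinguished_name ]\n'
        printf 'CN = %s\nO = acme\n\n' "$cn"
        printf '[ v3_req ]\n'
        printf 'subjectAltName = @alt_names\n\n'
        printf '[ alt_names ]\n'
        dns=1; ip=1
        for entry in "$@"; do
            case "$entry" in
                *[!0-9.]*) printf 'DNS.%d = %s\n' "$dns" "$entry"; dns=$((dns + 1)) ;;
                *)         printf 'IP.%d = %s\n'  "$ip"  "$entry"; ip=$((ip + 1)) ;;
            esac
        done
    } > "$cfg"
}

# Generate a fresh RSA key and a CSR carrying the SANs from the config.
#   $1 = config path, $2 = key output path, $3 = CSR output path
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$2" -out "$3" -config "$1" >/dev/null 2>&1
}

# Print the SAN entries of a CSR one per line, e.g. "DNS:server.acme.com"
# or "IP Address:192.168.1.1", so they can be checked before signing.
#   $1 = CSR path
csr_sans() {
    openssl req -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | tail -n 1 | tr ',' '\n' | sed 's/^ *//'
}

# Usage (constructed values; run on the VCSA or any host with openssl):
#   write_san_config san.cnf vcenter.acme.local vcenter.acme.local vcenter 192.168.1.1
#   make_csr san.cnf vcenter.key vcenter.csr
#   csr_sans vcenter.csr
```

Hand the resulting CSR to the corporate CA (not to VMCA, which the thread found rejects multi-SAN requests) and check the signed certificate the same way with `openssl x509 -in cert.crt -noout -text` before importing it with option 1 of the Certificate Manager.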