VMware Cloud Community
Raudi
Expert

Replace machine certificate with VMCA signed certificate which has multiple alternate names

Hello,

I have successfully replaced the VMCA CA certificate, but when generating the machine certificate it seems not to be possible to enter multiple hostnames:

In this KB article: VMware KB: Using certool to generate CSRs that include multiple DNS names for one host

I can read that I should modify the certool.cfg as follows:

Hostname = server.acme.com,server,192.168.1.1

But when I try to sign the certificate I get:

certool --gencert --cert=new-vmca-ssl.crt --privkey=ssl-key.priv --config=certool.cfg

Using config file : certool.cfg

Error: 70061, VMCAGetSignedCertificatePrivate() failedStatus : Failed

Error Code : 70061

Error Message : Invalid Subject Alternate Name specified.

I want the browser to give no error when entering the IP or only the hostname without the FQDN; because of this I need more subject alternate names.

Hope someone has a hint for me...

Kind regards

Stefan

9 Replies
vHaridas
Expert

Can you try the command below:

certool --gencert --cert=new-vmca-ssl.crt --privkey=ssl-key.priv --config=certool.cfg --hostname="server.acme.com,server,192.168.1.1"

If it errors out, first remove --config=certool.cfg and try again. Then remove the FQDN of the server from --hostname, keep the other names/IP there, and execute.

More info:

vSphere 6.0 Documentation Center

For machine SSL certificates, the FQDN of the machine is used because the SSL client checks the CN field of the Subject name of the certificate when verifying the machine's host name. Because a machine can have more than one alias, certificates have the Subject Alternative Name field extension where you can specify other names (DNS names, IP addresses, and so on). However, VMCA allows only one DNSName (in the Hostname field) and no other Alias options. If the IP address is specified by the user, it is stored in SubAltName as well.

The --Hostname parameter is used to specify the DNSName of the certificate's SubAltName.

Please consider awarding points for "Correct" or "Helpful" replies. Thanks....!!! https://vprhlabs.blogspot.in/
Raudi
Expert

Thanks for the fast answer, but no success. Only when a single hostname is entered does it work:

certool --gencert --cert=new-vmca-ssl.crt --privkey=ssl-key.priv --config=certool.cfg --Hostname="test.demo.local"

Using config file : certool.cfg

Status : Success

And the IP address is stored too, but not as a DNS name, as an IP address; this has the result that the browser ignores this entry...

So it seems that this doesn't work:

VMCA allows only one DNSName (in the Hostname field) and no other Alias options.

That is bad...

Tammam
Contributor

How do you get the VMCA to sign the custom CSR in order to then import it into vCenter?

vHaridas
Expert

Hi,

You can use the commands below to generate a new cert using a custom configuration file.

If you are using vCSA, change to the directory below to get certool:

cd /usr/lib/vmware-vmca/bin

First create the configuration file, e.g. my.cfg, to generate the CSR. You can copy the example configuration: /usr/lib/vmware-vmca/share/config/certool.cfg

./certool --gencsr --privkey=priv.key --pubkey=pub.key --csrfile=csr.csr --config=my.cfg

Provide the CSR, the cfg, and the private key file path.

./certool --gencert --cert=new-vmca-ssl.crt --privkey=priv.key --config=my.cfg

You can view generated cert content.

./certool --viewcert --cert=new-vmca-ssl.crt

I would strongly suggest that you only use VMCA to generate and replace SSL certificates.

Thanks,

Haridas

Virtual Admin

Tammam
Contributor

Thanks @vHaridas

What do I do after that? The reason why I need to do this is because I need to add multiple alternate names. I've tried creating the request then signing it using my organisation's CA which signed the subordinate CA for VMCA but when I tried to import it using option 5 in the "Certificate-Manager" utility it failed saying that the same certificate cannot be used for multiple services. I have to say VMware's documentation is atrocious and confusing to say the least.

I was expecting the custom request to be signed by VMCA but couldn't find an option or any documentation on how to do that. I followed the instructions in this KB article which then says to follow the Understanding and using vSphere 6.0 Certificate Manager (2097936) but that article has no information relating to getting the VMCA to sign custom requests for vCenter.

vHaridas
Expert

VMCA does not support multiple subject alternate names. It's difficult to find it in any document.

Did you try option 3 with an internal CA signed cert with multiple alternate names?

Tammam
Contributor

Option 3 is "Replace Machine SSL certificate with VMCA Certificate", which does not support multiple SANs. It errors out and reverts the changes, which is why the documentation provides instructions for how to manually create the request but not how to replace it once signed by the corporate CA (it would be nice if they could say that the VMCA will not sign CSRs with SANs but to use the company CA to sign it). Are you referring to option 1 by any chance, "Replace Machine SSL certificate with Custom Certificate"?

virtualDD
Enthusiast

I know this thread is old, but Google led me here.

So, I just tried the same thing with a 6.5 U1e VCSA. I get the same error message as the original author of this post (I used Option 2, to use VMCA as a subordinate CA, and replaced all certificates).

I followed a KB which was not mentioned here: VMware Knowledge Base

But the command in there was actually suggested as part of the discussion here. Needless to say, it failed. It really seems like it only supports one DNS entry.

Has anyone got any updates on this? Have there been VMware cases which I could mention (SR numbers) if I were to open an SR with VMware?

I haven't seen any documentation that says it only supports one DNS entry for hostname. But on the other hand I haven't seen official documentation (apart from the above linked KB) which documents this approach with multiple SANs (Subject Alternate Names).

hicksj
Virtuoso

virtualDD Raudi

Check out this KB: VMware Knowledge Base

This suggests using openssl on VCSA to generate a custom CSR. I just ran through the process and it worked great.

Just add your own custom DNS.1, DNS.2, etc. entries under the [alt_names] section.

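The openssl route hicksj describes, as an added example that is not from this thread or from VMware's KB: a POSIX shell script that writes an OpenSSL request config with several [alt_names] entries (DNS.1, DNS.2, IP.1), generates the key and CSR from it, and reads the SANs back out of the CSR so you can confirm they are present before handing the request to the corporate CA. The names vcenter.demo.local, vcenter and 192.0.2.10 are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or VMware's KB): build an OpenSSL request
# config whose [alt_names] section lists several SANs, generate a CSR from it,
# and read the SANs back out of the CSR. The names used at the bottom
# (vcenter.demo.local, vcenter, 192.0.2.10) are constructed placeholders.

# make_san_config CFG NAME... : write CFG with one DNS.n / IP.n line per NAME.
# The first NAME also becomes the commonName. Purely numeric-and-dot names
# are treated as IP addresses, everything else as DNS names.
make_san_config() {
  cfg="$1"; shift
  {
    printf '[ req ]\n'
    printf 'default_bits = 2048\n'
    printf 'prompt = no\n'
    printf 'distinguished_name = req_distinguished_name\n'
    printf 'req_extensions = v3_req\n\n'
    printf '[ req_distinguished_name ]\n'
    printf 'countryName = US\n'
    printf 'organizationName = Demo Org\n'
    printf 'commonName = %s\n\n' "$1"
    printf '[ v3_req ]\n'
    printf 'subjectAltName = @alt_names\n\n'
    printf '[ alt_names ]\n'
  } > "$cfg"
  dns_n=1; ip_n=1
  for name in "$@"; do
    case "$name" in
      *[!0-9.]*) printf 'DNS.%d = %s\n' "$dns_n" "$name" >> "$cfg"; dns_n=$((dns_n + 1)) ;;
      *)         printf 'IP.%d = %s\n'  "$ip_n"  "$name" >> "$cfg"; ip_n=$((ip_n + 1)) ;;
    esac
  done
}

# csr_sans CFG KEY CSR : create KEY and CSR from CFG, then print the SAN line of
# the CSR (e.g. "DNS:vcenter.demo.local, DNS:vcenter, IP Address:192.0.2.10").
csr_sans() {
  cfg="$1"; key="$2"; csr="$3"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$key" -out "$csr" \
    -config "$cfg" 2>/dev/null || return 1
  openssl req -in "$csr" -noout -text |
    grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Stand-alone run: ./san_csr.sh --demo writes req.cfg, vcenter.key, vcenter.csr
if [ "${1:-}" = "--demo" ]; then
  make_san_config req.cfg vcenter.demo.local vcenter 192.0.2.10
  csr_sans req.cfg vcenter.key vcenter.csr
fi
```

The printed SAN line is the check worth doing before submitting the CSR: if a name is missing here, no CA signature will add it later.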