VMware Cloud Community
PhillyDiane
Contributor

5.5 heartbleed patch issue with certutil and multiple FQDN/IP on cert

Hi-

I'm running into a vCenter Server 5.5 Heartbleed update (to 1750787) issue with certutil.exe. Per the instructions on VMware KB: Resolving OpenSSL Heartbleed for VMware vCenter Server 5.5, after installing the patch for SSO, you need to regenerate the certs with certutil. The syntax provided is:

"C:\Program Files\VMware\Infrastructure\VMware\CIS\vmcad\certool.exe" --genCIScert --priv=priv.key --Name=VMWareDirectoryService --FQDN=FQDN_DNS_NAME --IP=IP_address --cert=cert.crt --port=11711


I have more than one FQDN and IP specified on my current cert. The new cert needs to have those multiple names and IP's.

When I run certutil with those additional addresses, I get "error: multiple occurrences". I can't find any documentation on certutil; verbose/help/? from the command yields nothing.


Has anyone else run into this?


14 Replies
Atul_gen
Enthusiast

You can have more than one IP, but how can you have multiple FQDNs for a machine? Please check the forward lookup and reverse lookup and get the proper FQDN and IP. You need to provide the same FQDN and IP in the mentioned command. I had a FQDN and multiple IPs, it worked fine.

If you find this or any other answer useful please mark the answer as correct or helpful.
admin
Immortal

Hi ,

More than one FQDN on a cert..?? Something may be wrong with your lookup zones. You may need to check your DNS for duplicate entries.

Thanks,

Avinash

AramAvetisyan
Enthusiast

So any info how to have several IP addresses when generating certificate using certool?

SamuelJason
Contributor

Hi, PhillyDiane.  I'm working on this, too, and have found one problem you'll have with VMware documentation for this command so I'll step you through a couple things.  First, the base command:

"C:\Program Files\VMware\Infrastructure\VMware\CIS\vmcad\certool.exe" --genCIScert --priv=priv.key --Name=VMWareDirectoryService --FQDN=FQDN_DNS_NAME --IP=IP_address --cert=cert.crt --port=11711

Note that the part that says --priv=priv.key should say --privkey=priv.key

Second, I'll tell you what I did with multiple IP addresses, since my server had two.  My command looks like this:

"C:\Program Files\VMware\Infrastructure\VMware\CIS\vmcad\certool.exe" --genCIScert --privkey=priv.key --Name=VMWareDirectoryService --FQDN=FQDN_DNS_NAME --IP=IP_address IP=IP_address --cert=cert.crt --port=11711

No errors, running the command like that.  Note the piece that says: --IP=IP_address IP=IP_address

I had tried that with commas and -- before the second IP and it always failed.  The example I gave you works, though.  My guess (I haven't tried it) is that it may work the same way with FQDNs.

Regards,

-Sam J

AramAvetisyan
Enthusiast

Hello Samuel,

I just want to point out that although the command finishes successfully with the options --IP=IP_address IP=IP_address, it doesn't mean it adds both IPs to the certificate. If you double-click the created cert file and check the "Subject Alternative Name" field, you will still see only one IP.

Here is an example of one file generated during install (on the right), and a file generated with your command (on the left).

[image: side-by-side comparison of the two certificates' Subject Alternative Name fields]

There is obviously some way to do it, since it was done by the installer during install. Unfortunately it is not documented anywhere.

Regards,

Aram Avetisyan.

flynmooney
Enthusiast

I believe you need to use "subject alternative names".  X.509 certificates

Microsoft KB on subject alternative names How to add a subject alternative name to a secure LDAP certificate

AramAvetisyan
Enthusiast

And the question is how to do it with VMware's certool, which according to what I've found is different from GNU certtool (double t). The easiest way is to open a ticket with VMware and let them help. As the topic creator is no longer active here, I suppose he solved his problem. We should just hope that he will share his solution.

By the way, my solution was to use only one IP. Eventually, even if vCenter has several IPs and Hostnames, all communication related to vSphere usually goes through one management network.

Regards,

Aram Avetisyan.

PhillyDiane
Contributor

Hi

OP here.

Thanks for all of the replies. SamuelJason, I will try your commands and see if that generates a valid cert, but Aram notes it does not create a cert with both IPs. I plan on opening a ticket with VMware to find out the valid options for certool.exe. I'll post the results of the ticket.

Thanks, PhillyDiane

SamuelJason
Contributor

Appreciate the reply, Aram, you are right.  And on your other reply, it's correct as the cert seems to be working just fine in my test lab.

I see that PhillyDiane is going to open a ticket with VMware so I'm very interested to see what the real solution is (thanks for sharing, PhillyDiane).  I have 12 vCenter servers to apply this fix to and want to make sure it's done right.

Thanks to everyone participating in this discussion.  Looking forward to a good resolution.

Best regards,

-Sam J

modb
Contributor

The help for the certool command is obtained by issuing the following commands:


certool.exe --help init

certool.exe --help functions

certool.exe --help config

However, I only see it show one argument for --IPAddress and nothing for --FQDN. Usually for openssl you just adjust the config file for subjectAltName. There is a certool.cfg file which just appears to be a template.

PhillyDiane
Contributor

Right, Modb, when I use the switches you use, I get:

certool.exe -help init
error: unknown option -h

It only picks up the first letter of whatever switch I attempt. What version of certool are you using? Mine is 5.5.0, build 1746237, dated 4/15/14. It's 1338 KB.

modb
Contributor

You need to use a double dash.

certool.exe --help init

PhillyDiane
Contributor

No shit, the double dash worked for certool help. (VMWare tech support didn't know that one, either.) Thanks!

Anyway, I did hear back about the ticket I opened and this turns out to be the correct syntax for multiple ip/hostnames:

"C:\Program Files\VMware\Infrastructure\VMware\CIS\vmcad\certool.exe" --genCIScert --priv=priv.key --Name=VMWareDirectoryService --FQDN="host.name,DNS:other.host.name" --IP="1.1.1.1, IP:2.2.2.2, IP:3.3.3.3" --cert=cert.crt --port=11711

The placement of the quotes is important, and it has to be done from an administrative cmd prompt, as well.

And props to Drew from vmware support who had an engineer dig through the source code to figure out the answer to this one. He also said they were going to update the documentation to reflect these switches.

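Two things in this thread are worth automating for anyone with more than a couple of vCenter servers to patch: building the multi-value --FQDN/--IP arguments in the form PhillyDiane got back from VMware support, and Aram's point that a certool run that exits cleanly can still produce a cert with only one SAN entry, so the result has to be checked. The script below is an added example written for this thread; it is not VMware's code and not from any poster. It assumes certool's multi-value syntax is exactly as quoted above (first value bare, later ones prefixed with DNS: or IP:, joined by commas; whether whitespace after the comma matters is not settled in the thread, so none is emitted), that certool receives its argv through ordinary C-runtime parsing (so passing an argument list avoids the cmd.exe quoting trap), and that an `openssl` binary is available wherever the generated cert is inspected. The --priv vs --privkey spelling is left as a parameter because the two posts above disagree on it. The sample openssl output embedded in the script is constructed, not captured from a real certificate.

```python
"""Build certool SAN arguments and verify the resulting certificate's SANs.

Added example for the forum thread above; not VMware code. Assumptions are
noted inline and in the lead-in.
"""
import ipaddress
import re
import subprocess

# Install path as quoted in the thread; adjust for your environment.
CERTOOL = r"C:\Program Files\VMware\Infrastructure\VMware\CIS\vmcad\certool.exe"

# Conservative RFC 1123 hostname shape: labels of 1-63 chars, no leading/trailing hyphen.
HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")

SAN_HEADER = "X509v3 Subject Alternative Name:"


def _san_value(entries, tag):
    """Join values the way the thread's working command does: the first entry
    bare, each later entry prefixed with the SAN tag ('DNS' or 'IP').
    Assumption: certool tolerates no whitespace after the comma."""
    if not entries:
        raise ValueError(f"at least one {tag} entry is required")
    return ",".join([entries[0]] + [f"{tag}:{e}" for e in entries[1:]])


def build_certool_args(fqdns, ips, privkey="priv.key", cert="cert.crt",
                       port=11711, name="VMWareDirectoryService",
                       priv_flag="--priv"):
    """Return the certool argv list (hypothetical helper; not a VMware API).

    Every hostname and IP is validated first so a typo fails here rather than
    ending up in a trusted certificate. priv_flag defaults to the spelling
    VMware support gave; SamuelJason reports --privkey in his build."""
    for host in fqdns:
        if not HOSTNAME_RE.match(host):
            raise ValueError(f"invalid hostname: {host!r}")
    for ip in ips:
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    return [
        CERTOOL, "--genCIScert", f"{priv_flag}={privkey}", f"--Name={name}",
        f"--FQDN={_san_value(fqdns, 'DNS')}", f"--IP={_san_value(ips, 'IP')}",
        f"--cert={cert}", f"--port={port}",
    ]


def openssl_text(cert_path):
    """Dump a PEM/DER cert as text with the openssl CLI (not run offline)."""
    return subprocess.run(["openssl", "x509", "-in", cert_path, "-noout", "-text"],
                          capture_output=True, text=True, check=True).stdout


def parse_san(text):
    """Return (dns_names, ip_addresses) from the SAN block of
    'openssl x509 -noout -text' output; empty lists if there is no SAN."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.strip().startswith(SAN_HEADER) and i + 1 < len(lines):
            dns, ips = [], []
            for item in lines[i + 1].split(","):
                item = item.strip()
                if item.startswith("DNS:"):
                    dns.append(item[len("DNS:"):])
                elif item.startswith("IP Address:"):
                    ips.append(item[len("IP Address:"):])
            return dns, ips
    return [], []


def missing_sans(text, fqdns, ips):
    """List every requested SAN entry that the certificate does NOT carry.

    This is the check Aram did by hand in the Windows cert viewer: a clean
    certool exit says nothing about what landed in the SAN extension."""
    have_dns, have_ips = parse_san(text)
    have_dns_lc = {d.lower() for d in have_dns}
    have_ip_set = {ipaddress.ip_address(i) for i in have_ips}
    missing = [f"DNS:{h}" for h in fqdns if h.lower() not in have_dns_lc]
    want_ip_set = {ipaddress.ip_address(i) for i in ips}
    missing += [f"IP:{i}" for i in sorted(want_ip_set - have_ip_set, key=str)]
    return missing


# Constructed sample output (trimmed to the extension block), not a real cert.
GOOD_TEXT = """\
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:host.name, DNS:other.host.name, IP Address:1.1.1.1, IP Address:2.2.2.2, IP Address:3.3.3.3
"""
# What Sam's '--IP=a IP=b' form produces according to Aram: one IP, one name.
ONE_IP_TEXT = """\
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:host.name, IP Address:1.1.1.1
"""

if __name__ == "__main__":
    hosts, addrs = ["host.name", "other.host.name"], ["1.1.1.1", "2.2.2.2", "3.3.3.3"]
    print(subprocess.list2cmdline(build_certool_args(hosts, addrs)))
    print("missing from good cert:", missing_sans(GOOD_TEXT, hosts, addrs))
    print("missing from one-IP cert:", missing_sans(ONE_IP_TEXT, hosts, addrs))
```

In practice you would run `build_certool_args(...)` through `subprocess.run` from an elevated prompt (the thread notes an administrative cmd prompt is required), then feed `openssl_text("cert.crt")` to `missing_sans` and refuse to install the cert unless the list comes back empty.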
Knurmia
Contributor

Thanks a lot for your post. I was trying to figure out how to have multiple names and your post helped me get it done. Also got an error message, but after reading your post I realized I was trying to run from a cmd prompt without administrative permissions. Another thing the post from VMware doesn't mention. I should have known it myself, but still...

Regards,

Kris
