Hi-
I'm running into a vCenter Server 5.5 Heartbleed update (to 1750787) issue with certutil.exe. Per the instructions on VMware KB: Resolving OpenSSL Heartbleed for VMware vCenter Server 5.5, after installing the patch for SSO, you need to regenerate the certs with certutil. The syntax provided is:
"C:\Program Files\VMware\Infrastructure\VMware\CIS\vmcad\certool.exe" --genCIScert --priv=priv.key --Name=VMWareDirectoryService --FQDN=FQDN_DNS_NAME --IP=IP_address --cert=cert.crt --port=11711
I have more than one FQDN and IP specified on my current cert. The new cert needs to have those multiple names and IPs.
When I run certutil with those additional addresses, I get "error: multiple occurrences". I can't find any documentation on certutil; verbose/help/? from the command yields nothing.
Has anyone else run into this?
You can have more than one IP, but how can you have multiple FQDNs for a machine? Please check the forward lookup and reverse lookup and get the proper FQDN and IP. You need to provide the same FQDN and IP in the mentioned command. I had one FQDN and multiple IPs, and it worked fine.
Hi,
More than one FQDN on a cert..?? Something may be wrong with your lookup zones. You may need to check your DNS for duplicate entries.
Thanks,
Avinash
So any info how to have several IP addresses when generating certificate using certool?
Hi, PhillyDiane. I'm working on this, too, and have found one problem you'll have with VMware documentation for this command so I'll step you through a couple things. First, the base command:
"C:\Program Files\VMware\Infrastructure\VMware\CIS\vmcad\certool.exe" --genCIScert --priv=priv.key --Name=VMWareDirectoryService --FQDN=FQDN_DNS_NAME --IP=IP_address --cert=cert.crt --port=11711
Note that the part that says --priv=priv.key should say --privkey=priv.key
Second, I'll tell you what I did with multiple IP addresses, since my server had two. My command looks like this:
"C:\Program Files\VMware\Infrastructure\VMware\CIS\vmcad\certool.exe" --genCIScert --privkey=priv.key --Name=VMWareDirectoryService --FQDN=FQDN_DNS_NAME --IP=IP_address IP=IP_address --cert=cert.crt --port=11711
No errors, running the command like that. Note the piece that says: --IP=IP_address IP=IP_address
I had tried that with commas and -- before the second IP and it always failed. The example I gave you works, though. My guess (I haven't tried it) is that it may work the same way with FQDNs.
Regards,
-Sam J
Hello Samuel,
I just want to point out that although the command finishes successfully with the options --IP=IP_address IP=IP_address, it doesn't mean it adds both IPs to the certificate. If you double-click the created cert file and check the "Subject Alternative Name" field, you will still see only one IP.
Here is an example of one file generated during install (on the right), and a file generated with your command (on the left).
There is obviously some way to do it, since it was done by the installer during install. Unfortunately it is not documented anywhere.
Regards,
Aram Avetisyan.
I believe you need to use "subject alternative names". X.509 certificates
Microsoft KB on subject alternative names How to add a subject alternative name to a secure LDAP certificate
And the question is how to do it with VMware's certool, which according to what I've found is different from GNU certtool (double t). The easiest way is to open a ticket with VMware and let them help. As the topic creator is no longer active here, I suppose he solved his problem. We should just hope that he will share his solution.
By the way, my solution was to use only one IP. Eventually, even if vCenter has several IPs and Hostnames, all communication related to vSphere usually goes through one management network.
Regards,
Aram Avetisyan.
Hi
OP here.
Thanks for all of the replies. SamuelJason, I will try your commands and see if that generates a valid cert, but Aram notes it does not create a cert with both IPs. I plan on opening a ticket with VMware to find out valid options for certool.exe. I'll post the results of the ticket.
Thanks, PhillyDiane
Appreciate the reply, Aram, you are right. And on your other reply, it's correct as the cert seems to be working just fine in my test lab.
I see that PhillyDiane is going to open a ticket with VMware so I'm very interested to see what the real solution is (thanks for sharing, PhillyDiane). I have 12 vCenter servers to apply this fix to and want to make sure it's done right.
Thanks to everyone participating in this discussion. Looking forward to a good resolution.
Best regards,
-Sam J
The help for the certool command is obtained by issuing the following commands:
certool.exe --help init
certool.exe --help functions
certool.exe --help config
However, I only see it show one argument for --IPAddress and nothing for --FQDN. Usually for openssl you just adjust the config file for subjectAltName. There is a certool.cfg file which just appears to be a template.
Right, Modb, when I use the switches you use, I get:
certool.exe -help init
error: unknown option -h
It only picks up the first letter of whatever switch I attempt. What version of certool are you using? Mine is 5.5.0, build 1746237, dated 4/15/14. It's 1338kb.
You need to use a double dash.
certool.exe --help init
No shit, the double dash worked for certool help. (VMWare tech support didn't know that one, either.) Thanks!
Anyway, I did hear back about the ticket I opened and this turns out to be the correct syntax for multiple ip/hostnames:
"C:\Program Files\VMware\Infrastructure\VMware\CIS\vmcad\certool.exe" --genCIScert --priv=priv.key --Name=VMWareDirectoryService --FQDN="host.name,DNS:other.host.name" --IP="1.1.1.1, IP:2.2.2.2, IP:3.3.3.3" --cert=cert.crt --port=11711
The placement of the quotes is important, and it has to be done from an administrative cmd prompt, as well.
And props to Drew from VMware support, who had an engineer dig through the source code to figure out the answer to this one. He also said they were going to update the documentation to reflect these switches.
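A script to confirm what Aram describes checking by hand: that the cert produced by the syntax from the ticket really carries every FQDN and IP in its Subject Alternative Name field. This is an added example, not code from the thread or from VMware; the cert path and the expected names and addresses are assumed sample values.

```powershell
# Added example, not from the thread or from VMware: check that a cert produced
# by certool actually carries every expected DNS name and IP address in its
# Subject Alternative Name (SAN) extension, instead of eyeballing the dialog.
# $CertPath and the expected names/IPs below are assumed sample values.
param(
    [string]   $CertPath    = "C:\certs\cert.crt",
    [string[]] $ExpectedDns = @("host.name", "other.host.name"),
    [string[]] $ExpectedIp  = @("1.1.1.1", "2.2.2.2", "3.3.3.3")
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# 2.5.29.17 is the OID of the subjectAltName extension
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
if (-not $san) {
    Write-Host "FAIL: certificate has no Subject Alternative Name extension"
    exit 1
}

# On Windows, Format($true) renders one entry per line, e.g.
#   DNS Name=host.name
#   IP Address=1.1.1.1
$foundDns = @()
$foundIp  = @()
foreach ($line in ($san.Format($true) -split "`r?`n")) {
    if ($line -match '^\s*DNS Name=(.+?)\s*$')   { $foundDns += $Matches[1] }
    if ($line -match '^\s*IP Address=(.+?)\s*$') { $foundIp  += $Matches[1] }
}

# Anything expected but absent from the SAN is a mismatch that will break
# hostname/IP validation for clients using that name or address
$missingDns = $ExpectedDns | Where-Object { $foundDns -notcontains $_ }
$missingIp  = $ExpectedIp  | Where-Object { $foundIp  -notcontains $_ }

Write-Host "Subject : $($cert.Subject)"
Write-Host "SAN DNS : $($foundDns -join ', ')"
Write-Host "SAN IP  : $($foundIp  -join ', ')"

if ($missingDns -or $missingIp) {
    Write-Host "FAIL: missing DNS [$($missingDns -join ', ')] missing IP [$($missingIp -join ', ')]"
    exit 1
}
Write-Host "OK: all expected names and addresses are present in the SAN"
exit 0
```

Run it against the cert.crt written by certool before installing it; a non-zero exit means the --FQDN or --IP quoting did not take effect.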
Thanks a lot for your post. I was trying to figure out how to have multiple names and your post helped me get it done. Also got an error message, but after reading your post I realized I was trying to run from a cmd prompt without administrative permissions. Another thing the post from VMware doesn't mention. I should have known it myself, but still...
Regards,
Kris