Hi,
vCenter 6
OS: Windows Server 2012
Per company security requirement, I need to replace the current machine SSL certificate with a 4096-bit SSL certificate. However, I don't see a way to create a CSR with 4096-bit. I believe the default is 1024-bit or 2048-bit. Neither Certificate Manager nor certool seems to have an option to specify the bits either.
Please advise. Thanks,
You can try the following steps:
Create a file csr.cfg
[ req ]
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:false
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = DNS:<FQDN>
[ req_distinguished_name ]
# countryName must be a two-letter country code, e.g. CA for Canada
countryName = Country
stateOrProvinceName = State
localityName = City
0.organizationName = Company
organizationalUnitName = Department
commonName = <FQDN>
Generate CSR and key by running the below command:
openssl req -new -nodes -out /certs/psc-ha-vip.csr -newkey rsa:4096 -keyout /certs/psc-ha-vip.key -config /certs/csr.cfg
You will need to customize the path. I created the CSR and key under the /certs directory.
However, you will need to check with support or documentation to verify if it is feasible to use 4096-bit key length.
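Added example, not part of the original post and not VMware tooling: a shell version of the steps above that also checks the resulting CSR (self-signature, 4096-bit key, SAN entry) before it is sent to the CA. The function names, the output file names machine.csr and machine.key, the FQDN and the subject values are constructed placeholders.

```shell
#!/bin/sh
# Added example. Subject values and file names are constructed placeholders.

make_csr() (  # usage: make_csr <fqdn> <outdir>; runs in a subshell
    fqdn=$1; dir=$2
    umask 077                      # keep the unencrypted private key owner-only
    mkdir -p "$dir" || exit 1
    cat > "$dir/csr.cfg" <<EOF
[ req ]
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:false
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = DNS:$fqdn
[ req_distinguished_name ]
countryName = CA
stateOrProvinceName = State
localityName = City
0.organizationName = Company
organizationalUnitName = Department
commonName = $fqdn
EOF
    openssl req -new -nodes -newkey rsa:4096 -config "$dir/csr.cfg" \
        -out "$dir/machine.csr" -keyout "$dir/machine.key" 2>/dev/null
)

csr_key_bits() {  # prints the public key size recorded in the CSR
    openssl req -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

check_csr() {  # usage: check_csr <csr> <fqdn>; returns non-zero on the first failed check
    # 1: the CSR's self-signature must verify against its own public key
    openssl req -in "$1" -noout -verify 2>&1 | grep -q "verify OK" || return 1
    # 2: the key in the request must really be 4096-bit
    [ "$(csr_key_bits "$1")" = "4096" ] || return 2
    # 3: the requested SAN must carry the FQDN
    openssl req -in "$1" -noout -text | grep -qF "DNS:$2" || return 3
}
```

Run make_csr first, then check_csr on the resulting machine.csr; a non-zero return code tells you which of the three checks failed.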
You should ask VMware Support first if they support 4096-bit length keys for the products you have in use.
Because... years ago we had 2048-bit in use, which broke the vCenter Update/Installer routines, and Support told us that maybe some of the DB fields were not large enough to hold that number of chars. They never tested more than 512-bit at that time.
Regards,
Joerg
Were you able to get the certs with 4096 key length?
Curious to know if vCenter supports 4096 key length.
Yes. vCenter 6.0 on Windows supports 4096-bit.
Thanks,