VMware Cloud Community
vadm168
Enthusiast

Any way to generate 4096-bit certificate request on vCenter 6 / Windows Server 2012?

Hi,

vCenter 6

OS: Windows Server 2012

Per company security requirement, I need to replace the current machine SSL certificate with a 4096-bit SSL certificate. However, I don't see a way to create a CSR with 4096 bits. I believe the default is 1024-bit or 2048-bit. Neither Certificate Manager nor certool seems to have an option to specify the bits either.

Please advise. Thanks,

Accepted Solution
Vijay2027
Expert

You can try the following steps:

Create a file csr.cfg:

[ req ]
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:false
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = DNS:<FQDN>

[ req_distinguished_name ]
# countryName must be the two-letter country code, e.g. CA for Canada
countryName = <Country>
stateOrProvinceName = <State>
localityName = <City>
0.organizationName = <Company>
organizationalUnitName = <Department>
commonName = <FQDN>

Generate the CSR and key by running the command below:

openssl req -new -nodes -out /certs/psc-ha-vip.csr -newkey rsa:4096 -keyout /certs/psc-ha-vip.key -config /certs/csr.cfg

You will need to customize the paths; I created the CSR and key under the /certs directory.

However, you will need to check with support or the documentation to verify whether a 4096-bit key length is feasible.

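An added example, not code from the thread or from VMware: a POSIX shell script that writes the csr.cfg shown in the accepted solution from a few variables, generates the 4096-bit RSA key and CSR with openssl, and then verifies the CSR before it goes to the CA. The CA will issue whatever the CSR asks for, so the checks confirm the modulus really is 4096 bits, the SAN carries the FQDN, and the private key on disk is the one the CSR was built from. The FQDN (vc.example.com), the DN values, the output directory and an OpenSSL binary on PATH are all assumptions; on the Windows vCenter in question the same openssl commands apply, only with Windows paths.

```shell
# Added example (not from the original thread). Assumes: an "openssl" binary
# on PATH, and placeholder DN values you replace with your own.
set -e

# make_csr FQDN OUTDIR
# Writes OUTDIR/csr.cfg (same layout as the accepted solution), then generates
# OUTDIR/FQDN.key (4096-bit RSA, unencrypted) and OUTDIR/FQDN.csr.
make_csr() {
  fqdn="$1"
  dir="$2"
  mkdir -p "$dir"
  cat > "$dir/csr.cfg" <<EOF
[ req ]
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:false
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = DNS:${fqdn}

[ req_distinguished_name ]
# placeholder DN values (assumption); countryName must be the 2-letter code
countryName = US
stateOrProvinceName = State
localityName = City
0.organizationName = Company
organizationalUnitName = Department
commonName = ${fqdn}
EOF
  # Key size is set on the command line (rsa:4096), not in the config file.
  openssl req -new -nodes -newkey rsa:4096 \
    -keyout "$dir/$fqdn.key" -out "$dir/$fqdn.csr" \
    -config "$dir/csr.cfg" 2>/dev/null
}

# csr_key_bits CSR  -> prints the RSA modulus size in bits (e.g. 4096).
# Matches both "Public-Key: (4096 bit)" and "RSA Public-Key: (4096 bit)",
# which is how different OpenSSL releases print it.
csr_key_bits() {
  openssl req -in "$1" -noout -text |
    sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# csr_sans CSR  -> prints the Subject Alternative Name entries (e.g. DNS:host).
csr_sans() {
  openssl req -in "$1" -noout -text |
    grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# csr_matches_key CSR KEY  -> exit 0 only if the CSR was made from this key
# (compares a hash of the RSA modulus on both sides).
csr_matches_key() {
  csr_mod=$(openssl req -in "$1" -noout -modulus | openssl sha256)
  key_mod=$(openssl rsa -in "$2" -noout -modulus | openssl sha256)
  [ "$csr_mod" = "$key_mod" ]
}

# Usage (adjust FQDN and directory):
#   make_csr vc.example.com ./certs
#   csr_key_bits ./certs/vc.example.com.csr      # prints 4096
#   csr_sans ./certs/vc.example.com.csr          # prints DNS:vc.example.com
#   csr_matches_key ./certs/vc.example.com.csr ./certs/vc.example.com.key
```

Run the three checks before submitting the CSR; if csr_key_bits prints 2048, the key-size argument was lost somewhere (a config-file default or a wrapper script), and the CA will happily sign the smaller key.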
4 Replies
IRIX201110141
Champion

You should ask VMware Support first whether they support 4096-bit key lengths for the products you have in use.

Because... years ago we had 2048-bit keys in use, which broke the vCenter Update/Installer routines, and Support told us that some of the DB fields might not be large enough to hold that number of characters. They had never tested more than 512-bit at that time.

Regards,

Joerg

Vijay2027
Expert

Were you able to get the certs with a 4096-bit key length?

Curious to know whether vCenter supports a 4096-bit key length.

vadm168
Enthusiast

Yes. vCenter 6.0 on Windows supports 4096-bit keys.

Thanks,
