Hi all,
I'm struggling to get my VMCA to become a Subordinate CA. I'm trying to follow guides and blogs etc., but I immediately hit a stumbling block early on, as every guide and blog that I find says that after selecting Option 2: Replace VMCA Root certificate with Custom Signing Certificate and replace all Certificates in the certificate-manager tool, it will ask if I want to generate all certificates using a configuration file (I say Yes), then it asks for credentials (I enter valid credentials), and then it should ask me to configure the MACHINE_SSL_CERT.cfg (but mine doesn't) and then machine and then web client etc. (mine doesn't). It tells me to configure certool.cfg and then immediately jumps to generating a CSR as below.
root@tda1vcsa01 [ ~ ]# /usr/lib/vmware-vmca/bin/certificate-manager
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
| |
| *** Welcome to the vSphere 6.0 Certificate Manager *** |
| |
| -- Select Operation -- |
| |
| 1. Replace Machine SSL certificate with Custom Certificate |
| |
| 2. Replace VMCA Root certificate with Custom Signing |
| Certificate and replace all Certificates |
| |
| 3. Replace Machine SSL certificate with VMCA Certificate |
| |
| 4. Regenerate a new VMCA Root Certificate and |
| replace all certificates |
| |
| 5. Replace Solution user certificates with |
| Custom Certificate |
| |
| 6. Replace Solution user certificates with VMCA certificates |
| |
| 7. Revert last performed operation by re-publishing old |
| certificates |
| |
| 8. Reset all Certificates |
|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|
Note : Use Ctrl-D to exit.
Option[1 to 8]: 2
Do you wish to generate all certificates using configuration file : Option[Y/N] ? : Y
Please provide valid SSO and VC priviledged user credential to perform certificate operations.
Enter username [Administrator@vsphere.local]:REMOVED
Enter password:
Please configure certool.cfg with proper values before proceeding to next step.
Press Enter key to skip optional parameters or use Default value.
Enter proper value for 'Country' [Default value : US] : REMOVED
Enter proper value for 'Name' [Default value : CA] : REMOVED
Enter proper value for 'Organization' [Default value : VMware] : REMOVED
Enter proper value for 'OrgUnit' [Default value : VMware Engineering] : Root
Enter proper value for 'State' [Default value : California] : REMOVED
Enter proper value for 'Locality' [Default value : Palo Alto] : REMOVED
Enter proper value for 'IPAddress' (Provide comma separated values for multiple IP addresses) [optional] :
Enter proper value for 'Email' [Default value : email@acme.com] : REMOVED
Enter proper value for 'Hostname' (Provide comma separated values for multiple Hostname entries) [Enter valid Fully Qualified Domain Name(FQDN), For Example : example.domain.com] : REMOVED
Enter proper value for VMCA 'Name' :REMOVED
1. Generate Certificate Signing Request(s) and Key(s) for VMCA Root Signing certificate
2. Import custom certificate(s) and key(s) to replace existing VMCA Root Signing certificate
Option [1 or 2]: 1
Please provide a directory location to write the CSR(s) and PrivateKey(s) to:
Output directory path: /tmp
2018-04-24T10:01:40.161Z Running command: ['/usr/lib/vmware-vmca/bin/certool', '--genkey', '--privkey', '/tmp/vmca_issued_key.key', '--pubkey', '/tmp/pubkey.pub']
2018-04-24T10:01:40.480Z Done running command
2018-04-24T10:01:40.480Z Running command: ['/usr/lib/vmware-vmca/bin/certool', '--gencsrfromcert', '--privkey', '/tmp/vmca_issued_key.key', '--cert', '/var/lib/vmware/vmca/root.cer', '--csrfile', '/tmp/vmca_issued_csr.csr']
2018-04-24T10:01:40.526Z Done running command
CSR generated at: /tmp/vmca_issued_csr.csr
1. Continue to importing Custom certificate(s) and key(s) for VMCA Root Signing certificate
2. Exit certificate-manager
Option [1 or 2]: 2
I have tried following through with this anyway but it fails to load the new certificate:
You are going to replace Root Certificate with custom certificate and regenerate all other certificates
Continue operation : Option[Y/N] ? : Y
Status : 0% Completed [Replacing Root Cert...]
Error: 70011, VMCAAddRootCertificatePrivate() failedStatus : Failed
Error Code : 70011
Error Message : Not a CA Cert
Status : 0% Completed [Operation failed, performing automatic rollback]
Error while performing Cert Replacement operation, please see /var/log/vmware/vmcad/certificate-manager.log for more information.
2018-03-14T10:57:15.98Z INFO certificate-manager Replacing Root Cert using Custom CA...
2018-03-14T10:57:15.99Z INFO certificate-manager Running command :- ['/usr/lib/vmware-vmca/bin/certool', '--rootca', '--cert', '/tmp/vmca.cer', '--privkey', '/tmp/vmca_issued_key.key', '--server', 'localhost']
2018-03-14T10:57:15.260Z INFO certificate-manager Command output :-
Error: 70011, VMCAAddRootCertificatePrivate() failedStatus : Failed
Error Code : 70011
Error Message : Not a CA Cert
2018-03-14T10:57:15.260Z ERROR certificate-manager Error: 70011, VMCAAddRootCertificatePrivate() failedStatus : Failed
Error Code : 70011
Error Message : Not a CA Cert
I don't think I'm trying to do anything overly complicated but my certificate manager is just not guiding me through the same options as I find on every single guide and blog post. Any ideas anyone?
Type:vCenter Server with an embedded Platform Services Controller
Product:VMware vCenter Server Appliance
Version:6.5.0.14000
Cheers,
Mike
From the error, it's telling you what it has been given is not a certificate authority cert. This needs to be a cert for a proper CA that also delegates it as subordinate. So you probably want to go back to your PKI administrator and ask for the correct cert.
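As an added example (not from the thread or from VMware's tooling), two openssl checks to run on the key and certificate before handing them to certificate-manager, e.g. the /tmp/vmca_issued_key.key and /tmp/vmca.cer that appear in the log above: whether the certificate is actually marked as a CA (the condition behind "Not a CA Cert") and whether the private key matches it. The function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread). Pre-flight checks for the files handed
# to certificate-manager. Uses only openssl, which the VCSA already has.

# is_ca_cert CERT_PEM
# Returns 0 when the certificate is marked as a CA: basicConstraints CA:TRUE and,
# if a keyUsage extension is present, it includes "Certificate Sign" (keyCertSign).
# Returns 1 for an end-entity cert (the "Not a CA Cert" case), 2 if it cannot be parsed.
is_ca_cert() {
  txt=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 2
  # basicConstraints prints as a header line followed by "CA:TRUE" / "CA:FALSE"
  printf '%s\n' "$txt" | grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE' || return 1
  if printf '%s\n' "$txt" | grep -q 'X509v3 Key Usage'; then
    printf '%s\n' "$txt" | grep -A1 'X509v3 Key Usage' | grep -q 'Certificate Sign' || return 1
  fi
  return 0
}

# key_matches_cert KEY_PEM CERT_PEM
# Returns 0 when the public key inside the certificate equals the public half of
# the private key, i.e. the CSR that the PKI team signed really came from this key.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
  [ "$k" = "$c" ]
}

# check_signing_pair KEY_PEM CERT_PEM
# Prints one verdict per check; exits 0 only when both pass.
check_signing_pair() {
  rc=0
  if is_ca_cert "$2"; then echo "OK   $2 is a CA certificate"
  else echo "FAIL $2 is not a CA certificate (basicConstraints/keyUsage)"; rc=1; fi
  if key_matches_cert "$1" "$2"; then echo "OK   $1 matches $2"
  else echo "FAIL $1 does not match the public key in $2"; rc=1; fi
  return $rc
}

# usage on the appliance: check_signing_pair /tmp/vmca_issued_key.key /tmp/vmca.cer
```

If the first check fails, the file is a server or user certificate rather than a subordinate CA certificate, which is what the 70011 error above is reporting.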
Thanks for that. I can't post all the steps here but I am certain I have followed all of those steps correctly. But my initial problem seems to be that the "wizard" doesn't follow the steps it is seemingly supposed to. There is a KB article here VMware Knowledge Base for the "Not a Cert" error but I don't have the same issues when running the suggested commands to verify the issue so it doesn't seem to be that issue. I followed the steps anyway and still got the exact same error. I can only assume it is because I am never given the chance to set the .cfg files for the rest of the certificates.