glamic26
Enthusiast

Option 2: Replace VMCA Root certificate with Custom Signing Certificate and replace all Certificates

Hi all,

I'm struggling to get my VMCA to become a Subordinate CA.  I'm trying to follow guides and blogs etc but I immediately hit a stumbling block early on as every guide and blog that I find says that after selecting Option 2: Replace VMCA Root certificate with Custom Signing Certificate and replace all Certificates in the certificate-manager tool it will ask if I want to generate all certificates using configuration file (I say Yes), then it asks for credentials (I enter valid credentials) and then it should ask me to configure the MACHINE_SSL_CERT.cfg (but mine doesn't) and then machine and then web client etc (mine doesn't).  It tells me to configure certool.cfg and then immediately jumps to generating a CSR as below.

root@tda1vcsa01 [ ~ ]# /usr/lib/vmware-vmca/bin/certificate-manager
 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
|                                                                     |
|      *** Welcome to the vSphere 6.0 Certificate Manager  ***        |
|                                                                     |
|                   -- Select Operation --                            |
|                                                                     |
|      1. Replace Machine SSL certificate with Custom Certificate     |
|                                                                     |
|      2. Replace VMCA Root certificate with Custom Signing           |
|         Certificate and replace all Certificates                    |
|                                                                     |
|      3. Replace Machine SSL certificate with VMCA Certificate       |
|                                                                     |
|      4. Regenerate a new VMCA Root Certificate and                  |
|         replace all certificates                                    |
|                                                                     |
|      5. Replace Solution user certificates with                     |
|         Custom Certificate                                          |
|                                                                     |
|      6. Replace Solution user certificates with VMCA certificates   |
|                                                                     |
|      7. Revert last performed operation by re-publishing old        |
|         certificates                                                |
|                                                                     |
|      8. Reset all Certificates                                      |
|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|
Note : Use Ctrl-D to exit.
Option[1 to 8]: 2
Do you wish to generate all certificates using configuration file : Option[Y/N] ? : Y
Please provide valid SSO and VC priviledged user credential to perform certificate operations.
Enter username [Administrator@vsphere.local]:REMOVED
Enter password:
Please configure certool.cfg with proper values before proceeding to next step.
Press Enter key to skip optional parameters or use Default value.
Enter proper value for 'Country' [Default value : US] : REMOVED
Enter proper value for 'Name' [Default value : CA] : REMOVED
Enter proper value for 'Organization' [Default value : VMware] : REMOVED
Enter proper value for 'OrgUnit' [Default value : VMware Engineering] : Root
Enter proper value for 'State' [Default value : California] : REMOVED
Enter proper value for 'Locality' [Default value : Palo Alto] : REMOVED
Enter proper value for 'IPAddress' (Provide comma separated values for multiple IP addresses) [optional] :
Enter proper value for 'Email' [Default value : email@acme.com] : REMOVED
Enter proper value for 'Hostname' (Provide comma separated values for multiple Hostname entries) [Enter valid Fully Qualified Domain Name(FQDN), For Example : example.domain.com] : REMOVED
Enter proper value for VMCA 'Name' :REMOVED
1. Generate Certificate Signing Request(s) and Key(s) for VMCA Root Signing certificate
2. Import custom certificate(s) and key(s) to replace existing VMCA Root Signing certificate
Option [1 or 2]: 1
Please provide a directory location to write the CSR(s) and PrivateKey(s) to:
Output directory path: /tmp
2018-04-24T10:01:40.161Z   Running command: ['/usr/lib/vmware-vmca/bin/certool', '--genkey', '--privkey', '/tmp/vmca_issued_key.key', '--pubkey', '/tmp/pubkey.pub']
2018-04-24T10:01:40.480Z   Done running command
2018-04-24T10:01:40.480Z   Running command: ['/usr/lib/vmware-vmca/bin/certool', '--gencsrfromcert', '--privkey', '/tmp/vmca_issued_key.key', '--cert', '/var/lib/vmware/vmca/root.cer', '--csrfile', '/tmp/vmca_issued_csr.csr']
2018-04-24T10:01:40.526Z   Done running command
CSR generated at: /tmp/vmca_issued_csr.csr
1. Continue to importing Custom certificate(s) and key(s) for VMCA Root Signing certificate
2. Exit certificate-manager
Option [1 or 2]: 2

I have tried following through with this anyway but it fails to load the new certificate:

You are going to replace Root Certificate with custom certificate and regenerate all other certificates
Continue operation : Option[Y/N] ? : Y
Status : 0% Completed [Replacing Root Cert...]
Error: 70011, VMCAAddRootCertificatePrivate() failedStatus : Failed
Error Code : 70011
Error Message : Not a CA Cert
Status : 0% Completed [Operation failed, performing automatic rollback]
Error while performing Cert Replacement operation, please see /var/log/vmware/vmcad/certificate-manager.log for more information.

2018-03-14T10:57:15.98Z INFO certificate-manager Replacing Root Cert using Custom CA...
2018-03-14T10:57:15.99Z INFO certificate-manager Running command :- ['/usr/lib/vmware-vmca/bin/certool', '--rootca', '--cert', '/tmp/vmca.cer', '--privkey', '/tmp/vmca_issued_key.key', '--server', 'localhost']
2018-03-14T10:57:15.260Z INFO certificate-manager Command output :-
Error: 70011, VMCAAddRootCertificatePrivate() failedStatus : Failed
Error Code : 70011
Error Message : Not a CA Cert
2018-03-14T10:57:15.260Z ERROR certificate-manager Error: 70011, VMCAAddRootCertificatePrivate() failedStatus : Failed
Error Code : 70011
Error Message : Not a CA Cert

I don't think I'm trying to do anything overly complicated but my certificate manager is just not guiding me through the same options as I find on every single guide and blog post.  Any ideas anyone?

Type: vCenter Server with an embedded Platform Services Controller
Product: VMware vCenter Server Appliance
Version: 6.5.0.14000

Cheers,

Mike

daphnissov
Immortal

From the error, it's telling you what it has been given is not a certificate authority cert. This needs to be a cert for a proper CA that also delegates it as subordinate. So you probably want to go back to your PKI administrator and ask for the correct cert.

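A pre-flight check for the file pair the poster's log hands to certool --rootca (/tmp/vmca.cer and /tmp/vmca_issued_key.key), written here as an added example rather than anything from the thread or from VMware's tooling: it confirms the two X.509 properties whose absence is reported as "Not a CA Cert" (basicConstraints CA:TRUE and a keyUsage that permits certificate signing) and that the certificate actually belongs to the key the CSR was generated from. It assumes the openssl CLI is available and inspects only the first certificate in the file, which is where the subordinate CA certificate should sit.

```shell
#!/bin/sh
# Added example, not VMware code. Checks a certificate/key pair before it is
# imported as the VMCA signing certificate. Paths are the ones from the log;
# pass your own as arguments. Only the first PEM certificate in CERT is read.
# Usage: check_vmca_signing_cert /tmp/vmca.cer /tmp/vmca_issued_key.key
check_vmca_signing_cert() {
    cert="$1"
    key="$2"
    ok=0
    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) || {
        echo "FAIL: $cert is not a readable PEM X.509 certificate"; return 1; }

    # VMCA rejects a signing cert whose basicConstraints is absent or CA:FALSE;
    # that is the condition behind error 70011 "Not a CA Cert".
    if printf '%s\n' "$text" | grep -q 'CA:TRUE'; then
        echo "ok:   basicConstraints CA:TRUE"
    else
        echo "FAIL: basicConstraints missing or CA:FALSE (would give 'Not a CA Cert')"; ok=1
    fi

    # A CA that will issue the machine SSL and solution user certs must be
    # permitted to sign certificates (keyUsage keyCertSign).
    if printf '%s\n' "$text" | grep -q 'Certificate Sign'; then
        echo "ok:   keyUsage includes Certificate Sign"
    else
        echo "FAIL: keyUsage does not include Certificate Sign"; ok=1
    fi

    # The signed cert must carry the public half of the key the CSR came from;
    # comparing the SubjectPublicKeyInfo of both sides catches a wrong key file.
    if [ -n "$key" ]; then
        cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null | openssl md5)
        key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl md5)
        if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
            echo "ok:   certificate public key matches $key"
        else
            echo "FAIL: certificate public key does not match $key"; ok=1
        fi
    fi
    return $ok
}
```

Run it before choosing "Continue to importing Custom certificate(s) and key(s)"; any FAIL line means certool --rootca will fail or, worse, succeed with a key you did not intend.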
glamic26
Enthusiast

Thanks for that.  I can't post all the steps here but I am certain I have followed all of those steps correctly.  But my initial problem seems to be that the "wizard" doesn't follow the steps it is seemingly supposed to.  There is a KB article here (VMware Knowledge Base) for the "Not a Cert" error but I don't have the same issues when running the suggested commands to verify the issue so it doesn't seem to be that issue.  I followed the steps anyway and still got the exact same error.  I can only assume it is because I am never given the chance to set the .cfg files for the rest of the certificates.
