Hello everyone,
I'm trying to issue a sub-CA certificate for my embedded vCSA installation, vCSA version 6.5.0.14100.
/var/tmp/vmware/certool.cfg
Country = RU
Name = vlab-PSC-CA
Organization = vlab
OrgUnit = IT
State = Moscow
Locality = Moscow
IPAddress = <my IP>
Email = <Some email>
Hostname = <My vCSA FQDN>
/var/tmp/vmware/MACHINE_SSL_CERT.cfg
Country = RU
Name = <My vCSA FQDN>
Organization = vlab
OrgUnit = IT
State = Moscow
Locality = Moscow
IPAddress = <my IP>
Email = <Some email>
Hostname = <My vCSA FQDN, My vCSA Hostname>
I'm running
root@<hostname> [ /usr/lib/vmware-vmca/bin ]# ./certificate-manager
Option[1 to 8]: 2
Do you wish to generate all certificates using configuration file : Option[Y/N] ? : y
Please provide valid SSO and VC priviledged user credential to perform certificate operations.
Enter username [Administrator@vsphere.local]:
Enter password:
certool.cfg file exists, Do you wish to reconfigure : Option[Y/N] ? : n
1. Generate Certificate Signing Request(s) and Key(s) for VMCA Root Signing certificate
2. Import custom certificate(s) and key(s) to replace existing VMCA Root Signing certificate
Option [1 or 2]: 1
Please provide a directory location to write the CSR(s) and PrivateKey(s) to:
Output directory path: /custom
2018-03-02T09:50:11.492Z Running command: ['/usr/lib/vmware-vmca/bin/certool', '--genkey', '--privkey', '/custom/vmca_issued_key.key', '--pubkey', '/tmp/pubkey.pub']
2018-03-02T09:50:11.679Z Done running command
2018-03-02T09:50:11.679Z Running command: ['/usr/lib/vmware-vmca/bin/certool', '--gencsrfromcert', '--privkey', '/custom/vmca_issued_key.key', '--cert', '/var/lib/vmware/vmca/root.cer', '--csrfile', '/custom/vmca_issued_csr.csr']
2018-03-02T09:50:11.700Z Done running command
CSR generated at: /custom/vmca_issued_csr.csr
1. Continue to importing Custom certificate(s) and key(s) for VMCA Root Signing certificate
2. Exit certificate-manager
Option [1 or 2]:
As you can see, vCSA generates the CSR based on the existing root certificate ('certool', '--gencsrfromcert', '--privkey'), but I've clearly stated that I want to generate it based on the files (Do you wish to generate all certificates using configuration file : Option[Y/N] ? : y). The result is an incorrect CSR. Does anyone know how to force certificate-manager to respect the config file content?
Guys, thank you all for your responses. I've managed to manually create private-public key pairs and create csr with all necessary data. But I didn't find a way to make vCenter do it on my behalf.
Goal:
Issue CSR that would contain custom information
Task sequence:
1. Go to /usr/lib/vmware-vmca/bin and locate certool
2. Issue a private/public key pair using the following command (I've created the folder /custom beforehand)
./certool --genkey --privkey=/custom/private.key --pubkey=/custom/public.key
3. Use the certificate-manager tool to generate a CSR (this is required only for creating the necessary config files we will use in the next step)
4. Go to /var/tmp/vmware and locate certool.cfg. This file contains necessary information for creating CSR. Edit it if necessary.
5. Go to /usr/lib/vmware-vmca/bin and run the following command
./certool --gencsr --privkey /custom/private.key --pubkey /custom/public.key --csrfile /custom/vmca_issued_csr.csr --config /var/tmp/vmware/certool.cfg
This command will create a CSR based on the configuration file from the previous step.
From this point on you can follow the official guide and be happy, as our custom-created CSR will contain necessary info.
After replacing all the certificates you will probably notice that the VAMI cert does not get changed. This issue is known and has its own KB.
I hope someone will find this useful.
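A check worth running before a CSR is handed to the enterprise CA, added here as an example and not part of the original thread or of VMware's tooling: it parses certool.cfg, decodes the CSR with `openssl req -noout -text`, and reports every subject attribute or SAN entry the CSR does not carry, which catches exactly the symptom above (a CSR built from the existing root certificate instead of from the config). The mapping of certool.cfg keys to subject attributes (Name to CN, Hostname to DNS SANs, IPAddress to IP SANs) is an assumption, and the sample config and openssl output embedded in the script are constructed.

```python
"""Verify that a certool-generated CSR carries the subject and SAN values from certool.cfg.
Added example, not VMware code; the certool.cfg key -> X.509 attribute mapping is an assumption."""
import subprocess
import sys

# Assumed mapping from certool.cfg keys to subject attribute types as openssl prints them.
SUBJECT_MAP = {"Country": "C", "Name": "CN", "Organization": "O", "OrgUnit": "OU",
               "State": "ST", "Locality": "L", "Email": "emailAddress"}

def parse_certool_cfg(text):
    """Parse 'Key = Value' lines into a dict, ignoring blanks and '#' comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg

def _split_list(value):
    """The post shows comma-separated values ('Hostname = fqdn, shortname')."""
    return [v.strip() for v in value.split(",") if v.strip()]

def expected_fields(cfg):
    """Return (subject attributes, SAN entries) the CSR should contain for this config."""
    subject = {attr: cfg[key] for key, attr in SUBJECT_MAP.items() if key in cfg}
    sans = {"DNS:" + h for h in _split_list(cfg.get("Hostname", ""))}
    sans |= {"IP Address:" + ip for ip in _split_list(cfg.get("IPAddress", ""))}
    return subject, sans

def parse_openssl_text(text):
    """Pull the Subject line and SAN entries out of `openssl req -noout -text` output.
    Accepts both 'C=RU, CN=x' (OpenSSL 1.0) and 'C = RU, CN = x' (1.1.1+) spellings;
    attribute values that themselves contain a comma are not handled."""
    subject, sans = {}, set()
    lines = text.splitlines()
    for i, line in enumerate(lines):
        stripped = line.strip()
        if stripped.startswith("Subject:"):
            for part in stripped[len("Subject:"):].split(","):
                attr, _, value = part.partition("=")
                if attr.strip():
                    subject[attr.strip()] = value.strip()
        elif stripped.startswith("X509v3 Subject Alternative Name") and i + 1 < len(lines):
            sans.update(e.strip() for e in lines[i + 1].split(",") if e.strip())
    return subject, sans

def compare(cfg_text, openssl_text):
    """Return a list of mismatches; an empty list means the CSR matches the config."""
    want_subject, want_sans = expected_fields(parse_certool_cfg(cfg_text))
    got_subject, got_sans = parse_openssl_text(openssl_text)
    problems = [f"subject {a}: wanted {v!r}, got {got_subject.get(a)!r}"
                for a, v in want_subject.items() if got_subject.get(a) != v]
    problems += [f"missing SAN {s}" for s in sorted(want_sans - got_sans)]
    return problems

def check_csr_file(cfg_path, csr_path):
    """Decode a real CSR with openssl and compare it against the config file."""
    out = subprocess.run(["openssl", "req", "-noout", "-text", "-in", csr_path],
                         check=True, capture_output=True, text=True).stdout
    with open(cfg_path, encoding="utf-8") as f:
        return compare(f.read(), out)

# Constructed sample config modelled on the post's certool.cfg (values are made up).
SAMPLE_CFG = """Country = RU
Name = vlab-PSC-CA
Organization = vlab
OrgUnit = IT
State = Moscow
Locality = Moscow
IPAddress = 192.0.2.10
Email = admin@vlab.example
Hostname = vcsa.vlab.example, vcsa
"""
# Constructed openssl output for a CSR that honoured the config (good case).
SAMPLE_GOOD = """Certificate Request:
    Data:
        Subject: C = RU, CN = vlab-PSC-CA, O = vlab, OU = IT, ST = Moscow, L = Moscow, emailAddress = admin@vlab.example
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:vcsa.vlab.example, DNS:vcsa, IP Address:192.0.2.10
"""
# Constructed output for a CSR whose subject came from another certificate and has no SAN,
# which is the symptom the post describes.
SAMPLE_BAD = """Certificate Request:
    Data:
        Subject: C=US, CN=placeholder-root
"""

if __name__ == "__main__":
    issues = (check_csr_file(sys.argv[1], sys.argv[2]) if len(sys.argv) == 3
              else compare(SAMPLE_CFG, SAMPLE_BAD))
    print("CSR matches config" if not issues else "\n".join(issues))
    sys.exit(1 if issues else 0)
```

Saved as, say, check_csr.py (a hypothetical name), it is run on the appliance as `python3 check_csr.py /var/tmp/vmware/certool.cfg /custom/vmca_issued_csr.csr` and exits non-zero on any mismatch; with no arguments it runs against the built-in constructed samples. The subject check is exact per attribute, so a CSR that silently inherited the root certificate's CN shows up as a named mismatch rather than being noticed only after the sub-CA certificate has been issued.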
When I was issuing the certificate I also ran into something similar. The problem was that there were two sort-of root certificates in the Windows certificate manager, and I was picking the wrong one. As soon as I used the other one, everything worked. That was version 6.0.
Hi,
As far as I understand, you are talking about Windows-based vCenter. If you really are, your solution does not work for me, as I'm using vCSA.
Hi!
If I understand you correctly, you are trying to make your VMCA a sub CA.
If so, I wouldn't recommend making this configuration at all. Generally speaking, VMware doesn't recommend doing this either.
Read several good articles:
New Product Walkthrough - Hybrid vSphere SSL Certificate Replacement - VMware vSphere Blog and Replacing vCenter 6.0’s SSL Certificate
and the article https://haveyoutriedreinstalling.com/2017/07/17/vsphere-6-x-certificates-just-because-you-can-doesnt...
No. I'm not talking about Windows-based vCenter.
Screenshot of the article referenced by Finikiez (https://blogs.vmware.com/vsphere/2015/07/custom-certificate-on-the-outside-vmware-ca-vmca-on-the-ins...)
Here in this place I chose the wrong certificate. As a result, my certificate in the PSC was not replaced.
Contact VMware support as this is a known issue and a workaround is available, the fix will most likely be in 6.5 U2 and 6.0 Patch 7.
Hello All
This is a known issue with the latest versions of both 6.0 and 6.5, where certool will not take the custom values and will generate the CSR based on the default values; it will be fixed in the next major release of 6.0 and 6.5.
Regards
Yuvaraj