VMware Cloud Community
KennyMacCormik
Enthusiast

PSC certificate issue

Hello everyone,

I'm trying to issue a sub CA certificate for my embedded vCSA installation. vCSA version 6.5.0.14100.

/var/tmp/vmware/certool.cfg:

Country = RU
Name = vlab-PSC-CA
Organization = vlab
OrgUnit = IT
State = Moscow
Locality = Moscow
IPAddress = <my IP>
Email = <Some email>
Hostname = <My vCSA FQDN>

/var/tmp/vmware/MACHINE_SSL_CERT.cfg:

Country = RU
Name = <My vCSA FQDN>
Organization = vlab
OrgUnit = IT
State = Moscow
Locality = Moscow
IPAddress = <my IP>
Email = <Some email>
Hostname = <My vCSA FQDN, My vCSA Hostname>

I'm running:

root@<hostname> [ /usr/lib/vmware-vmca/bin ]# ./certificate-manager
Option[1 to 8]: 2
Do you wish to generate all certificates using configuration file : Option[Y/N] ? : y
Please provide valid SSO and VC priviledged user credential to perform certificate operations.
Enter username [Administrator@vsphere.local]:
Enter password:
certool.cfg file exists, Do you wish to reconfigure : Option[Y/N] ? : n
         1. Generate Certificate Signing Request(s) and Key(s) for VMCA Root Signing certificate
         2. Import custom certificate(s) and key(s) to replace existing VMCA Root Signing certificate
Option [1 or 2]: 1
Please provide a directory location to write the CSR(s) and PrivateKey(s) to:
Output directory path: /custom
2018-03-02T09:50:11.492Z   Running command: ['/usr/lib/vmware-vmca/bin/certool', '--genkey', '--privkey', '/custom/vmca_issued_key.key', '--pubkey', '/tmp/pubkey.pub']
2018-03-02T09:50:11.679Z   Done running command
2018-03-02T09:50:11.679Z   Running command: ['/usr/lib/vmware-vmca/bin/certool', '--gencsrfromcert', '--privkey', '/custom/vmca_issued_key.key', '--cert', '/var/lib/vmware/vmca/root.cer', '--csrfile', '/custom/vmca_issued_csr.csr']
2018-03-02T09:50:11.700Z   Done running command
CSR generated at: /custom/vmca_issued_csr.csr
         1. Continue to importing Custom certificate(s) and key(s) for VMCA Root Signing certificate
         2. Exit certificate-manager
Option [1 or 2]:

As you can see, vCSA generates the CSR based on the existing root certificate ('certool', '--gencsrfromcert', '--privkey'), but I clearly stated that I want it generated from the config files (Do you wish to generate all certificates using configuration file : Option[Y/N] ? : y). The result is an incorrect CSR. Does anyone know how to force certificate-manager to respect the config file content?

Accepted Solution
KennyMacCormik
Enthusiast

Guys, thank you all for your responses. I've managed to manually create a private/public key pair and a CSR with all the necessary data, but I didn't find a way to make vCenter do it on my behalf.

Goal:

Issue a CSR that contains custom information.

Task sequence:

1. Go to /usr/lib/vmware-vmca/bin and locate certool.

2. Issue a private/public key pair using the following command (I created the folder /custom beforehand):

     ./certool --genkey --privkey=/custom/private.key --pubkey=/custom/public.key

3. Use the certificate-manager tool to generate a CSR (this is required only to create the config files we will use in the next step).

4. Go to /var/tmp/vmware and locate certool.cfg. This file contains the information needed to create the CSR. Edit it if necessary.

5. Go to /usr/lib/vmware-vmca/bin and run the following command:

     ./certool --gencsr --privkey /custom/private.key --pubkey /custom/public.key --csrfile /custom/vmca_issued_csr.csr --config /var/tmp/vmware/certool.cfg

     This command creates the CSR based on the configuration file from the previous step.

From this point on you can follow the official guide and be happy, as our custom-created CSR will contain the necessary info.

After replacing all the certificates you will probably notice that the VAMI cert does not get changed. This issue is known and has its own KB.

I hope someone will find this useful.

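The check a practitioner would run after step 5, as an added example that is not part of the thread: it reads the Subject fields and Hostname entries from certool.cfg and confirms the CSR actually carries them, so a CSR silently derived from the root certificate is caught before it goes to the CA. It uses openssl (assumed installed) instead of certool, and the config and CSRs it builds are constructed demo data, not real lab values.

```shell
#!/bin/sh
# Added example, not from the thread: verify that a CSR really carries the Subject
# and Hostname values from a certool.cfg. This is the check that exposes the
# --gencsrfromcert behaviour described above. Needs only openssl, not certool.

cfg_get() {  # cfg_get <certool.cfg> <Key>  -> value of the "Key = value" line
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

csr_get() {  # csr_get <csr.pem> <attr>  -> one Subject attribute (CN, O, OU, L, ST, C)
    openssl req -in "$1" -noout -subject -nameopt sep_multiline |
        sed -n "s/^[[:space:]]*$2=//p" | head -n 1
}

# Compare the CSR with the config; print every mismatch and return 1 if any.
verify_csr() {  # verify_csr <certool.cfg> <csr.pem>
    rc=0
    for pair in Name:CN Organization:O OrgUnit:OU Locality:L State:ST Country:C; do
        want=$(cfg_get "$1" "${pair%%:*}"); got=$(csr_get "$2" "${pair##*:}")
        [ "$want" = "$got" ] || { echo "MISMATCH ${pair##*:}: cfg='$want' csr='$got'"; rc=1; }
    done
    # certool turns each comma-separated Hostname entry into a DNS SAN; check them all.
    sans=$(openssl req -in "$2" -noout -text | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\(.*\)/\1/p')
    for h in $(cfg_get "$1" Hostname | tr ',' ' '); do
        echo "$sans" | grep -qx "$h" || { echo "MISSING SAN DNS:$h"; rc=1; }
    done
    return $rc
}

# Constructed demo data (not real lab values): a certool.cfg like the thread's, good.csr
# built from it with openssl, and bad.csr with a foreign subject and no SANs, which is
# what a CSR derived from the VMCA root certificate looks like. Prints the directory.
demo() {
    d=$(mktemp -d)
    cat >"$d/certool.cfg" <<'EOF'
Country = RU
Name = vcsa.vlab.example
Organization = vlab
OrgUnit = IT
State = Moscow
Locality = Moscow
Hostname = vcsa.vlab.example, vcsa
EOF
    printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=x\n[ext]\nsubjectAltName=DNS:vcsa.vlab.example,DNS:vcsa\n' >"$d/req.cnf"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/key.pem" -out "$d/good.csr" -config "$d/req.cnf" \
        -reqexts ext -subj "/C=RU/ST=Moscow/L=Moscow/O=vlab/OU=IT/CN=vcsa.vlab.example" 2>/dev/null
    openssl req -new -key "$d/key.pem" -out "$d/bad.csr" -config "$d/req.cnf" -subj "/C=US/CN=CA" 2>/dev/null
    echo "$d"
}
```

On a real appliance, run verify_csr /var/tmp/vmware/certool.cfg /custom/vmca_issued_csr.csr after step 5; any MISMATCH or MISSING line means the CSR was not built from the config.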
7 Replies
IT_pilot
Expert

When I issued the certificate I also ran into something similar. The problem was that there were two sort-of root certificates in the Windows certificate manager, and I chose the wrong one. As soon as I used the other one, everything worked. That was version 6.0.

http://it-pilot.ru
KennyMacCormik
Enthusiast

Hi,

As far as I understand, you are talking about Windows-based vCenter. If you are, your solution does not work for me, as I'm using vCSA.

Finikiez
Champion

Hi!

If I understand you correctly, you are trying to make your VMCA a sub CA.

If so, I wouldn't recommend this configuration at all. Generally speaking, VMware doesn't recommend it either.

Read several good articles:

New Product Walkthrough - Hybrid vSphere SSL Certificate Replacement - VMware vSphere Blog and Replacing vCenter 6.0’s SSL Certificate

and the article https://haveyoutriedreinstalling.com/2017/07/17/vsphere-6-x-certificates-just-because-you-can-doesnt...

IT_pilot
Expert

No. I'm not talking about Windows-based vCenter.

Screenshot of the article referenced by Finikiez (https://blogs.vmware.com/vsphere/2015/07/custom-certificate-on-the-outside-vmware-ca-vmca-on-the-ins...):

[image: Cert.jpg]

At this point I chose the wrong certificate. As a result, my certificate in the PSC was not replaced.

http://it-pilot.ru
Scott_T
Contributor

Contact VMware support, as this is a known issue and a workaround is available; the fix will most likely be in 6.5 U2 and 6.0 Patch 7.

Yuva_1990
Hot Shot

Hello all,

This is a known issue with the latest versions of both 6.0 and 6.5, where certool will not take the custom values and will generate the CSR based on the default values. It will be fixed in the next major release of 6.0 and 6.5.

Regards

Yuvaraj