VMware Cloud Community
soomon
Contributor

trying to replace VMCA certificate with a new certificate - request generation is bugged

hi,

I am trying to replace the root certificate of the VMCA with a subca certificate of our Microsoft Windows CA.

Using the certificate manager on our vcenter server appliance (PSC is embedded):

  • /usr/lib/vmware-vmca/bin/certificate-manager
  • choose option 2 (Replace VMCA Root Certificate...)
  • Using configuration file: Yes

Then it starts asking me for detail information like country, company name and so on. I enter all the information and let it generate the request.

The problem is that it doesn't care what I enter. It always creates a request with the default values:

CN = CA
OU = VMware
O = %hostname%
S = California
DC = local
DC = vsphere
C = US

The only thing it actually changes is the hostname, and the resulting certificate obviously also contains the wrong data.

I tried modifying the configuration file and restarting the process. It showed me the correct presets from the config file (country, company name etc were all displayed correctly) but the resulting request still looked like the one above.

What's my mistake?

We are running vSphere 6.5 Update 1.

Thanks,

Steffen

6 Replies
EvgeniyL
Contributor

Hi,

When I change the certificate for VMCA I create a folder Cert in /tmp.

Launch the certificate-manager utility from /usr/lib/vmware-vmca/bin/certificate-manager and choose option 1.

Note : Use Ctrl-D to exit.

Option[1 to 8]: 1

Please provide valid SSO and VC priviledged user credential to perform certificate operations.

Enter username [Administrator@vsphere.local]:

Enter password:

             1. Generate Certificate Signing Request(s) and Key(s) for Machine SSL certificate

             2. Import custom certificate(s) and key(s) to replace existing Machine SSL certificate

Option [1 or 2]: 1

Please provide a directory location to write the CSR(s) and PrivateKey(s) to:

Output directory path: /tmp/cert/

soomon
Contributor

I am sorry but this only solves a part of my problem.

If that works, how do I then replace all the certificates in the VMCA and all ESXi hosts automatically?

Halo1
Contributor

Did you find a fix? I'm having the same problem.

soomon
Contributor

No, I did not find a fix. It seems this problem only occurs with Update 1 for vSphere 6.5 😕

andrewr01
Contributor

I also have this problem. I checked the contents of certool.cfg, and the details are correct. But when I generate a CSR, I get the default values, as above; the only value that is changed is the FQDN of the PSC, which shows up under "Organization"!

andrewr01
Contributor

It appears this has been a bug for a while, was possibly fixed for a while, then returned in 6.5 U1. See this KB: https://kb.vmware.com/s/article/2129706

Another user had a fix:

Certificate configuration in vcsa 6.5.0 7119157

initcsr is deprecated, so it is probably best to use the example posted by Strickler2210

Cheers,

Andrew

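A check worth running before a CSR like the one in this thread is handed to the Windows CA, added here as an example and not code from VMware or from any poster: compare the subject that `openssl req -in <csr> -noout -subject` prints with the values in certool.cfg, report every field the CSR ignored, and flag the stock VMCA subject (CN=CA, OU=VMware, ST=California, C=US) described above. It assumes certool.cfg uses the key names Country, Name, Organization, OrgUnit, State and Locality; the sample config and sample openssl output are constructed.

```python
# certool.cfg key -> subject attribute as printed by `openssl req -subject`
CFG_TO_SUBJECT = {"Country": "C", "State": "ST", "Locality": "L",
                  "Organization": "O", "OrgUnit": "OU", "Name": "CN"}
# Stock subject values that the thread reports ending up in every CSR
VMCA_DEFAULTS = {"CN": "CA", "OU": "VMware", "ST": "California", "C": "US"}
# Constructed certool.cfg with the values the operator intended to use
SAMPLE_CFG = """\
Country = DE
Name = vcenter-ca
Organization = Example GmbH
OrgUnit = IT
State = Bavaria
"""
# Constructed: what `openssl req -in vmca.csr -noout -subject` printed
SAMPLE_SUBJECT = ("subject=CN = CA, OU = VMware, O = vcenter.example.local, "
                  "ST = California, DC = local, DC = vsphere, C = US")

def parse_certool_cfg(text):
    """Return {key: value} from 'Key = Value' lines, skipping comments."""
    cfg = {}
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg

def parse_subject(line):
    """Parse 'subject=K = V, ...' (OpenSSL 1.1+) or '/K=V/...' (1.0) into
    {attr: [values]}, keeping repeats such as DC; escaped commas unhandled."""
    body = line.strip()
    if body.startswith("subject="):
        body = body[len("subject="):].strip()
    parts = body[1:].split("/") if body.startswith("/") else body.split(",")
    fields = {}
    for part in parts:
        attr, _, value = part.partition("=")
        fields.setdefault(attr.strip(), []).append(value.strip())
    return fields

def compare(cfg, subject):
    """Return {attr: (expected, actual)} for each cfg field the CSR ignored."""
    mismatches = {}
    for cfg_key, attr in CFG_TO_SUBJECT.items():
        actual = subject.get(attr, [None])[0]
        if cfg_key in cfg and cfg[cfg_key] != actual:
            mismatches[attr] = (cfg[cfg_key], actual)
    return mismatches

def looks_like_vmca_defaults(subject):
    """True when the CSR still carries the stock values from the thread."""
    return all(subject.get(a, [None])[0] == v for a, v in VMCA_DEFAULTS.items())
```

Feed the real certool.cfg contents and the real openssl output to `compare`; an empty result means the CSR carries what you configured, and a non-empty one caught the bug before the CA signed it.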