hi,
I am trying to replace the root certificate of the VMCA with a sub-CA certificate of our Microsoft Windows CA.
Using the certificate manager on our vCenter Server Appliance (PSC is embedded):
Then it starts asking me for detail information like country, company name and so on. I enter all the information and let it generate the request.
The problem is that it doesn't care what I enter. It always creates a request with the default values:
CN = CA
OU = VMware
O = %hostname%
S = California
DC = local
DC = vsphere
C = US
The only thing it actually changes is the hostname, and the resulting certificate obviously also contains the wrong data.
I tried modifying the configuration file and restarting the process. It showed me the correct presets from the config file (country, company name, etc. were all displayed correctly), but the resulting request still looked like the one above.
What's my mistake?
We are running vSphere 6.5 Update 1.
Thanks,
Steffen
Hi,
When I change the certificate for VMCA, I create a folder Cert in /tmp.
Launch the certificate-manager utility from /usr/lib/vmware-vmca/bin/certificate-manager and choose option 1.
Note : Use Ctrl-D to exit.
Option[1 to 8]: 1
Please provide valid SSO and VC priviledged user credential to perform certificate operations.
Enter username [Administrator@vsphere.local]:
Enter password:
1. Generate Certificate Signing Request(s) and Key(s) for Machine SSL certificate
2. Import custom certificate(s) and key(s) to replace existing Machine SSL certificate
Option [1 or 2]: 1
Please provide a directory location to write the CSR(s) and PrivateKey(s) to:
Output directory path: /tmp/cert/
I am sorry but this only solves a part of my problem.
If that works, how do I then replace all the certificates in the VMCA and all ESXi hosts automatically?
Did you find a fix? I'm having the same problem.
No, I did not find a fix. It seems this problem only occurs with Update 1 for vSphere 6.5 😕
I also have this problem. Checked the contents of certool.cfg, and the details are correct. But when I generate a CSR, I get default values, as above; the only value that is changed is the FQDN of the PSC, which shows up under "Organization"!
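Whatever tool writes the CSR, the subject it actually contains is what the enterprise CA will sign, so it is worth reading the request back before submitting it. The following is an added example, not code from this thread or from VMware's certificate-manager: it generates a CSR with OpenSSL from a request config that carries the intended DN, then extracts individual subject attributes and compares them with what was asked for. The paths and subject values are constructed placeholders; the same `subject_attr` and `check_csr_subject` functions can be pointed at the CSR that certificate-manager writes to its output directory to confirm whether certool.cfg was honoured.

```shell
#!/bin/sh
# Added example, not code from this thread or from VMware's certificate-manager.
# Generates a CSR whose subject comes from an explicit OpenSSL config, then reads
# the subject back so a wrong DN is caught before the request reaches the CA.
# All paths and subject values below are constructed placeholders.

write_req_config() {
  # $1 = path of the OpenSSL request config to write (constructed subject values)
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt             = no

[ dn ]
C  = DE
ST = Example-State
L  = Example-City
O  = Example Org
OU = IT
CN = vcsa.example.local
EOF
}

make_csr() {
  # $1 = config, $2 = private key output, $3 = CSR output
  openssl req -new -newkey rsa:2048 -nodes -config "$1" \
    -keyout "$2" -out "$3" 2>/dev/null
}

subject_attr() {
  # $1 = CSR file, $2 = attribute (C, ST, O, OU, CN, ...).
  # RFC 2253 output gives one "ATTR=value" per comma-separated element;
  # values that themselves contain commas are not handled by this simple split.
  openssl req -in "$1" -noout -subject -nameopt RFC2253 \
    | sed 's/^subject=//' | tr ',' '\n' | sed -n "s/^$2=//p"
}

check_csr_subject() {
  # $1 = CSR file, $2 = expected O, $3 = expected CN. Returns 0 only on a match.
  o=$(subject_attr "$1" O)
  cn=$(subject_attr "$1" CN)
  [ "$o" = "$2" ] || { echo "O is '$o', expected '$2'"; return 1; }
  [ "$cn" = "$3" ] || { echo "CN is '$cn', expected '$3'"; return 1; }
  echo "subject OK: O=$o CN=$cn"
  return 0
}

# Stand-alone run: ./check_csr.sh demo
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  write_req_config "$d/req.cfg"
  make_csr "$d/req.cfg" "$d/key.pem" "$d/req.csr"
  check_csr_subject "$d/req.csr" "Example Org" "vcsa.example.local"
fi
```

The check deliberately compares O and CN, since those are the two fields the thread shows being overwritten with defaults (the hostname landing in O, CN set to "CA"); adding ST, L and C to the comparison is a one-line change per attribute.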
It appears this has been a bug for a while, was possibly fixed for a while, then returned in 6.5 U1. See this KB: https://kb.vmware.com/s/article/2129706
Another user had a fix:
Certificate configuration in vcsa 6.5.0 7119157
initcsr is deprecated, so it is probably best to use the example posted by Strickler2210
Cheers,
Andrew