VMware Cloud Community
scjohnson
Contributor

Is it possible to add multiple OUs to a CSR generated through Certificate Manager?

A pretty silly/basic question, but I am working on generating CSRs for custom certificates for two separate VCSAs on two different domains.  I am required to use three separate OUs before providing the CSR to the CA.  Is there a way that I can do that in the vSphere Certificate Manager?  I only see 1 total field.

A little offtopic, but is it possible to also create the ESXi (not vCenter) CSRs on a single computer by just updating the CN/hostname to the specific device during CSR creation?  For example if I were required to generate 8 ESXi CSRs, can I do all 8 on my desktop?  None of the information seems like it'd be specific to the device, so it seems like that'd be ok, but it's a lot of work to submit these CSRs so I want to ensure I'm doing it correctly.  I am using this (https://kb.vmware.com/s/article/2113926) as a guide.

2 Replies
virtualinca
Enthusiast

Hi,

You can do the following:

a. VCSA with 3 separate OUs:

1. Create an OpenSSL config file: vi openssl.cfg

2. In openssl.cfg, enter the following:

[ req ]
default_bits = 2048
default_keyfile = vcsa.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
# replace 127.0.0.1 with the appliance IP and vcsa.vsphere.local with its FQDN
subjectAltName = IP:127.0.0.1, DNS:vcsa.vsphere.local

[ req_distinguished_name ]
countryName = DE
stateOrProvinceName = BY
localityName = MUNICH
0.organizationName = MyCompany
# this line adds an extra OU ("Organizations") in front of the three numbered ones
OU = Organizations
# numbered prefixes are how req accepts repeated OU entries when prompt = no
0.organizationalUnitName = MyOU1
1.organizationalUnitName = MyOU2
2.organizationalUnitName = MyOU3
commonName = vcsa

3. Create the CSR and key with the following command:

openssl req -new -nodes -out vcsa.csr -keyout vcsa.key -config openssl.cfg

4. Show the contents of the created CSR:

user1@linux01:~ $ openssl req -noout -text -in vcsa.csr
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=DE, ST=BY, L=MUNICH, O=MyCompany, OU=Organizations, OU=MyOU1, OU=MyOU2, OU=MyOU3, CN=vcsa
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:dd:43:0b:d4:59:ed:9f:95:d5:39:fc:d0:74:27:
                    e8:5e:85:c6:67:77:81:47:5a:69:9c:95:15:50:84:
                    99:49:64:d1:f9:b0:89:08:09:55:f9:0b:2f:18:ef:
                    70:0f:1b:31:38:47:c0:89:76:c4:f2:1e:72:4f:30:
                    a8:84:e3:c4:a7:8a:46:c6:7f:dc:c6:24:1a:e9:c8:
                    38:69:96:fa:26:22:00:f1:35:5e:72:a5:fd:6b:eb:
                    3f:c5:d3:59:57:3f:69:0e:97:2e:0c:51:14:8a:25:
                    b7:a6:ca:81:60:ae:4e:c9:e4:98:f4:8c:05:68:59:
                    d6:be:7a:00:d3:a9:d2:bc:33:c0:ec:64:39:d1:a9:
                    72:54:b9:cd:f5:cf:c8:39:90:a1:c4:18:ca:4d:d6:
                    c4:04:3b:8b:e5:84:43:d9:99:a7:87:c4:93:8c:c5:
                    3b:c6:18:c6:da:39:2a:a2:22:42:f7:45:d5:c5:e7:
                    f3:3f:cf:9f:15:34:3d:6b:84:ac:c4:27:c1:c5:69:
                    97:0e:22:9a:5e:be:6a:f9:c3:b4:f3:7f:3d:73:05:
                    e9:fb:4f:c8:3c:a1:1c:22:f4:39:fa:4f:1d:15:ed:
                    a6:95:f3:80:fe:f2:fc:c9:2e:9d:b8:31:07:db:8a:
                    1a:d2:c5:e0:5b:51:4a:b4:67:55:55:11:25:eb:ff:
                    15:a9
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name:
                IP Address:127.0.0.1, DNS:vcsa.vsphere.local
    Signature Algorithm: sha256WithRSAEncryption
         02:f3:b1:f0:84:37:f0:48:46:22:91:6e:d7:e3:7d:1b:0e:68:
         c1:aa:2b:a4:41:55:34:dc:a3:77:3a:2c:e0:78:9a:bf:2f:be:
         29:5a:2a:57:90:96:6a:be:13:49:b7:44:ca:58:86:7a:0a:5d:
         2e:a8:70:40:57:6c:51:4a:f1:86:29:f5:88:14:b3:03:b0:db:
         61:f4:00:10:3b:31:a7:48:2f:3b:d5:51:fb:71:cb:c0:f5:02:
         25:2e:01:66:d4:a1:be:47:ec:53:6f:d0:d5:66:6c:9c:35:ac:
         f6:c5:f9:f7:b9:04:98:b3:58:71:ff:ee:c8:ce:e4:8d:a9:bc:
         b5:9a:88:a0:b2:44:83:14:1e:59:ad:3c:0c:37:c1:e3:d5:d7:
         da:8f:b1:64:b3:76:a9:f3:72:bc:13:29:de:0b:cb:4e:18:3b:
         d3:c5:ce:4f:ed:ae:33:8f:38:18:9f:09:46:e2:c2:11:33:f1:
         79:b7:1b:00:b7:31:f2:41:98:c6:53:a2:46:dc:4c:7f:5d:69:
         6f:8c:be:e9:57:c2:95:e4:a3:2f:39:a4:ae:2f:f6:c4:79:e6:
         c7:4f:8b:ab:cc:38:c9:61:92:37:b8:d0:db:01:28:27:b9:3b:
         0c:fe:0b:bd:20:38:7f:3a:cb:d2:7e:54:a9:a9:c9:aa:f6:ba:
         a0:1e:f3:54

So you'll see that the 3 OUs are within your CSR.

b. Generate 8 ESXi CSRs:

You can create as many CSRs as you like on your workstation or on some other server with OpenSSL installed. You'll have to change the IPs and DNS names in subjectAltName as well as the commonName within your openssl.cfg, so at the end you'll have 8 different CSRs to provide to your CA.

Hope this helps. If yes, give kudos 😉
Senior Engineer HCI@DellEMC | vExpert ️| VCP-DCV | vSAN Specialist | VxRail and VMware Data Center Virtualisation Implementor | VxRail and VMware Data Center Virtualisation Administrator | Owner of virtualinca.com |
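The procedure above, turned into a script, as an added example that is not code from the original post or from VMware: it writes a per-host openssl.cfg with the three numbered OUs and a per-host CN and SAN (IP, FQDN, short name), generates key and CSR for each host in a constructed list, and then verifies each CSR the way a CA operator would before accepting it. The key_matches_csr check compares the public key recovered from the private key with the one embedded in the CSR, which is the comparison to run whenever a CSR and a key obtained separately are suspected of not belonging together. Host names, addresses, DN values and the output directory are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not code from the original post or from VMware.
# Generates one key + CSR per ESXi host from a template like the one above
# (three OUs, per-host CN and SAN), then checks each CSR against its key.
# Host names, IPs and DN values are constructed placeholders; change them.
set -eu

OUTDIR="${OUTDIR:-$(mktemp -d)}"   # where keys/CSRs land (assumption)

# Print an openssl.cfg for one host.  Args: fqdn shortname ip
write_cfg() {
  cat <<EOF
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = IP:$3, DNS:$1, DNS:$2

[ req_distinguished_name ]
countryName = DE
stateOrProvinceName = BY
localityName = MUNICH
0.organizationName = MyCompany
0.organizationalUnitName = MyOU1
1.organizationalUnitName = MyOU2
2.organizationalUnitName = MyOU3
commonName = $1
EOF
}

# Generate rui.key and rui.csr for one host in $OUTDIR/<shortname>/.
# Args: fqdn shortname ip
gen_csr() {
  mkdir -p "$OUTDIR/$2"
  write_cfg "$1" "$2" "$3" > "$OUTDIR/$2/openssl.cfg"
  openssl req -new -nodes -out "$OUTDIR/$2/rui.csr" \
    -keyout "$OUTDIR/$2/rui.key" -config "$OUTDIR/$2/openssl.cfg" 2>/dev/null
}

# Succeeds only if the CSR embeds the public half of this private key:
# compare the SHA-256 of the PEM public key derived from each.  Args: key csr
key_matches_csr() {
  key_fp=$(openssl pkey -in "$1" -pubout | openssl sha256 | awk '{print $NF}')
  csr_fp=$(openssl req -in "$2" -pubkey -noout | openssl sha256 | awk '{print $NF}')
  [ "$key_fp" = "$csr_fp" ]
}

# Number of OU= components in the CSR subject.  Args: csr
ou_count() {
  openssl req -in "$1" -noout -subject | grep -o 'OU *=' | wc -l | tr -d ' '
}

# Succeeds if the CSR carries the given DNS SAN.  Args: csr name
csr_has_dns_san() {
  openssl req -in "$1" -noout -text | grep -q "DNS:$2"
}

# Constructed host list (assumption): "fqdn shortname ip".  Add all 8 hosts here.
demo() {
  for host in \
    'esx01.example.com esx01 192.0.2.11' \
    'esx02.example.com esx02 192.0.2.12' \
    'esx03.example.com esx03 192.0.2.13'
  do
    set -- $host
    gen_csr "$1" "$2" "$3"
    if key_matches_csr "$OUTDIR/$2/rui.key" "$OUTDIR/$2/rui.csr" \
      && [ "$(ou_count "$OUTDIR/$2/rui.csr")" = 3 ] \
      && csr_has_dns_san "$OUTDIR/$2/rui.csr" "$1"; then
      echo "OK   $2: key and CSR match, 3 OUs, SAN present -> $OUTDIR/$2/rui.csr"
    else
      echo "FAIL $2: inspect $OUTDIR/$2" >&2
      return 1
    fi
  done
}

demo
```

Each host gets its own key pair; the rui.key files never leave the workstation except to be installed on the matching host together with the certificate the CA returns, and a key must not be reused across hosts. Run with OUTDIR set to a directory you control, submit the rui.csr files, and re-run key_matches_csr against the returned certificate's key file before installing.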
scjohnson
Contributor

I ended up doing a bit more research on this.  I figured out how to create multiple OUs in the Certificate Manager on the web interface by entering my OUs as: Org1NameHere\OU=Org2NameHere\OU=OrgName3Here. Unfortunately, once I finally got it inputted, I was never provided the private key for the CSR, only the CSR text.  I read online how to SSH and download the private key from my vCenter, but the checksum did not match when comparing the CSR to the private key I downloaded.  I ended up creating a CSR on the CLI version of VCSA (/usr/lib/vmware-vmca/bin/certificate-manager), and the private key/csr from those DID have a matching checksum.  I am planning to use the CLI instead of the GUI for now. However, even using the CLI tool, I am seeing that the key attributes on the CSR are missing the required elements, so even that may not be correct.


Your recommendation on the VCSA CSR looks nearly identical to the VMware guidance for creating a CSR for an ESXi host. I ended up creating a similar .cfg file, but I simply deleted the "OU= Organizations" line from your config, as it was unnecessary and resulted in a weird format when I decoded the CSR in OpenSSL. If I went with this route, I'd also probably align my key usages with what they have listed in the requirements.
