VMware Cloud Community
zenking
Hot Shot

Create new csr for vCenter ssl cert

I'm stuck in some kind of certificate netherworld.  I've run certificate manager to create a new key and csr per these instructions, choosing options 1 and 1.

https://samsig.dk/getting-a-valid-certificate-on-your-vmware-vsphere-vcenter-6-7/

When I used our certificate portal and pasted my csr into the certificate csr field, I got a message that the alternative email is invalid. The portal itself has a required email field, so I decided to go back through the cert setup and leave the email blank. The setup wants to use the existing certool.cfg or quit. I ran through it and tried to overwrite the email entry with a blank, but that didn't work. I tried to use the certool command to overwrite the email entry with a blank, but I get an error when I try to do that. I renamed the certool.cfg file in the config folder to .old, but the certificate manager still sees all of the previous info that I entered, including the email entry I want to ditch.

Is there another certool.cfg file that I need to look for somewhere? Should I delete the one that I renamed? Any other options?

Thanks.

VMWare Environment: vSphere 7.0, EQ PS6210 SANs, Dell R730 Hosts, dedicated Dell switches w/ separate vlans for vmotion and iscsi.
Alex_Romeo
Leadership

Hi,

You need to generate a new certificate with this procedure:

Generate Certificate Signing Request for Machine SSL Certificate Using the vSphere Client (Custom Ce...

p. 96 in the attached

Generate CSR with vSphere Certificate Manager and Prepare Root Certificate (Intermediate CA)

p. 107 in the attached

ARomeo

Blog: https://www.aleadmin.it/
zenking
Hot Shot

Thanks. The "Generate CSR" task is requiring an email address. Also, even though the IP field says optional, the Next button does not respond unless I put in an IP. I went ahead and did all that to create the CSR, but my cert portal gave me the same error messages.

I'll contact the certificate portal support and see what they say.

VMWare Environment: vSphere 7.0, EQ PS6210 SANs, Dell R730 Hosts, dedicated Dell switches w/ separate vlans for vmotion and iscsi.
Alex_Romeo
Leadership

Hi,

Yes, it seems like a good idea.

If you then write how you solved it, it can be useful to other people. Thank you.

ARomeo

Blog: https://www.aleadmin.it/
zenking
Hot Shot

It turns out that our certificate portal can only be used to create single domain certificates, and email addresses in the csr apparently imply a multi domain certificate. One of the people in our campus software office had to create the request for me, so I was able to get my certificate.

Thanks for the responses.

VMWare Environment: vSphere 7.0, EQ PS6210 SANs, Dell R730 Hosts, dedicated Dell switches w/ separate vlans for vmotion and iscsi.
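
Added example, not part of the thread or of VMware's tooling: a shell check that reports which e-mail fields a CSR carries (the `emailAddress` attribute in the subject and any `email:` entry in the subject alternative name) before it is pasted into a CA portal. It assumes the `openssl` CLI (1.1.1 or later for `-addext`); the function names, host name and address are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Needs the openssl CLI, 1.1.1 or later
# for -addext. Host name and address below are constructed sample values.

# Print one line per e-mail field found in the CSR file given as $1:
#   subject-email  emailAddress attribute in the subject DN
#   san-email      rfc822Name ("email:") entry in subjectAltName
# Returns 2 if openssl cannot parse the file as a CSR.
csr_email_fields() {
    local text
    text=$(openssl req -in "$1" -noout -text 2>/dev/null) || return 2
    if printf '%s\n' "$text" | grep -E '^ *Subject:' | grep -q 'emailAddress'; then
        echo "subject-email"
    fi
    if printf '%s\n' "$text" | grep -A1 'X509v3 Subject Alternative Name' \
            | grep -q 'email:'; then
        echo "san-email"
    fi
}

# Build a throwaway CSR at path $1; $2 is "with-email" or "no-email".
make_sample_csr() {
    local subj="/CN=vcenter.example.test" san="DNS:vcenter.example.test"
    if [ "$2" = "with-email" ]; then
        subj="$subj/emailAddress=admin@example.test"
        san="$san,email:admin@example.test"
    fi
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -subj "$subj" -addext "subjectAltName=$san" 2>/dev/null
}

# Compare a CSR that carries e-mail fields with one that does not.
demo() {
    local dir
    dir=$(mktemp -d) || return 1
    make_sample_csr "$dir/with.csr" with-email
    make_sample_csr "$dir/without.csr" no-email
    echo "with.csr:    $(csr_email_fields "$dir/with.csr" | tr '\n' ' ')"
    echo "without.csr: $(csr_email_fields "$dir/without.csr" | tr '\n' ' ')"
    rm -rf "$dir"
}
demo
```
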
Alex_Romeo
Leadership

Well!

ARomeo

Blog: https://www.aleadmin.it/