Looks like "Using the Certificate Manager Utility in vSphere 6.0 does not utilize the Certool.cfg for CSR generation (2129706)" describes the issue; however, it suggests the problem was fixed. Regardless, the alternate syntax worked.
I have the exact same problem trying to generate the CSR in the latest 6.5 U1e version. I have a case open with VMware, but in the meantime I will try this workaround in the morning. Thanks!
Update: It appears to be an issue with the script creating the pubkey file. I don't see the pubkey file when it runs through these commands at the end of exporting the CSR file. I do see the vmca_issued_key.key and vmca_issued_csr.csr, but the CSR has default values, like in your issue.
End of the certificate-manager log file:
2018-01-27T15:53:18.812Z INFO certificate-manager Running command: ['/usr/lib/vmware-vmca/bin/certool', '--genkey', '--privkey', '/tmp/vmca_issued_key.key', '--pubkey', '/tmp/pubkey.pub']
2018-01-27T15:53:18.952Z INFO certificate-manager Running command: ['/usr/lib/vmware-vmca/bin/certool', '--gencsr', '--privkey', '/tmp/vmca_issued_key.key', '--pubkey', '/tmp/pubkey.pub', '--config', '/var/tmp/vmware/certool.cfg', '--csrfile', '/tmp/vmca_issued_csr.csr']
2018-01-27T15:53:19.17Z INFO certificate-manager CSR generated at: /tmp/vmca_issued_csr.csr
If I run these commands manually the CSR contains the correct info:
/usr/lib/vmware-vmca/bin/certool --genkey --privkey=/tmp/vmca_issued_key.key --pubkey=/tmp/pubkey.pub
/usr/lib/vmware-vmca/bin/certool --gencsr --privkey=/tmp/vmca_issued_key.key --pubkey=/tmp/pubkey.pub --config=/var/tmp/vmware/certool.cfg --csrfile=/tmp/vmca_issued_csr.csr
Just make sure you update the certool.cfg file first.
I guess I will take the manual route for now.
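Added example, not part of the thread and not VMware code: a shell check that the subject of a generated CSR carries the values from certool.cfg before the CSR is submitted to a CA. It assumes certool.cfg uses "Key = Value" lines and that the keys map to subject attributes as listed in the loop; both the mapping and the function names are assumptions.

```shell
#!/bin/sh
# Added example. Usage (paths as in the thread):
#   sh check_csr.sh /var/tmp/vmware/certool.cfg /tmp/vmca_issued_csr.csr

# cfg_value FILE KEY: print the value of the first "KEY = value" line.
cfg_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | head -n 1
}

# subject_attrs SUBJECT: print one ATTR=value per line. Accepts both
# renderings of `openssl req -noout -subject`:
#   subject=/C=US/ST=...   and   subject=C = US, ST = ...
# Limitation: values that themselves contain "/" or ", " are split.
subject_attrs() {
    printf '%s\n' "$1" |
        sed -e 's/^subject=[[:space:]]*//' -e 's/ = /=/g' \
            -e 's#^/##' -e 's#, #/#g' |
        tr '/' '\n'
}

# check_csr_subject CFG SUBJECT: return 0 if every field set in the
# config appears unchanged in the subject, 1 otherwise.
check_csr_subject() {
    cfg=$1; rc=0
    attrs=$(subject_attrs "$2")
    # Assumed certool.cfg key -> X.509 subject attribute mapping.
    for pair in Country:C State:ST Locality:L Organization:O OrgUnit:OU Name:CN; do
        key=${pair%%:*}; attr=${pair##*:}
        want=$(cfg_value "$cfg" "$key")
        [ -n "$want" ] || continue      # field not set in the config
        if ! printf '%s\n' "$attrs" | grep -Fxq -- "$attr=$want"; then
            echo "MISMATCH $attr: config has '$want'" >&2
            rc=1
        fi
    done
    return $rc
}

# Run against real files only when both paths are given.
if [ "$#" -eq 2 ]; then
    check_csr_subject "$1" "$(openssl req -in "$2" -noout -subject)"
fi
```

A non-zero exit means the CSR was built with values other than those in the config, which is the symptom described in this thread.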