Using the Certificate Manager Utility in vSphere 6.0 does not utilize the Certool.cfg for CSR generation


Article ID: 341802


Products

VMware vCenter Server

Issue/Introduction

Symptoms:

When generating Certificate Signing Requests (CSRs) and private keys for the Machine SSL certificate or the Solution user certificates after modifying the /usr/lib/vmware-vmca/share/config/certool.cfg file (appliance) or the C:\Program Files\VMware\vCenter Server\vmcad\certool.cfg file (Windows), you experience these symptoms:
  • The certificates generated from the CSR are identical to the SSL certificates previously used on the vCenter Server or Platform Services Controller
  • The certificates generated do not adhere to the information provided in the certool.cfg configuration for the vCenter Server or Platform Services Controller
  • Per the /var/log/vmware/vmcad/certificate-manager.log file or C:\ProgramData\VMware\vCenterServer\logs\vmca\certificate-manager.log file, you see entries similar to:
YYYY-MM-DDTHH:MM:SSZ INFO certificate-manager Selected operation: Replace VMCA Root certificate with Custom CA Certificate and replace all certificates (signed by Custom CA root)
YYYY-MM-DDTHH:MM:SSZ INFO certificate-manager Please provide a directory location to write the CSR(s) and PrivateKey(s) to:
YYYY-MM-DDTHH:MM:SSZ INFO certificate-manager Generating key
YYYY-MM-DDTHH:MM:SSZ INFO certificate-manager Running command: ['C:\\Program Files\\VMware\\vCenter Server\\vmcad\\certool.exe', '--genkey', '--privkey', 'C:\\certs\\root_signing_cert.key', '--pubkey', 'c:\\users\\admini~1\\appdata\\local\\temp\\1\\pubkey.pub']
YYYY-MM-DDTHH:MM:SSZ INFO certificate-manager Running command: ['C:\\Program Files\\VMware\\vCenter Server\\vmcad\\certool.exe', '--gencsrfromcert', '--privkey', 'C:\\certs\\root_signing_cert.key', '--cert', 'C:\\ProgramData\\VMware\\vCenterServer\\data\\vmca\\root.cer', '--csrfile', 'C:\\certs\\root_signing_cert.csr']
YYYY-MM-DDTHH:MM:SSZ INFO certificate-manager CSR generated at: C:\certs\root_signing_cert.csr


Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.
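The tell-tale entry in the excerpt above is the certool call made with --gencsrfromcert. As an added example (not part of this KB article), the following Python script reads a certificate-manager.log, pulls out every certool command the utility logged, and reports each CSR that was derived from an existing certificate, so you can confirm you are hitting this behaviour before changing anything. The log text embedded here is constructed to mirror the excerpt; run find_gencsrfromcert over your own log instead.

```python
import ast
import re

# Constructed sample modelled on the excerpt above; not a real log.
SAMPLE_LOG = r"""
2016-03-01T10:00:00Z INFO certificate-manager Generating key
2016-03-01T10:00:01Z INFO certificate-manager Running command: ['C:\\Program Files\\VMware\\vCenter Server\\vmcad\\certool.exe', '--genkey', '--privkey', 'C:\\certs\\root_signing_cert.key', '--pubkey', 'C:\\temp\\pubkey.pub']
2016-03-01T10:00:02Z INFO certificate-manager Running command: ['C:\\Program Files\\VMware\\vCenter Server\\vmcad\\certool.exe', '--gencsrfromcert', '--privkey', 'C:\\certs\\root_signing_cert.key', '--cert', 'C:\\ProgramData\\VMware\\vCenterServer\\data\\vmca\\root.cer', '--csrfile', 'C:\\certs\\root_signing_cert.csr']
2016-03-01T10:00:03Z INFO certificate-manager CSR generated at: C:\certs\root_signing_cert.csr
"""

# The utility logs each certool invocation as a Python-style list literal.
RUNNING_CMD = re.compile(r"Running command: (\[.*\])\s*$")


def parse_commands(log_text):
    """Return the argument list of every 'Running command' entry in the log."""
    commands = []
    for line in log_text.splitlines():
        match = RUNNING_CMD.search(line)
        if match:
            # literal_eval turns the logged list repr back into a Python list.
            commands.append(ast.literal_eval(match.group(1)))
    return commands


def _arg_after(argv, flag):
    """Value following a flag such as --cert, or None if the flag is absent."""
    if flag in argv and argv.index(flag) + 1 < len(argv):
        return argv[argv.index(flag) + 1]
    return None


def find_gencsrfromcert(log_text):
    """Return (source certificate, CSR file) for every CSR built from an existing cert."""
    hits = []
    for argv in parse_commands(log_text):
        if "--gencsrfromcert" in argv:
            hits.append((_arg_after(argv, "--cert"), _arg_after(argv, "--csrfile")))
    return hits


def find_gencsrfromcert_in_file(path):
    """Same check against an on-disk certificate-manager.log."""
    with open(path, encoding="utf-8", errors="replace") as handle:
        return find_gencsrfromcert(handle.read())


if __name__ == "__main__":
    for cert, csr in find_gencsrfromcert(SAMPLE_LOG):
        print(f"CSR {csr} was derived from existing certificate {cert}; certool.cfg was not used")
```

Any hit means the subject data in that CSR came from the certificate named after --cert, not from certool.cfg, which is exactly the condition the Resolution section below works around.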


Environment

VMware vCenter Server Appliance 6.0.x
VMware vCenter Server 6.0.x

Cause


This issue occurs because the Certificate Manager utility runs certool with --gencsrfromcert against the existing certificate(s) of the vCenter Server or Platform Services Controller. That operation builds the CSR from the certificate already in use, so the generated CSR and key pair reproduce the original SSL certificate(s) instead of the values in certool.cfg. This guarantees that the hostname and IP address in the certificate match the host OS of the system, but it also means any customization in certool.cfg is ignored.

Resolution

This issue is resolved in VMware vCenter Server 6.0 U2, available at VMware Downloads.

Prior to this release, the Certificate Manager does not utilize the certool.cfg.

If you do not want to upgrade, you can work around this limitation by generating the CSR, private key, and public key manually with certool.
  1. Create a copy of certool.cfg, and rename it.
    For example:

    certool_acme.cfg
     
  2. Modify the certool_acme.cfg to match the hostname of your existing system using a text editor. Use the example below as a model:

    #
    # Template file for a CSR request
    #

    # Country is needed and has to be 2 characters
    Country = US
    Name = vCenterServer
    Organization = VMware
    OrgUnit = VMware Global Support Service
    State = Indiana
    Locality = Indianapolis
    IPAddress = 10.0.1.10
    Email = [email protected]
    Hostname = vcenter.vmware.local


    Use vmafd-cli to get the exact PNID (Primary Network Identifier) of your system for the Hostname field of the configuration file. The case must match exactly between the command output and the value you put into the configuration file.

    Use the example below as a model:

    Appliance:

    /usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost


    Windows:

    C:\Program Files\VMware\vCenter Server\vmafdd\vmafd-cli get-pnid --server-name localhost

    You see output similar to:

    vcenter.vmware.local
     
  3. Save the certool_acme.cfg
  4. Run certool to generate the CSR, private key, and public key:

    Appliance:

    /usr/lib/vmware-vmca/bin/certool --initcsr --privkey=priv.key --pubkey=pub.key --csrfile=csr.csr --config=path_to_/certool_acme.cfg


    Windows:

    C:\Program Files\VMware\vCenter Server\vmcad\certool --initcsr --privkey=priv.key --pubkey=pub.key --csrfile=csr.csr --config=path_to_\certool_acme.cfg

After the CSR and key pair are generated and you have received the signed certificate from your CA, implement the certificates using the Certificate Manager utility; see Understanding and using vSphere 6.0 Certificate Manager (2097936).


Additional Information

To generate a CSR for a Platform Services Controller or vCenter Server that might be reachable through multiple DNS names:
  1. Create a copy of certool.cfg. Rename it.
    For example:

    certool_acme.cfg

    and include multiple comma-separated host names.
    For example:

    Hostname = vcenter.vmware.com,vcenter_private.vmware.com
     
  2. Run certool to generate the CSR. Because of an issue with --gencert, use --initcsr:

    certool --initcsr --privkey=priv.key --pubkey=pub.key --csrfile=csr.csr --config=certool_acme.cfg
 
To generate a CSR for a Platform Services Controller or vCenter Server that might be reachable through multiple Subject names:
  1. Create a copy of certool.cfg. Rename it.
    For example:

    certool_acme.cfg

    and include multiple comma-separated Subject Names.
    For example:

    Name = vcenter.vmware.com,vCenterServer
     
  2. Run certool to generate the CSR. Because of an issue with --gencert, use --initcsr:

    certool --initcsr --privkey=priv.key --pubkey=pub.key --csrfile=csr.csr --config=certool_acme.cfg
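The manual procedure above (copy certool.cfg, set Hostname to the PNID with matching case, run certool --initcsr) and the two multi-value variants in this section all hinge on getting the configuration file right and then confirming that the CSR really reflects it rather than the old certificate. As an added example (not part of this KB article or of certool itself), the following Python script parses a certool-style configuration, performs the checks a practitioner would make before running certool (two-character Country, PNID present in Hostname with exact case, comma-separated Hostname and Name values split correctly), builds the --initcsr command line for the appliance or Windows, and compares the Subject Alternative Name line that `openssl req -in csr.csr -noout -text` prints against the configuration. It assumes that certool places Hostname entries in the CSR as DNS SANs and IPAddress as an IP SAN; the configuration text, the email address, and the two openssl SAN lines are constructed samples.

```python
MULTI_VALUE_KEYS = {"Name", "Hostname"}  # keys this KB article shows as comma-separated lists

# Constructed certool_acme.cfg modelled on the steps above; the email is hypothetical.
SAMPLE_CFG = """\
#
# Template file for a CSR request
#
# Country is needed and has to be 2 characters
Country = US
Name = vcenter.vmware.com,vCenterServer
Organization = VMware
OrgUnit = VMware Global Support Service
State = Indiana
Locality = Indianapolis
IPAddress = 10.0.1.10
Email = admin@vmware.local
Hostname = vcenter.vmware.com,vcenter_private.vmware.com
"""

# Constructed SAN lines as printed by `openssl req -noout -text`:
# one from a CSR derived from the old certificate, one from a CSR built from the config.
STALE_SAN_LINE = "DNS:vcenter.vmware.local, IP Address:10.0.1.10"
FRESH_SAN_LINE = "DNS:vcenter.vmware.com, DNS:vcenter_private.vmware.com, IP Address:10.0.1.10"


def parse_certool_cfg(text):
    """Parse 'Key = Value' lines; comments and blanks are skipped, list keys are split on commas."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed certool.cfg line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        cfg[key] = [v.strip() for v in value.split(",")] if key in MULTI_VALUE_KEYS else value
    return cfg


def validate_cfg(cfg, pnid):
    """Pre-flight checks: Country length and the PNID (from vmafd-cli get-pnid) in Hostname, exact case."""
    problems = []
    if len(cfg.get("Country", "")) != 2:
        problems.append("Country must be exactly 2 characters")
    if pnid not in cfg.get("Hostname", []):
        problems.append(f"Hostname does not contain the PNID {pnid!r} (case must match the vmafd-cli output)")
    return problems


def initcsr_command(cfg_path, platform="appliance",
                    privkey="priv.key", pubkey="pub.key", csrfile="csr.csr"):
    """Argument list for the certool --initcsr call shown in this article, per platform."""
    certool = {
        "appliance": "/usr/lib/vmware-vmca/bin/certool",
        "windows": r"C:\Program Files\VMware\vCenter Server\vmcad\certool",
    }[platform]
    return [certool, "--initcsr", f"--privkey={privkey}", f"--pubkey={pubkey}",
            f"--csrfile={csrfile}", f"--config={cfg_path}"]


def expected_sans(cfg):
    """SAN entries the CSR should carry (assumption: Hostname -> DNS, IPAddress -> IP Address)."""
    sans = {("DNS", host) for host in cfg.get("Hostname", [])}
    if cfg.get("IPAddress"):
        sans.add(("IP Address", cfg["IPAddress"]))
    return sans


def parse_openssl_san_line(line):
    """Turn 'DNS:a, DNS:b, IP Address:x' into a set of (kind, value) pairs."""
    entries = set()
    for item in line.strip().split(","):
        kind, _, value = item.strip().partition(":")
        if value:
            entries.add((kind.strip(), value.strip()))
    return entries


def san_mismatches(cfg, san_line):
    """Report SAN entries missing from the CSR and entries the config did not ask for."""
    want, got = expected_sans(cfg), parse_openssl_san_line(san_line)
    return {"missing": want - got, "unexpected": got - want}


if __name__ == "__main__":
    cfg = parse_certool_cfg(SAMPLE_CFG)
    print("pre-flight:", validate_cfg(cfg, "vcenter.vmware.com") or "ok")
    print(" ".join(initcsr_command("/root/certool_acme.cfg")))
    print("stale CSR:", san_mismatches(cfg, STALE_SAN_LINE))
    print("fresh CSR:", san_mismatches(cfg, FRESH_SAN_LINE))
```

After running certool, feed the SAN line from `openssl req -in csr.csr -noout -text` to san_mismatches: a non-empty "unexpected" set containing the old hostname is the symptom this article describes, while two empty sets confirm the CSR was built from your configuration.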

For more information on certool, see the certool Initialization Commands Reference in the vSphere Security Guide.

How to use vSphere 6.x Certificate Manager
Using certool to generate CSRs that include multiple DNS names for one host
Using the Certificate Manager Utility in vSphere 6.0 does not utilize the Certool.cfg for CSR generation (Japanese version)