Using the Certificate Manager Utility in vSphere 6.0 does not utilize the Certool.cfg for CSR generation (2129706)

Symptoms

When generating Certificate Signing Requests (CSRs) and the private key pair for the Machine SSL certificate or the Solution user certificates, after modifying the /usr/lib/vmware-vmca/share/config/certool.cfg file or C:\Program Files\VMware\vCenter Server\vmcad\certool.cfg file, you experience these symptoms:
  • The certificates generated from the CSR are identical to the SSL certificates previously used on the vCenter Server or Platform Services Controller
  • The certificates generated do not adhere to the information provided in the certool.cfg configuration for the vCenter Server or Platform Services Controller
  • Per the /var/log/vmware/vmcad/certificate-manager.log file or C:\ProgramData\VMware\vCenterServer\logs\vmca\certificate-manager.log file, you see entries similar to:
YYYY-MM-DDT<Time>Z INFO certificate-manager Selected operation: Replace VMCA Root certificate with Custom CA Certificate and replace all certificates (signed by Custom CA root
YYYY-MM-DDT<Time>Z INFO certificate-manager Please provide a directory location to write the CSR(s) and PrivateKey(s) to: 
YYYY-MM-DDT<Time>Z INFO certificate-manager Generating key 
YYYY-MM-DDT<Time>Z INFO certificate-manager Running command: ['C:\\Program Files\\VMware\\vCenter Server\\vmcad\\certool.exe', '--genkey', '--privkey', 'C:\\certs\\root_signing_cert.key', '--pubkey', 'c:\\users\\admini~1\\appdata\\local\\temp\\1\\pubkey.pub']
YYYY-MM-DDT<Time>Z INFO certificate-manager Running command: ['C:\\Program Files\\VMware\\vCenter Server\\vmcad\\certool.exe', '--gencsrfromcert', '--privkey', 'C:\\certs\\root_signing_cert.key', '--cert', 'C:\\ProgramData\\VMware\\vCenterServer\\data\\vmca\\root.cer', '--csrfile', 'C:\\certs\\root_signing_cert.csr']
YYYY-MM-DDT<Time>Z INFO certificate-manager CSR generated at: C:\certs\root_signing_cert.csr
Note: The preceding log excerpts are only examples. Date, time, and environment-specific values may vary depending on your environment.

Cause

This issue occurs because the Certificate Manager utility performs a --gencsrfromcert call against the existing certificate(s) of the vCenter Server or Platform Services Controller. The CSR and private key pair it generates therefore match the original SSL certificate(s) previously in use, which ensures that the hostname and IP address in the certificate match the host OS of the system.

Resolution

This issue is resolved in VMware vCenter Server 6.0 U2, available at VMware Downloads.

Prior to this release, the Certificate Manager does not use certool.cfg.

If you do not want to upgrade, you can work around this limitation by manually generating the CSR, private key and public key pair with certool.
1. Create a copy of certool.cfg and rename it. For example:

   certool_acme.cfg

2. Using a text editor, modify certool_acme.cfg to match the hostname of your existing system. Use the example below as a model:

   #
   # Template file for a CSR request
   #

   # Country is needed and has to be 2 characters
   Country = US
   Name = vCenterServer
   Organization = VMware
   OrgUnit = VMware Global Support Service
   State = Indiana
   Locality = Indianapolis
   IPAddress = 10.0.1.10
   Email = support@vmware.com
   Hostname = vcenter.vmware.local

   Use vmafd-cli to get the exact PNID (Primary Network Identifier) of your system for the Hostname field of the configuration file. The case must match exactly between the command output and the value in the configuration file.

   Run the command for your platform:

   Appliance:

   /usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost

   Windows:

   "C:\Program Files\VMware\vCenter Server\vmafdd\vmafd-cli" get-pnid --server-name localhost

   You see output similar to:

   vcenter.vmware.local

3. Save certool_acme.cfg.

4. Run certool to generate the CSR, private key and public key:

   Appliance:

   /usr/lib/vmware-vmca/bin/certool --initcsr --privkey=priv.key --pubkey=pub.key --csrfile=csr.csr --config=path_to_/certool_acme.cfg

   Windows:

   "C:\Program Files\VMware\vCenter Server\vmcad\certool" --initcsr --privkey=priv.key --pubkey=pub.key --csrfile=csr.csr --config=path_to_\certool_acme.cfg

After the CSR and key pair are generated and you have received the signed certificate from your CA, see Understanding and using vSphere 6.0 Certificate Manager (2097936) to implement the certificates using the Certificate Manager utility.

Additional Information

To generate a CSR for a Platform Services Controller or vCenter Server that might be reachable through multiple DNS names:

1. Create a copy of certool.cfg and rename it, for example to certool_acme.cfg, and include multiple comma-separated host names in the Hostname field. For example:

   Hostname = vcenter.vmware.com,vcenter_private.vmware.com

2. Run certool to generate the CSR. Because of an issue with --gencert, use --initcsr:

   certool --initcsr --privkey=priv.key --pubkey=pub.key --csrfile=csr.csr --config=certool_acme.cfg

To generate a CSR for a Platform Services Controller or vCenter Server that might be reachable through multiple Subject names:

1. Create a copy of certool.cfg and rename it, for example to certool_acme.cfg, and include multiple comma-separated Subject Names in the Name field. For example:

   Name = vcenter.vmware.com,vCenterServer

2. Run certool to generate the CSR. Because of an issue with --gencert, use --initcsr:

   certool --initcsr --privkey=priv.key --pubkey=pub.key --csrfile=csr.csr --config=certool_acme.cfg
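The following Python script is an added example, not VMware's code and not part of this article. It checks a certool_acme.cfg before you run certool (2-letter Country, valid IPAddress, Hostname matching the PNID with exact case, including the comma-separated Hostname and Name lists described above) and then compares the CSR that certool produced against the config, which is how you confirm that the CSR reflects certool_acme.cfg rather than the previously used certificate. It assumes that certool maps Name, Organization, OrgUnit, State, Locality and Country to the CN, O, OU, ST, L and C attributes and places Hostname and IPAddress in the Subject Alternative Name extension, and that the observed values come from `openssl req -in csr.csr -noout -subject -nameopt RFC2253` and from the "X509v3 Subject Alternative Name" line of `openssl req -in csr.csr -noout -text`. The sample config, subject lines and SAN line embedded below are constructed.

```python
"""Check a certool-style config and the CSR generated from it (added example).

Assumptions (not from the KB article): the certool.cfg -> DN attribute mapping in
DN_MAP, Hostname/IPAddress ending up in the SAN extension, and the two openssl
output formats named in the docstrings below.
"""
import ipaddress

# Constructed sample, modelled on the certool_acme.cfg template in the article.
SAMPLE_CFG = """\
# Country is needed and has to be 2 characters
Country = US
Name = vCenterServer
Organization = VMware
OrgUnit = VMware Global Support Service
State = Indiana
Locality = Indianapolis
IPAddress = 10.0.1.10
Email = support@vmware.com
Hostname = vcenter.vmware.local
"""

# Constructed openssl output: a CSR that follows the config, a CSR that still
# carries an old certificate's subject (the article's symptom), and a SAN line.
GOOD_SUBJECT = "subject=CN=vCenterServer,OU=VMware Global Support Service,O=VMware,L=Indianapolis,ST=Indiana,C=US"
STALE_SUBJECT = "subject=CN=vcenter.vmware.local,OU=OldUnit,O=OldOrg,L=Oldtown,ST=Oldstate,C=US"
GOOD_SAN = "DNS:vcenter.vmware.local, IP Address:10.0.1.10"

# Assumed certool.cfg key -> DN attribute mapping. Email is left out because
# RFC2253 output prints emailAddress as a raw OID, so it is not compared here.
DN_MAP = {"Country": "C", "State": "ST", "Locality": "L",
          "Organization": "O", "OrgUnit": "OU", "Name": "CN"}


def parse_certool_cfg(text):
    """Parse 'Key = Value' lines; blank lines and '#' comments are ignored."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed certool.cfg line: %r" % raw)
        cfg[key.strip()] = value.strip()
    return cfg


def split_list(value):
    """certool.cfg fields such as Hostname and Name accept comma-separated lists."""
    return [v.strip() for v in value.split(",") if v.strip()]


def validate_cfg(cfg, pnid):
    """Return a list of problems (empty = usable). pnid is the exact output of
    'vmafd-cli get-pnid --server-name localhost'."""
    problems = []
    country = cfg.get("Country", "")
    if len(country) != 2 or not country.isalpha():
        problems.append("Country must be exactly 2 letters, got %r" % country)
    hosts = split_list(cfg.get("Hostname", ""))
    if not hosts:
        problems.append("Hostname is missing")
    elif pnid not in hosts:
        # The article requires an exact, case-sensitive match with the PNID.
        if pnid.lower() in [h.lower() for h in hosts]:
            problems.append("Hostname case differs from PNID %r: %r" % (pnid, hosts))
        else:
            problems.append("PNID %r not found in Hostname %r" % (pnid, hosts))
    for ip in split_list(cfg.get("IPAddress", "")):
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            problems.append("IPAddress %r is not a valid IP address" % ip)
    return problems


def parse_rfc2253_subject(line):
    """Parse 'subject=CN=a,OU=b,...' (openssl -nameopt RFC2253) into
    {attr: [values]}, honouring backslash-escaped commas inside values."""
    line = line.strip()
    if line.startswith("subject="):
        line = line[len("subject="):]
    parts, buf, i = [], [], 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):   # escaped character
            buf.append(line[i + 1]); i += 2; continue
        if ch == ",":
            parts.append("".join(buf)); buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    observed = {}
    for part in parts:
        if part.strip():
            attr, _, value = part.partition("=")
            observed.setdefault(attr.strip(), []).append(value.strip())
    return observed


def subject_mismatches(cfg, subject_line):
    """DN attributes whose CSR value differs from the config."""
    observed = parse_rfc2253_subject(subject_line)
    mismatches = []
    for key, attr in DN_MAP.items():
        if key in cfg:
            want, got = sorted(split_list(cfg[key])), sorted(observed.get(attr, []))
            if want != got:
                mismatches.append("%s: config %r but CSR has %r" % (attr, want, got))
    return mismatches


def san_mismatches(cfg, san_line):
    """Compare Hostname/IPAddress with an openssl SAN line such as
    'DNS:vcenter.vmware.local, IP Address:10.0.1.10'."""
    observed = {}
    for entry in split_list(san_line):
        kind, _, value = entry.partition(":")
        observed.setdefault(kind.strip(), set()).add(value.strip())
    checks = [("DNS", set(split_list(cfg.get("Hostname", "")))),
              ("IP Address", set(split_list(cfg.get("IPAddress", ""))))]
    return ["%s: config %r but CSR has %r" % (kind, sorted(want), sorted(observed.get(kind, set())))
            for kind, want in checks if want != observed.get(kind, set())]


if __name__ == "__main__":
    cfg = parse_certool_cfg(SAMPLE_CFG)
    print("config problems:", validate_cfg(cfg, "vcenter.vmware.local"))
    print("stale CSR:", subject_mismatches(cfg, STALE_SUBJECT))
    print("fresh CSR:", subject_mismatches(cfg, GOOD_SUBJECT), san_mismatches(cfg, GOOD_SAN))
```

In practice, replace SAMPLE_CFG with the contents of your certool_acme.cfg, pass the output of vmafd-cli get-pnid to validate_cfg, and feed the two openssl command outputs for csr.csr to subject_mismatches and san_mismatches; an empty result from both means the CSR was built from the config and not from the old certificate.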
