Certificate Authority does not accept email address in the CSR to generate custom certificate

Article ID: 370244

Products

  • VMware vCenter Server
  • VMware vCenter Server 6.0
  • VMware vCenter Server 7.0
  • VMware vCenter Server 8.0

Issue/Introduction

While creating a CSR from vCenter, the SAN fields include an email address by default.

These values are taken from certool.cfg, located in the /usr/lib/vmware-vmca/share/config/ directory.

The Certificate Authority does not accept an email address in the CSR.

Environment

  • VMware vCenter Server 8.0.x
  • VMware vCenter Server 7.0.x
  • VMware vCenter Server Appliance 6.5.x
  • VMware vCenter Server Appliance 6.7.x
  • VMware vCenter Server 6.7.x
  • VMware vCenter Server 6.5.x

Resolution

  • Run the CLI script /usr/lib/vmware-vmca/bin/certificate-manager and choose option 1, "Replace Machine SSL certificate with Custom Certificate".
  • Enter option 1, "Generate Certificate Signing Request(s) and Key(s) for Machine SSL certificate".

  • Follow all the prompts for the location, organization, FQDN, etc. When it prompts for an email, just press Enter. Once complete, it will have generated a CSR and private key. Ignore these, as they likely contain the default "email@acme" address, which we do not want.

  • The options chosen are saved to "/var/tmp/vmware/certool.cfg".
  • Open this file in a text editor; you should see something like:

root@vcenter [ /usr ]# cat /var/tmp/vmware/certool.cfg
Country = US
Name = CA
Organization = VMware
OrgUnit = TAM
State = Colorado
Locality = Denver
#IPAddress =
Email = [email protected]
Hostname = vcenter.test.com

Delete the line containing "Email", so the file looks like:
root@vcenter [ /usr ]# cat /var/tmp/vmware/certool.cfg
Country = US
Name = CA
Organization = VMware
OrgUnit = TAM
State = Colorado
Locality = Denver
#IPAddress =
Hostname = vcenter.test.com

  • Re-run the /usr/lib/vmware-vmca/bin/certificate-manager tool with the same options as before. Because the tool has already been run once, it will report that certool.cfg has already been defined and ask whether you want to reconfigure. Answer "No"; it will then use the contents of the edited file above to generate a new CSR and private key pair.
  • Validate that the CSR does not contain the email field (no output from grep means the email address is absent):
    openssl req -in /tmp/vmca_issued_csr.csr -noout -text | grep -i email