Certificate Authority does not accept email address in the CSR to generate custom certificate
Article ID: 370244

Products

  • VMware vCenter Server
  • VMware vCenter Server 7.0
  • VMware vCenter Server 8.0
  • VMware vCenter Server 6.0

Issue/Introduction

  • When a CSR is generated from vCenter, the Subject Alternative Name (SAN) fields include an email address by default. These values are taken from certool.cfg, located in the /usr/lib/vmware-vmca/share/config/ directory.
  • The Certificate Authority does not accept a CSR that contains an email address.

Environment

  • VMware vCenter Server 8.0.x
  • VMware vCenter Server 7.0.x
  • VMware vCenter Server 6.7
  • VMware vCenter Server 6.5

Resolution

  1. Run the CLI script /usr/lib/vmware-vmca/bin/certificate-manager and choose Option 1, "Replace Machine SSL certificate with Custom Certificate".

  2. Enter Option 1, "Generate Certificate Signing Request(s) and Key(s) for Machine SSL certificate".

  3. Follow the prompts for location, organization, FQDN, and so on. When it prompts for an email, just press Enter. Once complete, it will have generated a CSR and private key. Ignore these, as they likely contain the default "email@acme" address, which is not wanted.

  4. The options chosen are saved to /var/tmp/vmware/certool.cfg.

  5. Edit this file with a text editor:

    vi /var/tmp/vmware/certool.cfg

    Country = <country_name>
    Name = <name>
    Organization = <organisation_name>
    OrgUnit = <Organisation_unit_name>
    State = <state_name>
    Locality = <locality_name>
    #IPAddress =
    Email = email@acme.com
    Hostname = vcenter.example.com

  6. Delete the line containing "Email". Then press Esc, type :wq! and press Enter. The file should now look like:
</gre_replace>
<gr_replace lines="67" cat="clarify" orig="7. Re-run">
  7. Re-run /usr/lib/vmware-vmca/bin/certificate-manager with the same options as before. Because it has already been run once, it will state that certool.cfg has already been defined and ask whether you want to reconfigure. Answer "No", and it will use the contents of the file above to generate a new CSR and private key pair.

    cat /var/tmp/vmware/certool.cfg

    Country = <country_name>
    Name = <name>
    Organization = <organisation_name>
    OrgUnit = <Organisation_unit_name>
    State = <state_name>
    Locality = <locality_name>
    #IPAddress =
    Hostname = vcenter.example.com

  7. Re-run the /usr/lib/vmware-vmca/bin/certificate-manager tool and use the same options as last time. Though, since it has been run once, it will prompt you, stating that certool.cfg has already been defined, and will ask if you want to reconfigure. Answer "No" and it should use the contents of the above file to generate a new CSR and private key pair.

  8. Validate that the CSR does not contain the email field:
    openssl req -in /tmp/vmca_issued_csr.csr -noout -text | grep -i email

    If the command prints nothing, the CSR carries no email address in either the Subject (emailAddress) or the SAN (email:) and can be submitted to the CA.
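The steps above come down to two mechanical operations: removing the Email line from certool.cfg, and confirming that the regenerated CSR carries no email address in either the Subject or the SAN. The POSIX shell script below is an added example, not part of this article or of VMware's certificate-manager tooling; the function names are my own, the certool.cfg contents and the decoded-CSR excerpt it checks are constructed, and csr_file_has_email assumes openssl is on the PATH.

```shell
#!/bin/sh
# Added example (not from the KB article or from VMware): automates the
# manual edit-and-verify steps. Paths in the demo at the bottom are
# constructed; on a vCenter appliance the config is
# /var/tmp/vmware/certool.cfg and the CSR is /tmp/vmca_issued_csr.csr.

# strip_email_from_cfg IN OUT
# Writes IN to OUT minus every "Email = ..." line. The key match is
# case-insensitive and tolerates leading/surrounding whitespace, so the
# line is removed outright rather than left with an empty value.
strip_email_from_cfg() {
  [ -r "$1" ] || return 2
  grep -iv '^[[:space:]]*Email[[:space:]]*=' "$1" > "$2"
  # A valid certool.cfg keeps Hostname etc., so an empty result is an error.
  [ -s "$2" ]
}

# csr_text_has_email
# Reads the output of `openssl req -noout -text` on stdin and succeeds if
# an email appears in the Subject (emailAddress=) or in the SAN (email:).
csr_text_has_email() {
  grep -iqE 'emailAddress|email:'
}

# csr_file_has_email CSR_PATH
# Same check against a real CSR file (requires openssl).
csr_file_has_email() {
  openssl req -in "$1" -noout -text | csr_text_has_email
}

# Demo on a constructed certool.cfg mirroring the one in the article.
demo_dir=$(mktemp -d)
cat > "$demo_dir/certool.cfg" <<'EOF'
Country = US
Name = vcenter
Organization = Example Org
OrgUnit = IT
State = California
Locality = Palo Alto
#IPAddress =
Email = email@acme.com
Hostname = vcenter.example.com
EOF

strip_email_from_cfg "$demo_dir/certool.cfg" "$demo_dir/certool.cfg.new"
echo "certool.cfg without the Email line:"
cat "$demo_dir/certool.cfg.new"

# Constructed excerpt of `openssl req -noout -text` output for a CSR whose
# SAN still carries the default email address.
if printf '%s\n' '    X509v3 Subject Alternative Name:' \
                 '        email:email@acme.com, DNS:vcenter.example.com' \
   | csr_text_has_email; then
  echo "CSR still contains an email address: regenerate it"
else
  echo "CSR contains no email address"
fi
rm -rf "$demo_dir"
```

On an appliance, run strip_email_from_cfg against /var/tmp/vmware/certool.cfg and then csr_file_has_email against the CSR that certificate-manager writes; a non-zero exit from the latter is the signal to regenerate before submitting to the CA. Matching both emailAddress and email: matters because a CSR can carry the address in the Subject as well as in the SAN, and the CA may reject either.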