Certificate Authority does not accept email address in the CSR to generate custom certificate
Article ID: 370244
Products
VMware vCenter Server
VMware vCenter Server 7.0
VMware vCenter Server 8.0
VMware vCenter Server 6.0
Issue/Introduction
When a CSR is created from vCenter, the SAN field contains an email address by default.
These values are taken from certool.cfg, located in the /usr/lib/vmware-vmca/share/config/ directory.
The Certificate Authority does not accept an email address in the CSR.
Environment
VMware vCenter Server 8.0.x
VMware vCenter Server 7.0.x
VMware vCenter Server Appliance 6.5.x
VMware vCenter Server Appliance 6.7.x
VMware vCenter Server 6.7.x
VMware vCenter Server 6.5.x
Resolution
Run the CLI script /usr/lib/vmware-vmca/bin/certificate-manager and choose option 1, "Replace Machine SSL certificate with Custom Certificate".
Enter option 1, "Generate Certificate Signing Request(s) and Key(s) for Machine SSL certificate".
Follow all the prompts for the location, organization, FQDN, etc. When it prompts for an email, just press Enter. Once complete, it will have generated a CSR and private key. Ignore these, as they likely contain the default "email@acme" address, which we don't want.
The options chosen should be saved to "/var/tmp/vmware/certool.cfg"
Edit this file with a text editor; you should see something like the following (the page shows an obfuscated email value, so it is replaced by a placeholder here):
root@vcenter [ /usr ]# cat /var/tmp/vmware/certool.cfg
Country = US
Name = CA
Organization = VMware
OrgUnit = TAM
State = Colorado
Locality = Denver
#IPAddress =
Email = <default email address>
Hostname = vcenter.test.com
Delete the line containing "Email", so the file looks like:
root@vcenter [ /usr ]# cat /var/tmp/vmware/certool.cfg
Country = US
Name = CA
Organization = VMware
OrgUnit = TAM
State = Colorado
Locality = Denver
#IPAddress =
Hostname = vcenter.test.com
Re-run the /usr/lib/vmware-vmca/bin/certificate-manager tool and use the same options as last time. Because it has already been run once, it will state that certool.cfg has already been defined and ask whether you want to reconfigure. Answer "No", and it will use the contents of the file above to generate a new CSR and private key pair.
Validate that the CSR does not have the email field present (no output means the field is absent):
openssl req -in /tmp/vmca_issued_csr.csr -noout -text | grep -i email
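Two small helpers for the steps above, added here as an example and not part of the KB article: a filter that drops the Email line from a certool.cfg copy, and a counter for email fields in the text dump of a CSR (covering both the subject's emailAddress attribute and SAN email entries, not only the grep shown above). The sample config and CSR text are constructed, not real vCenter output.

```shell
#!/bin/sh
# Added example (not from the KB). Assumes POSIX sh, grep and openssl.

# Print a copy of certool.cfg ($1) with every "Email = ..." line removed,
# so certificate-manager no longer places an email address in the CSR's SAN.
strip_email_from_cfg() {
    grep -v -i '^[[:space:]]*Email[[:space:]]*=' "$1"
}

# Count email references in a CSR text dump read from stdin (the output of
# "openssl req -in <csr> -noout -text"). Matches the subject's emailAddress
# attribute as well as "email:" entries in the Subject Alternative Name.
csr_email_count() {
    grep -c -i -E 'emailAddress|email:' || true
}

# Return 0 when the CSR file $1 carries no email field, 1 otherwise.
csr_is_email_free() {
    n=$(openssl req -in "$1" -noout -text | csr_email_count)
    [ "$n" -eq 0 ]
}

# Constructed sample of a certool.cfg that still carries the Email line.
SAMPLE_CFG='Country = US
Name = CA
Organization = VMware
OrgUnit = TAM
Hostname = vcenter.test.com
Email = user@example.com'

# Constructed fragment of "openssl req -text" output with an email in the SAN.
SAMPLE_CSR_TEXT='Subject: C = US, ST = Colorado, O = VMware, CN = vcenter.test.com
        X509v3 Subject Alternative Name:
            email:user@example.com, DNS:vcenter.test.com'

# Stand-alone demonstration on the constructed samples.
cfg_copy=$(mktemp)
printf '%s\n' "$SAMPLE_CFG" > "$cfg_copy"
echo "--- certool.cfg with the Email line removed:"
strip_email_from_cfg "$cfg_copy"
echo "--- email references found in the sample CSR dump:"
printf '%s\n' "$SAMPLE_CSR_TEXT" | csr_email_count
rm -f "$cfg_copy"
```

To check a real CSR, run csr_is_email_free /tmp/vmca_issued_csr.csr and test its exit status.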