Manually Generate CSR and Key for Custom Machine Certificate using .cfg file through vCenter command line

Article ID: 385827

Products

  • VMware vCenter Server 7.0
  • VMware vCenter Server 8.0

Issue/Introduction

This article provides steps to generate a CSR and private key for a Custom Machine Certificate through the vCenter Server command line.

Environment

  • VMware vCenter Server Appliance 7.0 
  • VMware vCenter Server Appliance 8.0 

Resolution

The steps below are an alternate method of generating a CSR and private key for a Custom Machine Certificate:

 

** Take a valid file-based backup or snapshot of the vCenter Server (offline snapshots if in an Enhanced Linked Mode environment) prior to making any changes.

 

Steps to Generate new CSR and Key manually through vCenter command line:

 

1. Log in to the vCenter Server through an SSH session as root and run the shell command.

2. Create a new configuration file by running the following command: vi /tmp/newcert.cfg

3. Copy and paste the following into newcert.cfg, then customize the subjectAltName line (replace vCenter-FQDN and vCenter-IP with the FQDN and IP address of the vCenter Server) and every value in the third section, [ req_distinguished_name ]. Note that the subjectAltName entries must be separated by a comma, otherwise OpenSSL treats the whole value as a single DNS name.

[ req ]
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:false
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:vCenter-FQDN, IP:vCenter-IP

[ req_distinguished_name ]
countryName = IE
stateOrProvinceName = Cork
localityName = Cork
0.organizationName = VMware
organizationalUnitName = vTSU
commonName = vCenter-FQDN

 

4. Save the file: press Esc, then type :wq! and press Enter.
 

5. Generate the private key and the CSR by running the following command:
 
openssl req -new -nodes -out /root/newcert.csr -newkey rsa:2048 -keyout /root/newcert.key -config /tmp/newcert.cfg

 

Note: The RSA key size (2048) can be changed from 2048 bits (minimum) to 16384 bits (maximum).

Please see the following article for more information: Certificate Requirements for Different Solution Paths

 

6. The private key (newcert.key) and the CSR (newcert.csr) are now present in the /root/ directory.

7. Copy these two files off the appliance with a tool such as WinSCP and provide the CSR to your CA to receive your Custom Certificate.
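The procedure in steps 2 to 6 as an added shell example, not code from the KB: it writes the same newcert.cfg from arguments, runs the same openssl command, and then verifies the CSR before it is sent to the CA (expected SAN present, serverAuth EKU present, CSR public key matches the generated private key). The hostname, IP address, key size and output directory are assumptions supplied by the caller; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the KB): writes the article's newcert.cfg from arguments,
# runs its openssl command, and checks the CSR. FQDN/IP/dir values are constructed.
set -eu

# write_cfg DIR FQDN IP: writes DIR/newcert.cfg in the layout the article uses,
# with the SAN entries comma-separated as OpenSSL requires.
write_cfg() {
  cat > "$1/newcert.cfg" <<EOF
[ req ]
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:false
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$2, IP:$3

[ req_distinguished_name ]
countryName = IE
stateOrProvinceName = Cork
localityName = Cork
0.organizationName = VMware
organizationalUnitName = vTSU
commonName = $2
EOF
}

# gen_csr DIR BITS: the article's command with paths and key size as arguments.
# -nodes leaves the private key unencrypted, so keep DIR readable by root only.
gen_csr() {
  openssl req -new -nodes -out "$1/newcert.csr" -newkey "rsa:$2" \
    -keyout "$1/newcert.key" -config "$1/newcert.cfg" 2>/dev/null
}

# verify_csr DIR FQDN: fails unless the CSR carries the expected SAN and the
# serverAuth EKU, and its public key matches the private key that was written.
verify_csr() {
  txt=$(openssl req -in "$1/newcert.csr" -noout -text)
  echo "$txt" | grep -q "DNS:$2" || { echo "SAN missing DNS:$2"; return 1; }
  echo "$txt" | grep -q "TLS Web Server Authentication" || { echo "EKU missing"; return 1; }
  k=$(openssl pkey -in "$1/newcert.key" -pubout | openssl sha256)
  c=$(openssl req -in "$1/newcert.csr" -noout -pubkey | openssl sha256)
  [ "$k" = "$c" ] || { echo "key/CSR public key mismatch"; return 1; }
}
```

A run such as write_cfg /root vc01.example.com 192.0.2.10; gen_csr /root 2048; verify_csr /root vc01.example.com reproduces the article's output files and only succeeds when the CSR is fit to submit.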

 

Please see the following KB for the further steps to install the custom machine certificate: Replace vCenter Machine SSL certificate Custom Certificate Authority Signed Certificate