VMware

  • 1.  Updating Machine SSL certificate fails

    Posted 11 days ago

    vcenter version 8u2 build 23504390

    Trying to replace machine certificates issued by our internal CA with /usr/lib/vmware-vmca/bin/certificate-manager fails with:

    ---

    root@vcsa [ /tmp ]# /usr/lib/vmware-vmca/bin/certificate-manager
                     _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
                    |                                                                     |
                    |      *** Welcome to the vSphere 8.0 Certificate Manager  ***        |
                    |                                                                     |
                    |                   -- Select Operation --                            |
                    |                                                                     |
                    |      1. Replace Machine SSL certificate with Custom Certificate     |
                    |                                                                     |
                    |      2. Replace VMCA Root certificate with Custom Signing           |
                    |         Certificate and replace all Certificates                    |
                    |                                                                     |
                    |      3. Replace Machine SSL certificate with VMCA Certificate       |
                    |                                                                     |
                    |      4. Regenerate a new VMCA Root Certificate and                  |
                    |         replace all certificates                                    |
                    |                                                                     |
                    |      5. Replace Solution user certificates with                     |
                    |         Custom Certificate                                          |
                    |         NOTE: Solution user certs will be deprecated in a future    |
                    |         release of vCenter. Refer to release notes for more details.|
                    |                                                                     |
                    |      6. Replace Solution user certificates with VMCA certificates   |
                    |                                                                     |
                    |      7. Revert last performed operation by re-publishing old        |
                    |         certificates                                                |
                    |                                                                     |
                    |      8. Reset all Certificates                                      |
                    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|
    Note : Use Ctrl-D to exit.
    Option[1 to 8]: 1

    Please provide valid SSO and VC privileged user credential to perform certificate operations.
    Enter username [Administrator@vsphere.local]:administrator@vsphere.local
    Enter password:
             1. Generate Certificate Signing Request(s) and Key(s) for Machine SSL certificate

             2. Import custom certificate(s) and key(s) to replace existing Machine SSL certificate

    Option [1 or 2]: 2

    Please provide valid custom certificate for Machine SSL.
    File : /tmp/vcsa-certificates/vcsa.crt

    Please provide valid custom key for Machine SSL.
    File : /tmp/vcsa-certificates/vcsa.key

    Please provide the signing certificate of the Machine SSL certificate
    File : /tmp/ca-2017.crt

    You are going to replace Machine SSL cert using custom cert
    Continue operation : Option[Y/N] ? : Y

    ERROR: Subject Alternate Name (SAN) is empty in the certificate provided. Please provide a valid certificate with a valid SAN field
    Status : 0% Completed [Operation failed, performing automatic rollback]

    Error while replacing Machine SSL Cert, please see /var/log/vmware/vmcad/certificate-manager.log for more information.

    Performing rollback of Machine SSL Cert...
    Rollback Status : 100% Completed [Rollback completed successfully]

    root@vcsa [ /tmp ]# 

    I created the key and CSR with openssl:

    openssl req -nodes -newkey rsa:4096 -sha256 -subj "/emailAddress=email@ourfqdn/CN=vsca.fqdn/OU=Our ou/OU=company/L=city/ST=state/C=EE" -keyout vcsa.fqdn.key -out vcsa.fqdn.csr

    I do not even specify a SAN. Why does it fail with such a message?



  • 2.  RE: Updating Machine SSL certificate fails

    Posted 10 days ago

    The use of CN was deprecated several years ago, and most CAs automatically copy the CN to a SAN unless it already exists in the CSR. Maybe you want to check whether your CA can be configured to do this.

    Alternatively, it should work (not tested) to add the SAN to your request.

    openssl req -nodes -newkey rsa:4096 -sha256 -subj "/emailAddress=email@ourfqdn/CN=vsca.fqdn/OU=Our ou/OU=company/L=city/ST=state/C=EE" -addext "subjectAltName = DNS:vsca.fqdn" -keyout vcsa.fqdn.key -out vcsa.fqdn.csr

    André
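An added example, not from the thread: a POSIX shell script that generates a CSR with and without the SAN extension, signs it with a constructed throwaway CA both with and without re-supplying the SAN, and checks each file for the extension before it goes anywhere near certificate-manager. The hostname vcsa.example.test, the subject and the work directory are assumptions, and `-addext` needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not from the thread): make a CSR that carries a SAN, sign it
# with a throwaway CA created here as a stand-in for the internal CA, and check
# for the SAN extension before giving cert and key to certificate-manager.
# Hostname, subject and work directory are constructed placeholders.
WORK="${TMPDIR:-/tmp}/vcsa-san-check.$$"
mkdir -p "$WORK"

# Key + CSR for host $1; $2=1 adds the subjectAltName the thread's CSR lacks.
make_csr() {
    san_opt=""
    if [ "$2" = 1 ]; then san_opt="-addext subjectAltName=DNS:$1"; fi
    openssl req -nodes -newkey rsa:2048 -sha256 $san_opt \
        -subj "/CN=$1/O=Example Org/C=EE" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
}

# Sign CSR of host $1 into $1.$2.crt. $3=1 re-supplies the SAN via -extfile, as
# a CA that does not copy CSR extensions must; $3=0 signs as-is and drops it.
sign_csr() {
    host=$1; suffix=$2; keep=$3
    if [ ! -f "$WORK/ca.key" ]; then   # one-off throwaway CA
        openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days 1 \
            -subj "/CN=Constructed Internal CA" \
            -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
    fi
    set -- -req -in "$WORK/$host.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -sha256 -out "$WORK/$host.$suffix.crt"
    if [ "$keep" = 1 ]; then
        printf 'subjectAltName=DNS:%s\n' "$host" > "$WORK/$host.ext"
        set -- "$@" -extfile "$WORK/$host.ext"
    fi
    openssl x509 "$@" >/dev/null 2>&1
}

# 0 when $2 carries a subjectAltName; $1 is req (for a CSR) or x509 (for a cert).
has_san() {
    openssl "$1" -in "$2" -noout -text 2>/dev/null | grep -q 'Subject Alternative Name'
}

# Run the four cases; returns 0 only when each check matches expectations.
demo() {
    h=vcsa.example.test
    make_csr "$h" 0 && ! has_san req "$WORK/$h.csr" || return 1   # CSR as in the thread
    make_csr "$h" 1 && has_san req "$WORK/$h.csr" || return 1     # CSR with -addext
    sign_csr "$h" dropped 0 && ! has_san x509 "$WORK/$h.dropped.crt" || return 1
    sign_csr "$h" kept 1 && has_san x509 "$WORK/$h.kept.crt" || return 1
    echo "SAN present in $WORK/$h.kept.crt: passes the SAN check certificate-manager performs"
}
```

The "dropped" case is the failure mode the reply above points at: a CA that ignores CSR extensions issues a certificate without a SAN even when the CSR carried one, so check the issued certificate and not only the CSR.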