When you generate Certificate Signing Requests (CSRs) and private key pairs for the Machine SSL certificate or the Solution User certificates with the vSphere 6.0 Certificate Manager utility, after modifying the /usr/lib/vmware-vmca/share/config/certool.cfg file (appliance) or the C:\Program Files\VMware\vCenter Server\vmcad\certool.cfg file (Windows), you experience these symptoms:

- The certificates generated from the CSR are identical to the SSL certificates previously used on the vCenter Server or Platform Services Controller.
- The certificates generated do not adhere to the information provided in certool.cfg for the vCenter Server or Platform Services Controller.
- In the /var/log/vmware/vmcad/certificate-manager.log file or the C:\ProgramData\VMware\vCenterServer\logs\vmca\certificate-manager.log file, you see entries similar to:

YYYY-MM-DDT<time>Z INFO certificate-manager Selected operation: Replace VMCA Root certificate with Custom CA Certificate and replace all certificates (signed by Custom CA root)
YYYY-MM-DDT<time>Z INFO certificate-manager Please provide a directory location to write the CSR(s) and PrivateKey(s) to:
YYYY-MM-DDT<time>Z INFO certificate-manager Generating key
YYYY-MM-DDT<time>Z INFO certificate-manager Running command: ['C:\\Program Files\\VMware\\vCenter Server\\vmcad\\certool.exe', '--genkey', '--privkey', 'C:\\certs\\root_signing_cert.key', '--pubkey', 'c:\\users\\admini~1\\appdata\\local\\temp\\1\\pubkey.pub']
YYYY-MM-DDT<time>Z INFO certificate-manager Running command: ['C:\\Program Files\\VMware\\vCenter Server\\vmcad\\certool.exe', '--gencsrfromcert', '--privkey', 'C:\\certs\\root_signing_cert.key', '--cert', 'C:\\ProgramData\\VMware\\vCenterServer\\data\\vmca\\root.cer', '--csrfile', 'C:\\certs\\root_signing_cert.csr']
YYYY-MM-DDT<time>Z INFO certificate-manager CSR generated at: C:\certs\root_signing_cert.csr

Note: The preceding log excerpts are only examples. Date, time, and environment-specific values (paths, user names) vary depending on your environment. The line to look for is the Running command entry that invokes certool with --gencsrfromcert.
This issue occurs because the Certificate Manager utility generates a fresh key with certool --genkey and then runs certool --gencsrfromcert against the existing certificate(s) of the vCenter Server or Platform Services Controller. That operation builds the CSR from the certificate already installed, so the subject and hostname/IP address information in the new CSR (and in any certificate issued from it) reproduces the previous SSL certificate rather than the values you entered in certool.cfg. This guarantees that the hostname and IP address in the certificate match the host OS of the system, but it means edits to certool.cfg are ignored.
This issue is resolved in VMware vCenter Server 6.0 U2, available at VMware Downloads. Prior to this release, the Certificate Manager does not utilize certool.cfg. If you do not want to upgrade, you can work around this limitation by manually generating the CSR, private key and public key via certool:

1. Create a copy of certool.cfg and rename it. For example: certool_acme.cfg

2. Using a text editor, modify certool_acme.cfg to match the hostname of your existing system. Use the example below as a model:

#
# Template file for a CSR request
#
# Country is needed and has to be 2 characters
Country = US
Name = vCenterServer
Organization = VMware
OrgUnit = VMware Global Support Service
State = Indiana
Locality = Indianapolis
IPAddress = 10.0.1.10
Email = support@vmware.com
Hostname = vcenter.vmware.local

3. Use vmafd-cli to get the exact PNID (Primary Network Identifier) of your system for use in the Hostname field of the configuration file. The case must match exactly between the command output and what you put into the configuration file:

Appliance: /usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost
Windows: C:\Program Files\VMware\vCenter Server\vmafdd\vmafd-cli get-pnid --server-name localhost

You see output similar to:

vcenter.vmware.local

4. Save certool_acme.cfg.

5. Run certool with --initcsr to generate the CSR, private key and public key from the configuration file:

Appliance: /usr/lib/vmware-vmca/bin/certool --initcsr --privkey=priv.key --pubkey=pub.key --csrfile=csr.csr --config=path_to_/certool_acme.cfg
Windows: C:\Program Files\VMware\vCenter Server\vmcad\certool --initcsr --privkey=priv.key --pubkey=pub.key --csrfile=csr.csr --config=path_to_\certool_acme.cfg

priv.key is the private key of the certificate you are about to install; restrict its file permissions and do not send it to the CA along with the CSR. Before submitting the CSR, confirm that its Subject and Subject Alternative Name fields reflect certool_acme.cfg (for example with openssl req -noout -text -in csr.csr) rather than the previous certificate.

6. After you receive the certificate issued from the CSR, implement it together with the generated key pair using the Certificate Manager utility. See Understanding and using vSphere 6.0 Certificate Manager (2097936).
To generate a CSR for a Platform Services Controller or vCenter Server that might be reachable through multiple DNS names:

1. Create a copy of certool.cfg and rename it. For example: certool_acme.cfg
2. In the copy, include multiple comma-separated host names. For example:
   Hostname = vcenter.vmware.com,vcenter_private.vmware.com
3. Run certool to generate the CSR. Because of an issue with --gencert, use --initcsr:
   certool --initcsr --privkey=priv.key --pubkey=pub.key --csrfile=csr.csr --config=certool_acme.cfg

To generate a CSR for a Platform Services Controller or vCenter Server that might be reachable through multiple Subject names:

1. Create a copy of certool.cfg and rename it. For example: certool_acme.cfg
2. In the copy, include multiple comma-separated Subject Names. For example:
   Name = vcenter.vmware.com,vCenterServer
3. Run certool to generate the CSR. Because of an issue with --gencert, use --initcsr:
   certool --initcsr --privkey=priv.key --pubkey=pub.key --csrfile=csr.csr --config=certool_acme.cfg

For more information on certool, see the certool Initialization Commands Reference in the vSphere Security Guide.

Related articles:
- How to use vSphere 6.x Certificate Manager
- Using certool to generate CSRs that include multiple DNS names for one host
- Certool.cfg is not used for CSR generation when using the vSphere 6.0 Certificate Manager utility (Japanese: vSphere 6.0 の Certificate Manager Utility を使用しても CSR 生成に Certool.cfg が使用されない)
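The following Python script is an added example and is not part of this article or of VMware's tooling. It ties the symptom, the workaround and the multi-hostname variant together: it spots the --gencsrfromcert invocation in certificate-manager.log lines, parses a certool_acme.cfg copy (including comma-separated Hostname and Name lists), checks that the PNID appears in Hostname with identical case, builds the certool --initcsr command line, and compares the decoded CSR (text as printed by openssl req -noout -text) against the config so that a CSR still carrying the old certificate's names is caught before it is sent to the CA. The log excerpt, the config and the two openssl excerpts are constructed sample data; the mapping Name -> subject CN, Hostname -> SAN DNS, IPAddress -> SAN IP is the conventional certool.cfg mapping and is an assumption of this check, as is the oldvc.corp.local name used for the stale CSR.

```python
import re

# Constructed certool_acme.cfg, modelled on the template in this article.
SAMPLE_CFG = """\
# Country is needed and has to be 2 characters
Country = US
Name = vCenterServer
Organization = VMware
IPAddress = 10.0.1.10
Hostname = vcenter.vmware.local
"""

# Constructed certificate-manager.log excerpt mirroring the symptom (paths shortened).
SAMPLE_LOG = [
    "2016-01-01T00:00:00Z INFO certificate-manager Running command: "
    "['/usr/lib/vmware-vmca/bin/certool', '--genkey', '--privkey', '/certs/a.key', '--pubkey', '/tmp/pubkey.pub']",
    "2016-01-01T00:00:01Z INFO certificate-manager Running command: "
    "['/usr/lib/vmware-vmca/bin/certool', '--gencsrfromcert', '--privkey', '/certs/a.key', "
    "'--cert', '/var/lib/vmware/vmca/root.cer', '--csrfile', '/certs/a.csr']",
]

# Constructed excerpts of `openssl req -noout -text -in csr.csr`: one CSR that
# honours the config, one that still carries an old (assumed) certificate's names.
CSR_TEXT_OK = """Certificate Request:
    Data:
        Subject: C = US, ST = Indiana, L = Indianapolis, O = VMware, CN = vCenterServer
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:vcenter.vmware.local, IP Address:10.0.1.10
"""
CSR_TEXT_STALE = (CSR_TEXT_OK.replace("CN = vCenterServer", "CN = oldvc.corp.local")
                  .replace("DNS:vcenter.vmware.local", "DNS:oldvc.corp.local"))

CERTOOL = {"appliance": "/usr/lib/vmware-vmca/bin/certool",
           "windows": r"C:\Program Files\VMware\vCenter Server\vmcad\certool"}


def parse_certool_cfg(text):
    """Parse 'Key = value' lines; '#' starts a comment. Hostname and Name may
    hold comma-separated lists (multiple SAN DNS names / subject names)."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed certool.cfg line: %r" % raw)
        key, value = key.strip(), value.strip()
        cfg[key] = [v.strip() for v in value.split(",") if v.strip()] if key in ("Hostname", "Name") else value
    return cfg


def validate_cfg(cfg, pnid):
    """Problems that would make the CSR unusable for this node. The PNID
    (vmafd-cli get-pnid output) must appear in Hostname with identical case."""
    problems = []
    if len(cfg.get("Country", "")) != 2:
        problems.append("Country must be exactly 2 characters")
    if not cfg.get("Name"):
        problems.append("Name (subject CN) is empty")
    hosts = cfg.get("Hostname", [])
    if pnid not in hosts:
        if pnid.lower() in [h.lower() for h in hosts]:
            problems.append("Hostname case does not match PNID %r" % pnid)
        else:
            problems.append("PNID %r missing from Hostname" % pnid)
    return problems


def cert_manager_reused_existing_cert(log_lines):
    """True when certificate-manager ran certool --gencsrfromcert, i.e. the CSR
    was derived from the certificate already installed, not from certool.cfg."""
    return any("Running command:" in l and "'--gencsrfromcert'" in l for l in log_lines)


def initcsr_command(platform, cfg_path, privkey="priv.key", pubkey="pub.key", csrfile="csr.csr"):
    """argv for the manual workaround: certool --initcsr with the custom config."""
    return [CERTOOL[platform], "--initcsr", "--privkey=" + privkey, "--pubkey=" + pubkey,
            "--csrfile=" + csrfile, "--config=" + cfg_path]


def check_csr_against_cfg(openssl_req_text, cfg):
    """Compare the decoded CSR with the config (assumed mapping: Name -> CN,
    Hostname -> SAN DNS, IPAddress -> SAN IP). Returns a list of mismatches."""
    m = re.search(r"^\s*Subject:\s*(.+)$", openssl_req_text, re.M)
    subject = m.group(1) if m else ""
    cns = [c.strip() for c in re.findall(r"\bCN\s*=\s*([^,\n]+)", subject)]
    dns = re.findall(r"DNS:([^,\s]+)", openssl_req_text)
    ips = re.findall(r"IP Address:([^,\s]+)", openssl_req_text)
    mismatches = ["CN missing: " + n for n in cfg.get("Name", []) if n not in cns]
    mismatches += ["SAN DNS missing: " + h for h in cfg.get("Hostname", []) if h not in dns]
    mismatches += ["unexpected SAN DNS (stale cert?): " + d for d in dns if d not in cfg.get("Hostname", [])]
    if cfg.get("IPAddress") and cfg["IPAddress"] not in ips:
        mismatches.append("SAN IP missing: " + cfg["IPAddress"])
    return mismatches


if __name__ == "__main__":
    cfg = parse_certool_cfg(SAMPLE_CFG)
    print("certificate-manager reused existing cert:", cert_manager_reused_existing_cert(SAMPLE_LOG))
    print("config problems:", validate_cfg(cfg, "vcenter.vmware.local"))
    print(" ".join(initcsr_command("appliance", "/root/certool_acme.cfg")))
    print("good CSR mismatches:", check_csr_against_cfg(CSR_TEXT_OK, cfg))
    print("stale CSR mismatches:", check_csr_against_cfg(CSR_TEXT_STALE, cfg))
```

On a real system you would feed the script the actual log file, the PNID printed by vmafd-cli get-pnid, and the output of openssl req -noout -text -in csr.csr; an empty mismatch list means the CSR reflects certool_acme.cfg and not the certificate that was previously installed.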