...
Symptoms

Replacing the VMCA certificate on vCenter Server 6.0 Update 2 with a subordinate CA certificate fails.

In the Certificate Manager Utility, you see the error:

    Error Message : Not a CA Cert

In the certificate-manager.log file, you see entries similar to:

    YYYY-MM-DDT<time> INFO certificate-manager Replacing Root Cert using Custom CA...
    YYYY-MM-DDT<time> INFO certificate-manager Running command :- ['/usr/lib/vmware-vmca/bin/certool', '--rootca', '--cert', '/tmp/root_signing_chain.cer', '--privkey', '/tmp/vmca_issued_key.key', '--server', 'localhost']
    YYYY-MM-DDT<time> INFO certificate-manager Command output :-
    Error: 70011, VMCAAddRootCertificatePrivate() failed
    Status : Failed
    Error Code : 70011
    Error Message : Not a CA Cert
    YYYY-MM-DDT<time> ERROR certificate-manager Error: 70011, VMCAAddRootCertificatePrivate() failed
    Status : Failed
    Error Code : 70011
    Error Message : Not a CA Cert
    YYYY-MM-DDT<time> ERROR certificate-manager Error while performing Cert Replacement operation, please see /var/log/vmware/vmcad/certificate-manager.log for more information.
    YYYY-MM-DDT<time> ERROR certificate-manager {
        "resolution": null,
        "detail": [
            {
                "args": ["Error: 70011, VMCAAddRootCertificatePrivate() failed\nStatus : Failed\nError Code : 70011\nError Message : Not a CA Cert\n"],
                "id": "install.ciscommon.command.errinvoke",
                "localized": "An error occurred while invoking external command : 'Error: 70011, VMCAAddRootCertificatePrivate() failed\nStatus : Failed\nError Code : 70011\nError Message : Not a CA Cert\n'",
                "translatable": "An error occurred while invoking external command : '%(0)s'"
            },
            "Error while performing certool rootca command"
        ],
        "componentKey": null,
        "problemId": null
    }
    YYYY-MM-DDT<time> INFO certificate-manager Performing rollback of Root Cert...

The certificate-manager.log file is located at:

    Windows vCenter Server: C:\ProgramData\VMware\vCenterServer\logs\vmca\certificate-manager.log
    vCenter Server Appliance: /var/log/vmware/vmcad/certificate-manager.log

Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.

Running this command against the certificate returned by the CA returns CA:FALSE:

    vCenter Server Appliance:
    openssl x509 -in root_signing_cert.cer -text -noout | grep CA\:

    Windows vCenter Server:
    "C:\Program Files\VMware\vCenter Server\openSSL\openssl" x509 -in C:\Certs\root_signing_cert.cer -text -noout | findstr CA:

Running this command on the vCenter Server Appliance shows the extensions that the Certificate Manager Utility placed in the CSR:

    openssl req -in /tmp/vmca_issued_csr.csr -noout -text | grep -A4 "Requested Extensions"

    Requested Extensions:
        X509v3 Subject Alternative Name:
            email:email@acme.com, DNS:vcsa.domain.com
        X509v3 Subject Key Identifier:
            0A:28:33:A7:44:EB:2D:C8:88:48:C0:4E:C5:6E:F2:82:6E:EF:D1:CC

The CSR requests only a Subject Alternative Name and a Subject Key Identifier. It does not request X509v3 Basic Constraints (CA:TRUE) or X509v3 Key Usage (Certificate Sign, CRL Sign), so a CA that issues from the request as submitted returns an end-entity certificate rather than a CA certificate.
Cause

This issue occurs because the Certificate Manager Utility in vCenter Server 6.0 Update 2 generates an incorrect certificate signing request (CSR) for the root signing certificate.

Notes:

In 6.0 Update 1b and earlier, the CSR is generated by copying the attributes from the existing default VMCA root certificate, which already carries the required extensions.

In 6.0 Update 2, the CSR is generated from a *.cfg file that specifies company data for the Subject of the VMCA root. This change did not take into account the fields that a VMCA signing certificate requires, so the CSR does not include the Key Usage (keyCertSign, cRLSign) and basicConstraints CA:TRUE values. The CA therefore issues a certificate that is not a CA certificate, and certool rejects it with "Not a CA Cert".

Note: For more information on key usage, see the Additional Information section below.
Resolution

This is a known issue affecting vCenter Server 6.0 Update 2.

To work around this issue, manually generate the CSR using OpenSSL.

Windows vCenter Server:

1. Connect to vCenter Server.

2. Navigate to C:\Certs\ and create a blank text file named vmca_root.cfg.

3. Add this template to the file:

    [ req ]
    default_bits = 2048
    default_keyfile = rui.key
    distinguished_name = req_distinguished_name
    encrypt_key = no
    prompt = no
    string_mask = nombstr
    req_extensions = v3_req

    [ v3_req ]
    basicConstraints = CA:TRUE
    keyUsage = keyCertSign, cRLSign
    subjectAltName = @alt_names

    [ req_distinguished_name ]
    countryName = US
    stateOrProvinceName = NY
    localityName = New York
    0.organizationName = VMware
    organizationalUnitName = VMCA
    commonName = vcsa.domain.com
    emailAddress = user@company.com

    [alt_names]
    DNS.1 = vcsa.domain.com
    IP.1 = IP_Address

   Note: The subjectAltName, alt_names, DNS and IP fields are optional. The v3_req section is what supplies the basicConstraints and keyUsage values that the Certificate Manager Utility omits; do not remove it.

4. Create the CSR using this command:

    openssl req -days 365 -new -newkey rsa:2048 -keyout C:\Certs\vmca.key -out C:\Certs\vmca.csr -config C:\Certs\vmca_root.cfg

   Note: The -days value only applies to certificates that openssl req issues itself (with -x509). A CSR carries no validity period, so the expiration date of the signing certificate is determined by the issuing CA.

5. Provide the resulting vmca.csr to the CA for certificate creation.

vCenter Server Appliance:

1. Connect to the vCenter Server Appliance.

2. Navigate to /tmp/.

3. Create the vmca_root.cfg file with this command:

    touch vmca_root.cfg

4. Open vmca_root.cfg using a text editor:

    vi vmca_root.cfg

5. Add this template to the file:

    [ req ]
    default_bits = 2048
    default_keyfile = rui.key
    distinguished_name = req_distinguished_name
    encrypt_key = no
    prompt = no
    string_mask = nombstr
    req_extensions = v3_req

    [ v3_req ]
    basicConstraints = CA:TRUE
    keyUsage = keyCertSign, cRLSign
    subjectAltName = @alt_names

    [ req_distinguished_name ]
    countryName = US
    stateOrProvinceName = NY
    localityName = New York
    0.organizationName = VMware
    organizationalUnitName = VMCA
    commonName = vcsa.domain.com
    emailAddress = user@company.com

    [alt_names]
    DNS.1 = vcsa.domain.com
    IP.1 = 192.168.1.2

   Note: The subjectAltName, alt_names, DNS and IP fields are optional. The v3_req section is what supplies the basicConstraints and keyUsage values that the Certificate Manager Utility omits; do not remove it.

6. Create the CSR using this command:

    openssl req -days 365 -new -newkey rsa:2048 -keyout /tmp/vmca.key -out /tmp/vmca.csr -config /tmp/vmca_root.cfg

   Note: The -days value only applies to certificates that openssl req issues itself (with -x509). A CSR carries no validity period, so the expiration date of the signing certificate is determined by the issuing CA.

7. Provide the resulting vmca.csr to the CA for certificate creation.

The CA extensions travel in the CSR only as requested extensions, so the issuing CA must also honor them. A CA or certificate template that ignores requested extensions issues a certificate without CA:TRUE and the replacement fails in the same way; verify the issued certificate before running the Certificate Manager Utility, as described under Additional Information.
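The following script is an added example and is not part of VMware's KB article or tooling. It runs the vCenter Server Appliance procedure above end to end with OpenSSL, then applies the checks from the Symptoms and Additional Information sections: it writes the vmca_root.cfg template, generates the key and CSR, confirms that the CSR now requests CA:TRUE and the keyCertSign/cRLSign key usages, and signs the CSR with a throwaway test CA in two ways, once carrying the requested v3_req extensions into the certificate and once dropping them, to show that a CA which ignores the requested extensions still produces the "Not a CA Cert" condition. The working directory, the test CA, and the subject, hostname vcsa.domain.com and IP 192.168.1.2 are assumed sample values; in a real deployment vmca.csr is handed to the enterprise CA instead of being signed locally.

```shell
#!/bin/sh
# Added example, not VMware code: run the KB's CSR procedure with OpenSSL,
# verify the CA extensions, and show what happens when the issuing CA drops them.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"   # stand-in for /tmp on the appliance (assumed)

# The KB's vmca_root.cfg template. Subject, hostname and IP are sample values.
write_vmca_cfg() {
    cat > "$1" <<'EOF'
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:TRUE
keyUsage = keyCertSign, cRLSign
subjectAltName = @alt_names

[ req_distinguished_name ]
countryName = US
stateOrProvinceName = NY
localityName = New York
0.organizationName = VMware
organizationalUnitName = VMCA
commonName = vcsa.domain.com
emailAddress = user@company.com

[ alt_names ]
DNS.1 = vcsa.domain.com
IP.1 = 192.168.1.2
EOF
}

# Key + CSR, as in the KB. -days is left out: a CSR has no validity period.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORKDIR/vmca.key" -out "$WORKDIR/vmca.csr" \
        -config "$WORKDIR/vmca_root.cfg" 2>/dev/null
}

# The KB's checks: CA:TRUE present, and Key Usage lists Certificate Sign, CRL Sign.
# $1 is a text dump produced by "openssl req/x509 -noout -text".
shows_ca_extensions() {
    grep -q 'CA:TRUE' "$1" &&
    grep -A1 'X509v3 Key Usage' "$1" | grep -q 'Certificate Sign, CRL Sign'
}
csr_is_ca()  { openssl req  -in "$1" -noout -text > "$1.txt"; shows_ca_extensions "$1.txt"; }
cert_is_ca() { openssl x509 -in "$1" -noout -text > "$1.txt"; shows_ca_extensions "$1.txt"; }

# Throwaway test root standing in for the enterprise CA (demo only, assumed).
make_test_ca() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 2 \
        -subj '/CN=Example Test Root CA' \
        -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" 2>/dev/null
}

# Sign vmca.csr into $1. With $2 = keep, the v3_req extensions are written into
# the certificate; otherwise they are dropped, which is what "openssl x509 -req"
# does by default and what a CA template without CA key usages does.
sign_csr() {
    if [ "$2" = keep ]; then
        ext_args="-extfile $WORKDIR/vmca_root.cfg -extensions v3_req"
    else
        ext_args=""
    fi
    # shellcheck disable=SC2086  # ext_args is intentionally word-split
    openssl x509 -req -in "$WORKDIR/vmca.csr" -CA "$WORKDIR/ca.crt" \
        -CAkey "$WORKDIR/ca.key" -CAcreateserial -days 365 \
        -out "$1" $ext_args 2>/dev/null
}

demo() {
    write_vmca_cfg "$WORKDIR/vmca_root.cfg"
    make_csr
    make_test_ca
    sign_csr "$WORKDIR/vmca_noext.crt" drop
    sign_csr "$WORKDIR/vmca_ca.crt" keep
    if csr_is_ca "$WORKDIR/vmca.csr"; then
        echo "vmca.csr requests CA:TRUE and keyCertSign/cRLSign"
    fi
    for crt in vmca_noext.crt vmca_ca.crt; do
        if cert_is_ca "$WORKDIR/$crt"; then
            echo "$crt: CA extensions present"
        else
            echo "$crt: CA extensions missing; certool would report Not a CA Cert"
        fi
    done
}
demo
```

Run it on any host with OpenSSL; it does not touch the appliance. The `keep` branch is the behaviour to expect from the enterprise CA: when that CA is a Microsoft CA, it is obtained through a certificate template that grants the Certificate Signing and CRL Signing key usages, as covered by the related article on Microsoft CA templates for vSphere 6.0. The `drop` branch reproduces the CA:FALSE certificate seen in the Symptoms section even though the CSR is correct, which is why the issued certificate, not only the CSR, should be checked before certool is run.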
Additional Information

Certificate replacement also fails when the Key Usage of the certificate signed by the CA is missing the required Certificate Sign and CRL Sign values. Run this command to display the Key Usage of the issued certificate:

    openssl x509 -in rui.crt -noout -text | grep 'X509v3 Key Usage' -A1

The output should list Certificate Sign and CRL Sign. If it does not, the CA did not apply the requested extensions and the certificate must be reissued with a template that grants them.

Related Information

Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.0

This article is also available in Japanese and Chinese under the title: Replacing the vCenter Server VMCA certificate with a subordinate certificate authority certificate fails with the error: Error Message: Not a CA Cert