Using the vCenter Appliance to create a certificate CSR with SANs (Subject Alternative Names) in labs
- Hammad Alam
- Jun 25, 2019
NSX Manager does not let you create a CSR with SANs (Subject Alternative Names). Certificates of this type are useful when you want one certificate to serve several URL host names, for example the NSX Manager cluster VIP and each of the manager nodes behind it. I use the vCenter Server Appliance as a quick and handy tool to generate such CSRs, which are then signed by a lab CA (Microsoft AD based).
SSH to the vCenter server and run:
/usr/lib/vmware-vmca/bin/certificate-manager

root@vcenter67-1 [ ~ ]# /usr/lib/vmware-vmca/bin/certificate-manager
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
| |
| *** Welcome to the vSphere 6.7 Certificate Manager *** |
| |
| -- Select Operation -- |
| |
| 1. Replace Machine SSL certificate with Custom Certificate |
| |
| 2. Replace VMCA Root certificate with Custom Signing |
| Certificate and replace all Certificates |
| |
| 3. Replace Machine SSL certificate with VMCA Certificate |
| |
| 4. Regenerate a new VMCA Root Certificate and |
| replace all certificates |
| |
| 5. Replace Solution user certificates with |
| Custom Certificate |
| |
| 6. Replace Solution user certificates with VMCA certificates |
| |
| 7. Revert last performed operation by re-publishing old |
| certificates |
| |
| 8. Reset all Certificates |
|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|
Note : Use Ctrl-D to exit.
Option[1 to 8]: 1
Please provide valid SSO and VC privileged user credential to perform certificate operations.
Enter username [Administrator@vsphere.local]:administrator@nsxt.local
Enter password:
1. Generate Certificate Signing Request(s) and Key(s) for Machine SSL certificate
2. Import custom certificate(s) and key(s) to replace existing Machine SSL certificate
Option [1 or 2]: 1
Please provide a directory location to write the CSR(s) and PrivateKey(s) to:
Output directory path: /var/tmp/vmware/
Please configure certool.cfg with proper values before proceeding to next step.
Press Enter key to skip optional parameters or use Default value.
Enter proper value for 'Country' [Default value : US] :
Enter proper value for 'Name' [Default value : CA] :
Enter proper value for 'Organization' [Default value : VMware] :
Enter proper value for 'OrgUnit' [Default value : VMware Engineering] :
Enter proper value for 'State' [Default value : California] :
Enter proper value for 'Locality' [Default value : Palo Alto] :
Enter proper value for 'IPAddress' (Provide comma separated values for multiple IP addresses) [optional] : 10.29.12.149
Enter proper value for 'Email' [Default value : email@acme.com] : halam@vmware.com
Enter proper value for 'Hostname' (Provide comma separated values for multiple Hostname entries) [Enter valid Fully Qualified Domain Name(FQDN), For Example : example.domain.com] : nsxtmgrvip.nsxt.local,nsxtmgr.nsxt.local,nsxtmgr2.nsxt.local,nsxtmgr3.nsxt.local
Enter proper value for VMCA 'Name' :nsxtmgrvip
2019-03-20T21:25:05.743Z Running command: ['/usr/lib/vmware-vmca/bin/certool', '--genkey', '--privkey', '/var/tmp/vmware/vmca_issued_key.key', '--pubkey', '/tmp/pubkey.pub']
2019-03-20T21:25:07.201Z Done running command
2019-03-20T21:25:07.202Z Running command: ['/usr/lib/vmware-vmca/bin/certool', '--gencsr', '--privkey', '/var/tmp/vmware/vmca_issued_key.key', '--pubkey', '/tmp/pubkey.pub', '--config', '/var/tmp/vmware/certool.cfg', '--csrfile', '/var/tmp/vmware/vmca_issued_csr.csr']
2019-03-20T21:25:07.811Z Done running command
CSR generated at: /var/tmp/vmware/vmca_issued_csr.csr
1. Continue to importing Custom certificate(s) and key(s) for Machine SSL certificate
2. Exit certificate-manager
Option [1 or 2]: 2
root@vcenter67-1 [ ~ ]# cd /var/tmp/vmware/
root@vcenter67-1 [ /var/tmp/vmware ]# ls -al vmca*
-rw-r--r-- 1 root root 1703 Mar 20 17:25 vmca_issued_key.key
-rw-r--r-- 1 root root 1248 Mar 20 17:25 vmca_issued_csr.csr
root@vcenter67-1 [ /var/tmp/vmware ]# more vmca_issued_csr.csr
-----BEGIN CERTIFICATE REQUEST-----
MIIDYjCCAkoCAQAwcTELMAkGA1UEAwwCQ0ExCzAJBgNVBAYTAlVTMRMwEQYDVQQI
DApDYWxpZm9ybmlhMRIwEAYDVQQHDAlQYWxvIEFsdG8xDzANBgNVBAoMBlZNd2Fy
ZTEbMBkGA1UECwwSVk13YXJlIEVuZ2luZWVyaW5nMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEA5JQ+fr5GQ4WdV5SVvef4p/+AaGSMXTTZwTQjsQP8koIh
LdPBLpmTcN8YO2aVDqJgK8e/fDmWMMbj+Lu7I1oOKho/ZBnGhSabQngSE5kB7CYC
0ip3wmPni8ryzHBIBm2WFISaM/aPjptBiDxdDbZbpBn2WaeHJV9/Eg/LBZD2vRVP
IKCrXc9P3EZScj3QDRu8YQCeh8+jfe5bIaLIMACe491LoMZ8MTKC/mGI17PRLRCI
X1XBQzHT63jef4f1YWM2hF1fawbdeWH7P8dcbjZikYaNyDALvDDac4NC+W171m3T
lEUEkjY33/x08B2BcN5LACB9gaeIBYnzcgZCWupp+wIDAQABoIGrMIGoBgkqhkiG
9w0BCQ4xgZowgZcwdgYDVR0RBG8wbYEQaGFsYW1Adm13YXJlLmNvbYcECh0MlYIV
bnN4dG1ncnZpcC5uc3h0LmxvY2FsghJuc3h0bWdyLm5zeHQubG9jYWyCE25zeHRt
Z3IyLm5zeHQubG9jYWyCE25zeHRtZ3IzLm5zeHQubG9jYWwwHQYDVR0OBBYEFC3d
ZqwmBK367VjLBXvIMJtSpEOZMA0GCSqGSIb3DQEBCwUAA4IBAQCt3lvHwgQ9sur1
hH/Lw6IJdxYT1SswqWPmBX4MNzGa6oJl6UL0A5RZB4S0ho6NYx9191SZDsnpN87e
TobIhdd6jN6ZqlTJlkJ/9k6CcVWms1NXiq/8u/IIFDtfEyEdePkKn+xP5G4p4IFR
NgK5BnS2G+aKitAB33JADBGkboO9QVJoWU69tYFxhE5uZTiN1dq2u0nIIEGd+Uh/
aSgPe3JxzmZULiV2BcG/SszoTQe5pS0CvG8wfUIW3N+Qhhah0QPxyNQkHVOHuVS8
S7GQXhpkTPVCQ7sflBnBuszOk6hFRsHtjP1khSDL/NROVSDeVEdmDllyyESDTrqq
HDFeM6AM
-----END CERTIFICATE REQUEST-----

You can now take this CSR to any CA for signing. Import the signed certificate together with the vmca_issued_key.key file into NSX Manager to complete the certificate import. Keep in mind that the private key was generated on the vCenter appliance and is still sitting in /var/tmp/vmware there; once it has been imported into NSX Manager, delete it from vCenter, and check the issued certificate before importing it, since the CA's policy decides which of the requested extensions survive signing.
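As an added example that is not part of the original post, the script below builds the same kind of SAN CSR with plain OpenSSL (the general method, of which certool's certool.cfg is one instance) and then runs the checks worth doing before handing a CSR to a CA and after getting the certificate back: that the SANs are really in the request, that the CSR signature verifies, that the private key matches the request, and that the issuer kept the SAN extension. The hostnames and IP are taken from the transcript above; the working directory, file names and the self-signing step (which only stands in for the lab CA) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Requires the openssl CLI.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"   # assumed scratch directory
CSR_CN="nsxtmgrvip"                   # CN used for the VMCA 'Name' above
# SANs from the transcript: cluster VIP, three manager nodes, one IP.
SAN_LIST="DNS:nsxtmgrvip.nsxt.local,DNS:nsxtmgr.nsxt.local,DNS:nsxtmgr2.nsxt.local,DNS:nsxtmgr3.nsxt.local,IP:10.29.12.149"

# Write an OpenSSL request config equivalent to certool.cfg.
write_config() {
  cat > "$WORKDIR/csr.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions = v3_req
prompt = no

[ dn ]
C  = US
ST = California
L  = Palo Alto
O  = VMware
OU = VMware Engineering
CN = $CSR_CN

[ v3_req ]
subjectAltName = $SAN_LIST
EOF
}

# Generate a 2048-bit RSA key and a SHA-256 signed CSR carrying the SANs.
gen_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORKDIR/nsxt.key" -out "$WORKDIR/nsxt.csr" \
    -config "$WORKDIR/csr.cnf" >/dev/null 2>&1
}

# List the SANs in a CSR (mode "req") or certificate (mode "x509"), one per
# line, e.g. "DNS:nsxtmgr.nsxt.local" or "IP Address:10.29.12.149".
san_list() {
  openssl "$1" -in "$2" -noout -text \
    | sed -n '/X509v3 Subject Alternative Name/{n;p;}' \
    | tr ',' '\n' | sed 's/^ *//; s/ *$//'
}
csr_has_san()  { san_list req  "$1" | grep -qxF "$2"; }
cert_has_san() { san_list x509 "$1" | grep -qxF "$2"; }

# The CSR's self-signature must verify, or the CA will reject it.
csr_signature_ok() { openssl req -in "$1" -noout -verify >/dev/null 2>&1; }

# The key you import alongside the signed cert must be the one in the CSR:
# compare the SubjectPublicKeyInfo derived from each.
key_matches_csr() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  c=$(openssl req -in "$2" -pubkey -noout 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

run_demo() {
  write_config
  gen_csr
  echo "CSR signature ok:   $(csr_signature_ok "$WORKDIR/nsxt.csr" && echo yes || echo no)"
  echo "key matches CSR:    $(key_matches_csr "$WORKDIR/nsxt.key" "$WORKDIR/nsxt.csr" && echo yes || echo no)"
  echo "SANs requested:"; san_list req "$WORKDIR/nsxt.csr"
  # Stand-in for the lab CA: sign once ignoring the requested extensions
  # (x509 -req drops them by default) and once honouring them.
  openssl x509 -req -in "$WORKDIR/nsxt.csr" -signkey "$WORKDIR/nsxt.key" -days 30 \
    -out "$WORKDIR/nsxt-noext.crt" 2>/dev/null
  openssl x509 -req -in "$WORKDIR/nsxt.csr" -signkey "$WORKDIR/nsxt.key" -days 30 \
    -extfile "$WORKDIR/csr.cnf" -extensions v3_req -out "$WORKDIR/nsxt-ext.crt" 2>/dev/null
  echo "SANs in cert signed without extensions:"; san_list x509 "$WORKDIR/nsxt-noext.crt"
  echo "SANs in cert signed with extensions:";    san_list x509 "$WORKDIR/nsxt-ext.crt"
}
run_demo
```

The first self-signed certificate comes back with no SANs at all even though the CSR asked for five, which is exactly the failure mode to look for in a certificate returned by a real CA: run the `x509` variant of the SAN listing on the issued file and confirm every host name you need is there before importing it into NSX Manager.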