Hammad Alam

Using the vCenter Server Appliance to create a certificate CSR with Subject Alternative Names (SANs) in labs

NSX Manager does not allow you to create a CSR with SANs (Subject Alternative Names). Such certificates are useful when you want one certificate to serve several host names, for example the NSX Manager cluster VIP and each of the individual manager nodes. I use the vCenter Server Appliance as a quick and handy tool to generate CSRs, which are then signed by a lab CA (Microsoft AD based).


SSH to the vCenter Server Appliance as root and run:

/usr/lib/vmware-vmca/bin/certificate-manager
root@vcenter67-1 [ ~ ]# /usr/lib/vmware-vmca/bin/certificate-manager
                 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
                |                                                                     |
                |      *** Welcome to the vSphere 6.7 Certificate Manager  ***        |
                |                                                                     |
                |                   -- Select Operation --                            |
                |                                                                     |
                |      1. Replace Machine SSL certificate with Custom Certificate     |
                |                                                                     |
                |      2. Replace VMCA Root certificate with Custom Signing           |
                |         Certificate and replace all Certificates                    |
                |                                                                     |
                |      3. Replace Machine SSL certificate with VMCA Certificate       |
                |                                                                     |
                |      4. Regenerate a new VMCA Root Certificate and                  |
                |         replace all certificates                                    |
                |                                                                     |
                |      5. Replace Solution user certificates with                     |
                |         Custom Certificate                                          |
                |                                                                     |
                |      6. Replace Solution user certificates with VMCA certificates   |
                |                                                                     |
                |      7. Revert last performed operation by re-publishing old        |
                |         certificates                                                |
                |                                                                     |
                |      8. Reset all Certificates                                      |
                |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|
Note : Use Ctrl-D to exit.
Option[1 to 8]: 1

Please provide valid SSO and VC privileged user credential to perform certificate operations.
Enter username [Administrator@vsphere.local]:administrator@nsxt.local
Enter password:
         1. Generate Certificate Signing Request(s) and Key(s) for Machine SSL certificate

         2. Import custom certificate(s) and key(s) to replace existing Machine SSL certificate

Option [1 or 2]: 1

Please provide a directory location to write the CSR(s) and PrivateKey(s) to:
Output directory path: /var/tmp/vmware/

Please configure certool.cfg with proper values before proceeding to next step.

Press Enter key to skip optional parameters or use Default value.

Enter proper value for 'Country' [Default value : US] :

Enter proper value for 'Name' [Default value : CA] :

Enter proper value for 'Organization' [Default value : VMware] :

Enter proper value for 'OrgUnit' [Default value : VMware Engineering] :

Enter proper value for 'State' [Default value : California] :

Enter proper value for 'Locality' [Default value : Palo Alto] :

Enter proper value for 'IPAddress' (Provide comma separated values for multiple IP addresses) [optional] : 10.29.12.149

Enter proper value for 'Email' [Default value : email@acme.com] : halam@vmware.com

Enter proper value for 'Hostname' (Provide comma separated values for multiple Hostname entries) [Enter valid Fully Qualified Domain Name(FQDN), For Example : example.domain.com] : nsxtmgrvip.nsxt.local,nsxtmgr.nsxt.local,nsxtmgr2.nsxt.local,nsxtmgr3.nsxt.local

Enter proper value for VMCA 'Name' :nsxtmgrvip
2019-03-20T21:25:05.743Z  Running command: ['/usr/lib/vmware-vmca/bin/certool', '--genkey', '--privkey', '/var/tmp/vmware/vmca_issued_key.key', '--pubkey', '/tmp/pubkey.pub']
2019-03-20T21:25:07.201Z  Done running command
2019-03-20T21:25:07.202Z  Running command: ['/usr/lib/vmware-vmca/bin/certool', '--gencsr', '--privkey', '/var/tmp/vmware/vmca_issued_key.key', '--pubkey', '/tmp/pubkey.pub', '--config', '/var/tmp/vmware/certool.cfg', '--csrfile', '/var/tmp/vmware/vmca_issued_csr.csr']
2019-03-20T21:25:07.811Z  Done running command

CSR generated at: /var/tmp/vmware/vmca_issued_csr.csr
         1. Continue to importing Custom certificate(s) and key(s) for Machine SSL certificate

         2. Exit certificate-manager

Option [1 or 2]: 2
root@vcenter67-1 [ ~ ]# cd /var/tmp/vmware/
root@vcenter67-1 [ /var/tmp/vmware ]# ls -al vmca*
-rw-r--r-- 1 root root 1703 Mar 20 17:25 vmca_issued_key.key
-rw-r--r-- 1 root root 1248 Mar 20 17:25 vmca_issued_csr.csr

root@vcenter67-1 [ /var/tmp/vmware ]# more vmca_issued_csr.csr
-----BEGIN CERTIFICATE REQUEST-----
(PEM body omitted)
-----END CERTIFICATE REQUEST-----

Now you can take this CSR to any CA for signing. Before you submit it, confirm that the SAN extension is actually present in the CSR, and when the certificate comes back, confirm that the issued certificate still carries the SANs: a CA may drop extensions requested in the CSR. Import the signed certificate (together with its issuing chain) and the vmca_issued_key.key file into NSX Manager to complete the certificate import. Keep in mind that this is the NSX Manager's private key and, as the listing above shows, certificate-manager writes it world-readable (0644) under /var/tmp/vmware/ on the vCenter appliance: copy it over a protected channel and delete it from vCenter once the import succeeds.
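The same workflow with plain openssl, as an added example that is not part of the original post and not VMware's tooling: it builds a CSR carrying DNS and IP SANs from the same comma-separated lists that certificate-manager prompts for, writes the key with a restrictive umask, and then runs the checks worth doing before submitting the CSR and before importing the issued certificate into NSX Manager (SANs present in the CSR, SANs preserved in the certificate, certificate matches the private key, certificate chains to the CA). The host names, the IP address and the throwaway "Lab CA" that signs the CSR are constructed values standing in for the post's lab and its AD-based CA.

```shell
#!/bin/sh
# Added example (not from the original post): CSR with SANs via plain openssl,
# plus the pre-submit and pre-import checks. All names/IPs below are constructed.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEY="$WORKDIR/nsxtmgr.key"     # private key that goes to NSX Manager with the cert
CSR="$WORKDIR/nsxtmgr.csr"
CFG="$WORKDIR/nsxtmgr.cnf"
CAKEY="$WORKDIR/labca.key"     # throwaway lab CA, stand-in for the AD CS CA
CACERT="$WORKDIR/labca.crt"
CACFG="$WORKDIR/labca.cnf"
CERT="$WORKDIR/nsxtmgr.crt"

# Same shape as certificate-manager's 'Hostname' and 'IPAddress' prompts.
DNS_SANS="nsxtmgrvip.nsxt.local,nsxtmgr.nsxt.local,nsxtmgr2.nsxt.local,nsxtmgr3.nsxt.local"
IP_SANS="10.29.12.149"

# Turn the lists into an openssl subjectAltName value: DNS:a,DNS:b,IP:x
build_san() {
  san=""
  for h in $(printf '%s' "$DNS_SANS" | tr ',' ' '); do san="${san:+$san,}DNS:$h"; done
  for i in $(printf '%s' "$IP_SANS" | tr ',' ' '); do san="${san:+$san,}IP:$i"; done
  printf '%s' "$san"
}

write_configs() {
  cat > "$CFG" <<EOF
[ req ]
distinguished_name = dn
req_extensions = v3_req
prompt = no

[ dn ]
C  = US
ST = California
L  = Palo Alto
O  = VMware
OU = VMware Engineering
CN = nsxtmgrvip.nsxt.local

[ v3_req ]
subjectAltName = $(build_san)
EOF
  cat > "$CACFG" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no

[ dn ]
CN = Lab CA

[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
}

# Key + CSR. umask 077 so the key is owner-readable only
# (certificate-manager wrote it 0644 in the listing above).
gen_csr() {
  write_configs
  umask 077
  openssl req -new -newkey rsa:2048 -nodes -keyout "$KEY" -out "$CSR" \
    -config "$CFG" >/dev/null 2>&1
}

# Stand-in for the lab CA. Note -extfile/-extensions: 'openssl x509 -req' does
# not copy the SANs out of the CSR on its own, and other CAs may drop them too.
sign_with_lab_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$CAKEY" -out "$CACERT" \
    -days 1 -config "$CACFG" >/dev/null 2>&1
  openssl x509 -req -in "$CSR" -CA "$CACERT" -CAkey "$CAKEY" -set_serial 1 \
    -days 1 -extfile "$CFG" -extensions v3_req -out "$CERT" >/dev/null 2>&1
}

# SAN line of a CSR ($1). Check this before sending the CSR to the CA.
csr_sans() {
  openssl req -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n1 | sed 's/^ *//'
}

# SAN line of an issued certificate ($1). Check this before importing it.
cert_sans() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n1 | sed 's/^ *//'
}

# True when certificate $1 was issued for private key $2 (same RSA modulus).
# A mismatch here is the usual reason an import into NSX Manager fails.
cert_matches_key() {
  c=$(openssl x509 -in "$1" -noout -modulus | openssl sha256)
  k=$(openssl rsa -in "$2" -noout -modulus | openssl sha256)
  [ "$c" = "$k" ]
}

# True when certificate $1 chains to the lab CA.
cert_chains_to_ca() {
  openssl verify -CAfile "$CACERT" "$1" >/dev/null 2>&1
}

main() {
  gen_csr
  echo "CSR SANs:  $(csr_sans "$CSR")"
  sign_with_lab_ca
  echo "Cert SANs: $(cert_sans "$CERT")"
  cert_matches_key "$CERT" "$KEY"
  cert_chains_to_ca "$CERT"
  echo "ready to import: $CERT + $KEY"
}
main
```

Against a real CA, replace sign_with_lab_ca with the submission to your CA and run cert_sans, cert_matches_key and cert_chains_to_ca (with the CA's own chain file) on what comes back; the CSR generated by certificate-manager can be fed to csr_sans unchanged.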




