Fix CSR commonname or set VMCA to Custom Certificate Authority

I am maintaining a few ESXi hosts not connected to vCenter. Some of those are native 6.5 installations while others have been upgraded from 6.0 to 6.5.


Upgrading to 6.5 build 16576891 apparently broke the certificates on hosts that originally ran 6.0. /etc/vmware/ssl/castore.pem was zapped, i.e. had 0 bytes after the upgrade which caused a few problems like sfcbd not starting. I fixed that by running /sbin/generate-certificates and restarting sfcbd-watchdog and rhttpproxy. While that seems to have restored all services, the web UI CSR generation now uses the hosts IPv4 address as CSR commonname. Asking for the hostname in an SSH session reveals the correct name I would like to see in the CSR request.


That again, and the fact that the web UI is now HSTS-enabled, causes the issue that browsers (rightfully) complain about an insecure connection to the web UI. Specifically Firefox will not even allow an exception.


I am seeking your advice on the best way to fix this. I am happy to either fix the setting that causes the IPv4-based commonname or set the VMCA mode to Custom Certificate Authority and replace rui.key and rui.crt myself. Concerning the latter I was only able to find instructions on how to set it Through vCenter unfortunately.
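As an added example (not from the poster and not VMware's own tooling), the script below audits the subject CN of a host certificate and, when the CN turns out to be an IPv4 address as described above, produces a replacement CSR that carries the FQDN both as CN and as a subjectAltName, ready for signing by a custom CA. The certificate path defaults to /etc/vmware/ssl/rui.crt, the output directory, the HOSTNAME_FQDN override and the availability of openssl on the host are assumptions; the parsing helpers need only sed and grep, so they can be checked without a live host.

```shell
#!/bin/sh
# Added example: check whether the host certificate's CN is an IP address and,
# if so, build a CSR with the FQDN as CN and SAN. CERT, OUT and HOSTNAME_FQDN
# are assumed names; the certificate path is the ESXi default as an assumption.

CERT="${CERT:-/etc/vmware/ssl/rui.crt}"
OUT="${OUT:-/tmp/esxi-csr}"

# Extract the CN value from an "openssl x509 -subject -noout" line, e.g.
#   subject=C = US, O = Example, CN = 192.0.2.10   (constructed sample)
# Works for both the "key = value" and the "/key=value" subject styles.
cn_from_subject() {
    printf '%s\n' "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' | sed 's/[[:space:]]*$//'
}

# Return 0 when the argument looks like a dotted-quad IPv4 address.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Classify a subject line: prints "ip", "name" or "none" depending on its CN.
classify_cn() {
    cn=$(cn_from_subject "$1")
    if [ -z "$cn" ]; then
        echo none
    elif is_ipv4 "$cn"; then
        echo ip
    else
        echo name
    fi
}

# Write a 2048-bit RSA key and a CSR whose CN and SAN are the given FQDN.
# Requires openssl; the config file is generated inline so no prompts appear.
make_csr() {
    fqdn="$1"; dir="$2"
    mkdir -p "$dir"
    cat > "$dir/csr.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
CN = $fqdn
[ext]
subjectAltName = DNS:$fqdn
EOF
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/rui.key" \
        -out "$dir/rui.csr" -config "$dir/csr.cnf" >/dev/null 2>&1
}

main() {
    # Prefer an explicit FQDN; fall back to what the host reports.
    fqdn="${HOSTNAME_FQDN:-$(hostname -f 2>/dev/null || hostname)}"
    subject=$(openssl x509 -in "$CERT" -noout -subject 2>/dev/null) || subject=""
    case "$(classify_cn "$subject")" in
        ip)   echo "CN is an IP address; writing CSR for $fqdn to $OUT"
              make_csr "$fqdn" "$OUT" ;;
        name) echo "CN is already a name: $(cn_from_subject "$subject")" ;;
        none) echo "Could not read a CN from $CERT" ;;
    esac
}

# Run only when invoked as a script, so the helpers can be sourced for checks.
if [ "${0##*/}" = "esxi-csr-check.sh" ]; then
    main
fi
```

Review the resulting rui.csr with `openssl req -in /tmp/esxi-csr/rui.csr -noout -text` before submitting it to the CA: both the Subject CN and the X509v3 Subject Alternative Name should show the FQDN, since current browsers validate the SAN rather than the CN.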