Sometimes you need to include SANs (Subject Alternative Names) in your certificate. A SAN is a certificate extension that lets you secure multiple domains/subdomains with just one SSL certificate.
However, the VMware tool /usr/lib/vmware-vmca/bin/certificate-manager has no option to add SANs.
The solution is to skip VMware's certificate manager when creating the CSR and generate it with openssl and a req.conf file instead.
Runlist:
- SSH to your vCenter server
- Create new file named req.conf
- Paste this code:
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = your_country
ST = state
L = City
O = Organization
OU = OrgUnit
CN = dns_name.your.domain.com
[v3_req]
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = dns_name.your.domain.com
- Edit only (Do not change anything else!):
- C (two-letter country code)
- ST
- L
- O
- OU
- CN
- DNS.1
- If you want multiple SANs, add more DNS entries after DNS.1:
DNS.1 = dns_name.your.domain.com
DNS.2 = dns_name2.your.domain.com
DNS.3 = dns_name3.your.domain.com
- Save the file. The name has to be req.conf
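- Run this command to generate the CSR and its private key:
openssl req -new -out request_name.csr -newkey rsa:2048 -nodes -sha256 -keyout request_name.key -config req.conf
The -nodes option writes request_name.key without a passphrase, so keep that file readable by root only.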
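Before sending the CSR to your CA, it is worth confirming that the SANs really ended up in it. The following is an added example, not part of the original article or of VMware's tooling: shell helpers that write req.conf in the layout shown above and then read the SANs back out of the CSR. The function names, the DN values and the example host names are assumptions made up for illustration.

```shell
# Added example. DN values below are constructed placeholders; edit them.
# write_req_conf FILE CN [EXTRA_SAN...]  - CN is always written as DNS.1
write_req_conf() {
    conf=$1; cn=$2; shift 2
    cat > "$conf" <<EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = US
ST = ExampleState
L = ExampleCity
O = ExampleOrg
OU = ExampleUnit
CN = $cn
[v3_req]
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
EOF
    i=1
    for name in "$cn" "$@"; do
        echo "DNS.$i = $name" >> "$conf"
        i=$((i + 1))
    done
}

# csr_sans CSR - print each DNS SAN requested in the CSR, one per line
csr_sans() {
    openssl req -in "$1" -noout -text |
        grep -A1 'X509v3 Subject Alternative Name' |
        tail -n 1 | tr ',' '\n' | sed -n 's/^ *DNS:\([^ ]*\).*/\1/p'
}

# check_csr CSR NAME... - fail if the self-signature is bad or a name is missing
check_csr() {
    csr=$1; shift
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' ||
        { echo "CSR signature check failed" >&2; return 1; }
    sans=$(csr_sans "$csr")
    for name in "$@"; do
        printf '%s\n' "$sans" | grep -qxF -- "$name" ||
            { echo "missing SAN: $name" >&2; return 1; }
    done
}
```

With the functions loaded in your shell, `check_csr request_name.csr dns_name.your.domain.com dns_name2.your.domain.com` returns non-zero and names the first SAN that is missing from the CSR.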
To create a certificate from this CSR, read this article: https://angrysysops.com/2021/09/09/how-to-renew-certificates-for-vcenter-6-x/
BONUS:
If for some reason you need to convert your certificate to PEM format:
openssl x509 -in mycert.crt -out mycert.pem -outform PEM