VMware Cloud Community
techsupport0921
Contributor

Generating a Certificate Signing Request that includes longer key length and tighter hash algorithm on vSphere appliance

Hi All,

I was able to successfully make my vmca a subordinate signing authority. The problem is that my root CA uses a 4096-bit key and sha512. When it minted the cert for the vmca the key is 2096 and the hash algorithm is sha256. How do I change the request from the vmca to include a longer key and tighter algorithm? I used certificate-manager on the vSphere appliance to do this.

Thanks!

0 Kudos
4 Replies
vfk
Expert

The certificate-manager uses openssl to generate the CSR request; you should be able to change/update the certool.cfg with the appropriate required parameter.

How to use vSphere 6.x Certificate Manager (2097936) | VMware KB

0 Kudos
techsupport0921
Contributor

Thanks for the reply, vfk.

I've searched the syntax parameters for the certool.cfg file and there is no documentation showing how to specify key length or hash algorithm within the certool.cfg file. The only parameters I could find refer to local information and hostname.

I will also need to update the CSRs coming from the ESX hosts to ensure that they are requesting certificates that are 4096 bit and sha512 as well.

Any ideas of syntax?

Thanks

0 Kudos
techsupport0921
Contributor

I've also modified the parameters within /etc/ssl/openssl.cnf, but when I run certificate-manager and create the CSR the key length and algorithm remain at 2048 and sha256.

0 Kudos
NelsonCandela
Enthusiast

Any update on this?

I have the same problem and thus the same question.

0 Kudos
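Whatever tool produces the request, the key length and signature hash it actually carries can be read back before it is sent to the root CA. The script below is an added example, not part of the thread and not VMware's tooling: it does not change what certificate-manager generates, it only inspects a PEM CSR with the `openssl` CLI. The function names and the subject `vmca.example.test` are hypothetical, and RSA keys are assumed.

```shell
#!/bin/sh
# Added example: read the key length and signature hash back out of a PEM CSR.

# Print "<bits> <signature algorithm>" for the CSR in file $1.
csr_params() {
    text=$(openssl req -in "$1" -noout -text 2>/dev/null) || return 2
    bits=$(printf '%s\n' "$text" |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    alg=$(printf '%s\n' "$text" |
        sed -n 's/.*Signature Algorithm: *\([A-Za-z0-9-]*\).*/\1/p' | head -n 1)
    [ -n "$bits" ] && [ -n "$alg" ] || return 2
    printf '%s %s\n' "$bits" "$alg"
}

# csr_meets_policy <file> <min_bits> <hash>
# Returns 0 if the key is at least <min_bits> and the signature algorithm
# name starts with <hash> (e.g. sha512 matches sha512WithRSAEncryption),
# 1 if the CSR is weaker than the policy, 2 if it cannot be parsed.
csr_meets_policy() {
    params=$(csr_params "$1") || return 2
    bits=${params%% *}
    alg=${params#* }
    [ "$bits" -ge "$2" ] || return 1
    case "$alg" in
        "$3"*) return 0 ;;
        *) return 1 ;;
    esac
}

# make_sample_csr <out_prefix> <bits> <digest>
# Builds a constructed test CSR (throwaway key, hypothetical subject)
# so the checks above can be exercised offline.
make_sample_csr() {
    openssl req -new -newkey "rsa:$2" -nodes "-$3" \
        -subj "/CN=vmca.example.test" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# When called with a CSR path, print its parameters.
if [ "$#" -ge 1 ]; then
    csr_params "$1"
fi
```

Run against the CSR file that certificate-manager wrote, `csr_meets_policy <file> 4096 sha512` returns non-zero for the 2048-bit, sha256 request described in the thread.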