I'm attempting to make VMware's certificate authority (VMCA) v6.7 a trusted sub-CA of a FreeIPA certificate authority. I should be able to generate a certificate signing request within VMCA using either an interactive tool (certificate-manager) or by using VMware's certool and a config file (certool.cfg).
Of course, interactive tools have their appeal. The tool asks questions. Some answers are required:
Press Enter key to skip optional parameters or use Previous value.
Enter proper value for 'Country' [Previous value : US] :
Enter proper value for 'Name' [Previous value : vcenter.int.demarcohome.com] :
Enter proper value for 'Organization' [Previous value : DeMarco Home] :
Enter proper value for 'OrgUnit' [Previous value : none] :
Enter proper value for 'State' [Previous value : North Carolina] :
Enter proper value for 'Locality' [Previous value : Raleigh] :
Enter proper value for 'IPAddress' (Provide comma separated values for multiple IP addresses) [optional] :
Enter proper value for 'Email' [Previous value : [email protected]] :
Enter proper value for 'Hostname' (Provide comma separated values for multiple Hostname entries) [Enter valid Fully Qualified Domain Name(FQDN), For Example : example.domain.com] : vcenter.int.demarcohome.com
Enter proper value for VMCA 'Name' : vcenter
Within FreeIPA, when I attempt to sign this CSR, the request is not signed, with error #3009:
invalid 'csr': subject alt name type RFC822Name is forbidden for non-user principals
Decoding the CSR (https://www.sslshopper.com/csr-decoder.html) tells me it includes subject alternate names (SANs):
email:[email protected],
IP Address:10.71.73.8
vcenter.int.demarcohome.com
The error 'Name is forbidden for non-user principals' makes some sense to me, but not enough to point me in the right direction. Do I need to format my CSR differently by answering the questions differently, or am I going about the process of creating a subordinate CA incorrectly within FreeIPA?
The most common names used as Subject Alternative Name (SAN) in an X.509 v3 certificate extension are 'DNSName' and 'RFC822Name'. The name 'RFC822Name' is usually an email address while 'DNSName' is a hostname.
The error "invalid 'csr': subject alt name type RFC822Name is forbidden for non-user principals" says it all. You can't use a SAN with name type 'RFC822Name' when you request a certificate for a non-user principal.
It seems you are trying to create a certificate for a certificate authority (CA). In this case you used the wrong certificate profile to create the certificate signing request (CSR). I would recommend talking to your PKI administrators, explaining to them that you want to create a CSR for a CA, and asking them which profile to use. Different types of certificates require different profiles because of the different extensions used in the certificates.
You can find more information about how to make VMCA an intermediate CA here:
https://docs.vmware.com/en/VMware-vSphere/6.0/com.vmware.vsphere.security.doc/GUID-886C7657-3C2D-4AAC-8525-D5700CA58FCD.html
And here you see the requirements for the CSR to make VMCA an intermediate CA:
https://docs.vmware.com/en/VMware-vSphere/6.0/com.vmware.vsphere.security.doc/GUID-75008746-C902-4C42-8F5C-6602D6E4EC8B.html#GUID-75008746-C902-4C42-8F5C-6602D6E4EC8B
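As an added example (not part of the question, either answer, or VMware's certool), the script below does the check FreeIPA is doing before you submit a CSR: it walks the DER of a PKCS#10 request with only the standard library, lists every subjectAltName entry by its GeneralName type (the tags that distinguish 'RFC822Name', 'DNSName' and 'IPAddress'), and flags the email entry that IPA refuses for host and service principals. The CSR it runs on is a constructed, unsigned skeleton that carries the same three SAN entries the question's decoder showed; the email address is a placeholder because the page redacts the real one, and the subject, key and signature are empty because only the attribute walk matters here. `load_csr` accepts the PEM file certool writes, so the same functions work on a real request.

```python
"""Preflight a PKCS#10 CSR for subjectAltName types FreeIPA rejects on host and
service principals.  Added example, not code from the question, the answers or
VMware's certool; standard library only, so the DER walk is deliberately
minimal: single-byte tags only, and no signature verification."""
import base64

OID_EXTENSION_REQUEST = bytes.fromhex("2a864886f70d01090e")  # 1.2.840.113549.1.9.14
OID_SUBJECT_ALT_NAME = bytes.fromhex("551d11")               # 2.5.29.17

# Context-specific tags of GeneralName (RFC 5280, 4.2.1.6); constructed forms
# carry 0x20.  Spelling follows the names FreeIPA uses in its error text.
GENERAL_NAME_TAGS = {
    0xA0: "OtherName", 0x81: "RFC822Name", 0x82: "DNSName",
    0xA4: "DirectoryName", 0x86: "UniformResourceIdentifier",
    0x87: "IPAddress", 0x88: "RegisteredID",
}
# FreeIPA only accepts an email SAN when the request is for a user principal.
FORBIDDEN_FOR_NON_USER = {"RFC822Name"}


def read_tlv(buf, pos):
    """Return (tag, value, position after the element) for the DER TLV at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next N bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def iter_children(body):
    """Yield (tag, value) for each element inside a SEQUENCE or SET body."""
    pos = 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        yield tag, value


def decode_general_name(tag, value):
    name_type = GENERAL_NAME_TAGS.get(tag, "Unknown[0x%02x]" % tag)
    if tag in (0x81, 0x82, 0x86):          # IA5String payloads
        return name_type, value.decode("ascii")
    if tag == 0x87 and len(value) == 4:    # IPv4 octets
        return name_type, ".".join(str(b) for b in value)
    return name_type, value.hex()


def csr_san_entries(csr_der):
    """List the (type, text) pairs in the CSR's subjectAltName extension request."""
    _, cert_req, _ = read_tlv(csr_der, 0)                     # CertificationRequest
    _, info, _ = read_tlv(cert_req, 0)                        # certificationRequestInfo
    attrs = [v for t, v in iter_children(info) if t == 0xA0]  # [0] IMPLICIT attributes
    for _, attribute in iter_children(attrs[0] if attrs else b""):
        _, attr_oid, pos = read_tlv(attribute, 0)
        if attr_oid != OID_EXTENSION_REQUEST:
            continue
        _, values, _ = read_tlv(attribute, pos)               # SET OF values
        _, extensions, _ = read_tlv(values, 0)                # Extensions SEQUENCE
        for _, ext in iter_children(extensions):
            _, ext_oid, pos = read_tlv(ext, 0)
            if ext_oid != OID_SUBJECT_ALT_NAME:
                continue
            tag, value, pos = read_tlv(ext, pos)
            if tag == 0x01:                                   # optional critical BOOLEAN
                tag, value, pos = read_tlv(ext, pos)
            _, names, _ = read_tlv(value, 0)                  # OCTET STRING wraps SEQUENCE OF GeneralName
            return [decode_general_name(t, v) for t, v in iter_children(names)]
    return []


def check_for_host_principal(csr_der):
    """Return (entries, problems); problems mirrors the IPA rejection text."""
    entries = csr_san_entries(csr_der)
    problems = ["subject alt name type %s is forbidden for non-user principals" % t
                for t, _ in entries if t in FORBIDDEN_FOR_NON_USER]
    return entries, problems


def load_csr(data):
    """Accept the PEM file certool writes, or raw DER."""
    if data.lstrip().startswith(b"-----"):
        lines = [l for l in data.splitlines() if not l.startswith(b"-----")]
        return base64.b64decode(b"".join(lines))
    return data


# --- constructed sample input (not a real CSR from the question) -------------
def tlv(tag, body):
    """Encode one DER element; two-byte long form is enough for a sample CSR."""
    n = len(body)
    length = (bytes([n]) if n < 0x80 else
              b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + body


def build_sample_csr(san):
    """Unsigned CSR skeleton carrying the given [(tag, value)] SAN list."""
    names = tlv(0x30, b"".join(tlv(t, v) for t, v in san))
    san_ext = tlv(0x30, tlv(0x06, OID_SUBJECT_ALT_NAME) + tlv(0x04, names))
    ext_req = tlv(0x30, tlv(0x06, OID_EXTENSION_REQUEST) + tlv(0x31, tlv(0x30, san_ext)))
    info = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x30, b"") + tlv(0x30, b"") + tlv(0xA0, ext_req))
    return tlv(0x30, info + tlv(0x30, b"") + tlv(0x03, b"\x00"))


def as_pem(der):
    body = base64.b64encode(der)
    return b"-----BEGIN CERTIFICATE REQUEST-----\n" + body + b"\n-----END CERTIFICATE REQUEST-----\n"


# The three SANs certificate-manager put in the question's CSR (email is a placeholder).
SAN_FROM_CERTIFICATE_MANAGER = [
    (0x81, b"admin@example.com"),
    (0x87, bytes([10, 71, 73, 8])),
    (0x82, b"vcenter.int.demarcohome.com"),
]
SAN_WITHOUT_EMAIL = SAN_FROM_CERTIFICATE_MANAGER[1:]   # the Email prompt left blank

if __name__ == "__main__":
    for label, san in (("as generated", SAN_FROM_CERTIFICATE_MANAGER), ("without email", SAN_WITHOUT_EMAIL)):
        entries, problems = check_for_host_principal(build_sample_csr(san))
        print(label, entries, problems or "no SAN type IPA forbids for a host/service principal")
```

To preflight a real request, replace the sample with `check_for_host_principal(load_csr(open("vcenter.csr", "rb").read()))`; an empty problems list only means the SAN types pass, IPA still checks that each DNS name and IP address belongs to the requesting host or service.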
The simplest solution to this problem is to update the template so that it is not asking for the email address.
The base template is here:
/usr/lib/vmware-vmca/share/config/certool.cfg
If you have already run the tool, the system uses the copy in:
/var/tmp/vmware/certool.cfg
You can change the file to look like:
This will create a CSR that can be signed by IPA and used by vcenter.