FreeIPA refuses to sign a VMWare certificate signing request (CSR)

I'm attempting to make VMWare's certificate authority (VMCA) v6.7 a trusted sub-CA of a FreeIPA certificate authority. I should be able to generate a certificate signing request within VMCA using either an interactive tool (certificate-manager) or by using VMWare's certool and a config file (certool.cfg).

Of course, interactive tools have their appeal. The tool asks questions. Some answers are required:

Press Enter key to skip optional parameters or use Previous value.

Enter proper value for 'Country' [Previous value : US] : 

Enter proper value for 'Name' [Previous value : vcenter.int.demarcohome.com] : 

Enter proper value for 'Organization' [Previous value : DeMarco Home] : 

Enter proper value for 'OrgUnit' [Previous value : none] : 

Enter proper value for 'State' [Previous value : North Carolina] : 

Enter proper value for 'Locality' [Previous value : Raleigh] : 

Enter proper value for 'IPAddress' (Provide comma separated values for multiple IP addresses) [optional] : 

Enter proper value for 'Email' [Previous value : [email protected]] : 

Enter proper value for 'Hostname' (Provide comma separated values for multiple Hostname entries) [Enter valid Fully Qualified Domain Name(FQDN), For Example : example.domain.com] : vcenter.int.demarcohome.com

Enter proper value for VMCA 'Name' : vcenter

Within FreeIPA, when I attempt to sign this CSR, the request is not signed, with error #3009:

invalid 'csr': subject alt name type RFC822Name is forbidden for non-user principals

Decoding the CSR (https://www.sslshopper.com/csr-decoder.html) tells me it includes subject alternate names (SANs):

email:[email protected],
IP Address:10.71.73.8
vcenter.int.demarcohome.com

The error 'Name is forbidden for non-user principals' makes some sense to me, but not enough to point me in the right direction. Do I need to format my CSR differently by answering the questions differently, or am I going about the process of creating a subordinate CA incorrectly within FreeIPA?


The most common names used as Subject Alternative Name (SAN) in an X.509 v3 certificate extension are 'DNSName' and 'RFC822Name'. The name 'RFC822Name' is usually an email address while 'DNSName' is a hostname.

The error "invalid 'csr': subject alt name type RFC822Name is forbidden for non-user principals" says it all. You can't use a SAN with name type 'RFC822Name' when you request a certificate for a non-user principal.

It seems you are trying to create a certificate for a certificate authority (CA). In this case you used the wrong certificate profile to create the certificate signing request (CSR). I would recommend talking to your PKI administrators and explaining to them that you want to create a CSR for a CA, and asking them which profile to use. Different types of certificates require different profiles because of the different extensions used in the certificates.

You can find more information about how to make VMCA an intermediate CA here:

https://docs.vmware.com/en/VMware-vSphere/6.0/com.vmware.vsphere.security.doc/GUID-886C7657-3C2D-4AAC-8525-D5700CA58FCD.html

And here you see the requirements for the CSR to make VMCA an intermediate CA:

https://docs.vmware.com/en/VMware-vSphere/6.0/com.vmware.vsphere.security.doc/GUID-75008746-C902-4C42-8F5C-6602D6E4EC8B.html#GUID-75008746-C902-4C42-8F5C-6602D6E4EC8B
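The following is an added example, not code from the question, the answer, VMware or FreeIPA. It shows the check the question's web-decoder step was doing, done locally with openssl instead: decode a CSR and list the SAN name types it carries, so an rfc822Name (the "email:" entry) is caught before the request ever reaches `ipa cert-request`. Because certool is not available outside a vCenter appliance, the two CSRs are built here with an openssl config that only reproduces the shape of the rejected request (email + IP + DNS SANs, CA:TRUE); the openssl config syntax is not certool.cfg syntax. Every hostname, address, e-mail address and organisation name below is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): build two sub-CA style CSRs,
# one with the same SAN type mix as the rejected VMCA CSR and one with a
# DNS name only, then decode each locally and report its SAN name types.
# All names, addresses and the work directory are constructed for this demo.
set -eu
export LC_ALL=C          # fixed collation so sort output is stable

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$work/key.pem" 2>/dev/null

# make_csr OUT with-email|dns-only
# Writes a CSR with basicConstraints CA:TRUE whose SAN block either mirrors
# the question's email + IP + DNS mix or holds a single DNS name.
make_csr() {
  out=$1; mode=$2
  cfg="$work/$(basename "$out").cnf"
  {
    printf '[ req ]\nprompt = no\ndistinguished_name = dn\nreq_extensions = ext\n'
    printf '[ dn ]\nC = US\nST = North Carolina\nL = Raleigh\n'
    printf 'O = Example Home\nCN = vcenter.int.example.com\n'
    printf '[ ext ]\nbasicConstraints = critical, CA:TRUE\nsubjectAltName = @alt\n'
    printf '[ alt ]\nDNS.1 = vcenter.int.example.com\n'
    if [ "$mode" = with-email ]; then
      # constructed values standing in for the question's email and IP SANs
      printf 'email.1 = pki-admin@int.example.com\nIP.1 = 192.0.2.8\n'
    fi
  } > "$cfg"
  openssl req -new -key "$work/key.pem" -config "$cfg" -out "$out"
}

# san_line CSR: the comma-separated GeneralNames line as openssl prints it,
# e.g. "email:pki-admin@int.example.com, IP Address:192.0.2.8, DNS:vcenter..."
san_line() {
  openssl req -in "$1" -noout -text | awk '/Subject Alternative Name/ { getline; print }'
}

# san_types CSR: the distinct SAN name types, sorted and space separated
san_types() {
  san_line "$1" | tr ',' '\n' | sed 's/^[[:space:]]*//; s/:.*$//' \
    | sort -u | paste -sd ' ' -
}

# has_rfc822_san CSR: exit 0 when the SAN block carries an rfc822Name,
# which is the name type FreeIPA refused for this non-user principal
has_rfc822_san() {
  san_line "$1" | grep -q 'email:'
}

make_csr "$work/vmca-like.csr" with-email
make_csr "$work/dns-only.csr" dns-only

for csr in "$work/vmca-like.csr" "$work/dns-only.csr"; do
  printf '%s: SAN types = %s\n' "$(basename "$csr")" "$(san_types "$csr")"
  if has_rfc822_san "$csr"; then
    echo "  -> carries an rfc822Name SAN; expect FreeIPA to reject it for a CA/host principal"
  else
    echo "  -> no rfc822Name SAN"
  fi
done
```

Running this against the CSR certool actually produced (`openssl req -in vmca.csr -noout -text`) gives the same "email:" line the web decoder showed, without handing the request to a third-party site. The usual fix on the VMCA side is to leave the Email prompt empty so certool does not emit the rfc822Name; whether the IP address SAN and the CA extensions are acceptable is then a matter of which FreeIPA profile the CA request is submitted under, as the answer says.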