Unsolved
1 Rookie
•
8 Posts
0
3997
November 10th, 2020 08:00
Missing SAN information in CSR - invalid certificate
I have a freshly installed OMI 5.2.0.2287 and I wanted to generate a CSR on the appliance to generate a certificate in our company CA.
But the CSR is not valid, resp. it does not give SAN information. In the end all browsers say it's not a valid certificate.
SAN is mandatory; the common name (CN) can be something like "Mickey Mouse", but not the Subject Alternative Name (SAN).
Best regards, Tom
DELL-Charles R
Moderator
•
4.4K Posts
0
November 10th, 2020 13:00
Hello Tom,
I’m sorry to see it is not gathering SAN information.
Since this is a fresh install I may recommend redownloading to make sure the first one did not have any corruption, and try the process again.
Then check the steps on page 24, "Generate a Certificate Signing Request (CSR)":
https://dl.dell.com/topicspdf/openmanage-integration-vmware-vcenter-v52_users-guide_en-us.pdf?dgc=SM&cid=243905&lid=spr4118626320&linkId=104124382
This may also be helpful or you may already know this information: https://geekflare.com/san-ssl-certificate/?linkId=104124383
Please let me know how it goes.
Tom.Herling
1 Rookie
•
8 Posts
0
November 11th, 2020 06:00
In the documentation on page 2 there is a sentence that doesn't make sense to me:
"Before registering an OMIVV to a vCenter, ensure that you upload the CSR."
Where can I upload a CSR to the appliance, and why do this? It would only make sense if generating my own CSR with OpenSSL and then trying to upload the certificate from my own trusted company CA.
But generating my own CSR with OpenSSL does not make sense because the OMI-appliance doesn't know the CSR and refuses to install the certificate from my company CA.
DELL-Charles R
Moderator
•
4.4K Posts
0
November 11th, 2020 13:00
Hello Tom,
So it doesn't support SAN in the CSR. Someone submitted a feature request back in 5.0 and it was picked up for a future release. Waiting on when that is expected. It requires CSR so SAN is not an option.
Upload HTTPS certificate Page: 24 https://dl.dell.com/topicspdf/openmanage-integration-vmware-vcenter-v52_users-guide_en-us.pdf
1. On the APPLIANCE MANAGEMENT page, click Upload Certificate in the HTTPS CERTIFICATES area.
2. Click OK in the UPLOAD CERTIFICATE dialog box.
3. To upload the certificate, click Browse, and then click Upload.
To check the status, go to Event Console of vSphere Client of registered vCenters
Tom.Herling
1 Rookie
•
8 Posts
1
November 12th, 2020 00:00
Hello Charles,
Once again: you cannot upload a certificate if you generate the CSR with OpenSSL (and not with the OMI-appliance). The appliance refuses the certificate when it's done with OpenSSL - you cannot upload the certificate!
You get the following error:
Failed to import certificate provided.The key generated with the CSR does not match the certificate uploaded. Please regenerate the CSR and try again.
Installing a certificate with private key PKCS#12 (PFX) doesn't work either!
So for me, the Appliance is unusable because I don't have a valid SAN certificate and the connection to my vCenter is not trusted. Uploading a
We live in the year 2020 and OMI is not able to generate a CSR with SAN information. SAN is mandatory since Chrome version 57 (May 2017). RFC 2818 says since May 2000 (!!!) that the use of the common name (CN) is deprecated and SAN MUST be used as identity.
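The two checks at issue in this thread (does the CSR request a SAN, and does an issued certificate carry the same public key as the CSR), as an added example that is not part of any post here and not Dell's code. It assumes OpenSSL 1.1.1 or later for `-addext`; the hostname `omivv.example.test` and all file names are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Needs OpenSSL 1.1.1+ for -addext.
# The hostname omivv.example.test and all file names are constructed.

# True if the CSR requests a Subject Alternative Name extension.
csr_has_san() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        grep -q 'X509v3 Subject Alternative Name'
}

# True if the certificate carries the same public key as the CSR, i.e. it
# was issued for the key pair that produced that CSR.
cert_matches_csr() {
    csr_pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 2
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$crt_pub" ]
}

# Build throwaway sample files in a temp directory and print its path.
make_samples() {
    d=$(mktemp -d) || return 1
    subj="/CN=omivv.example.test"
    # Key pair A: one CSR with a SAN, one without, and a matching certificate.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/a.key" \
        -out "$d/a_san.csr" -subj "$subj" \
        -addext "subjectAltName=DNS:omivv.example.test" 2>/dev/null &&
    openssl req -new -key "$d/a.key" -out "$d/a_nosan.csr" \
        -subj "$subj" 2>/dev/null &&
    openssl req -new -x509 -key "$d/a.key" -out "$d/a.crt" \
        -subj "$subj" -days 1 2>/dev/null &&
    # Key pair B: a certificate for a key the CSRs above never saw.
    openssl req -new -x509 -newkey rsa:2048 -nodes -keyout "$d/b.key" \
        -out "$d/b.crt" -subj "$subj" -days 1 2>/dev/null &&
    echo "$d"
}

# Stand-alone run: report both checks on the constructed samples.
if dir=$(make_samples); then
    for c in a_san a_nosan; do
        if csr_has_san "$dir/$c.csr"; then r=present; else r=MISSING; fi
        echo "$c.csr: SAN $r"
    done
    for c in a b; do
        if cert_matches_csr "$dir/a_san.csr" "$dir/$c.crt"; then r=matches
        else r="does NOT match"; fi
        echo "$c.crt $r the key behind a_san.csr"
    done
    rm -rf "$dir"
fi
```

Running `csr_has_san` on the CSR before sending it to the CA shows whether the SAN made it into the request at all; a CA can only copy or add SANs according to its own policy.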
DELL-Damon E
2 Posts
0
November 12th, 2020 10:00
Tom,
OMIVV 5.2 should be able to support SAN in the certifications. If you see version 5.2.0.2287 as the "Current Virtual Appliance Version" in the OMIVV administration portal under "Appliance Management," you can test this by clicking on "Generate Certificate Signing Request" under HTTPS Certificates.
If your own certificates are not working, I'd ask that you contact ProSupport and get a case open. They hopefully can help you sort out what is happening, or they can get the issue escalated to development if there is an issue in the certificate handling.
mc1903
1 Rookie
•
67 Posts
0
December 14th, 2020 08:00
@Tom.Herling Did you ever get a resolution to this?
I am having exactly the same issue with OMIVV 5.2.0.2287.
The OMIVV create CSR "wizard" seems to ignore anything I put in the SAN field.
I find most vendors completely fail when it comes to replacing their self-signed certificates for custom/PKI signed ones. If there was an option to import an externally generated PKCS#12 (PFX) with the private key and the signed certificate chain, my life would be simple!
I don't think I can open a support case as I am evaluating the product.
Cheers,
M
DELL-Marco B
Moderator
•
3.8K Posts
0
December 14th, 2020 09:00
Hello,
As suggested by Damon, if you have an issue with the certificate you have to contact technical support in order to escalate the issue. Just provide the reference of the product you own and we can give you support on that.
Please let me know if I can help you more.
Thanks
Marco
mc1903
1 Rookie
•
67 Posts
0
December 14th, 2020 09:00
@DELL-Marco B
Can I open a support case if I am just evaluating OMIVV?
Thanks
M
Dell-DylanJ
4 Operator
•
2.9K Posts
0
December 14th, 2020 09:00
Hello,
When I was on the phone support team, we offered support, if the appliance was installed on a hardware system with a warranty. I believe there are specific offerings for just the appliance alone, but you should be able to get some assistance, if you have a warranty for the host.
mc1903
1 Rookie
•
67 Posts
0
December 15th, 2020 01:00
Hello @Dell-DylanJ
I am evaluating this in my home lab environment at the moment and my Dell kit, whilst supported with OMIVV, does not have any current warranty; so it looks like I am stuck.
I am frustrated that Dell, as a multi billion $ market leading tech company, cannot get a handle on simple certificate operations within its products. The need to use the SAN name instead of the Common Name has been a requirement since Chrome 58 (March 2017).
M
DELL-Marco B
Moderator
•
3.8K Posts
0
December 15th, 2020 02:00
Unfortunately for an out of warranty system you need to pay a fee to receive support from Dell.
I'm sorry and I understand your frustration and I take your complaint to escalate it internally.
Please let me know how I can help you further.
Thanks
Marco
mc1903
1 Rookie
•
67 Posts
1
December 15th, 2020 07:00
Thanks @DELL-Marco B
Zero chance of me paying for support to "fix" this issue when 1) they most likely will have to wait for the developers to write/test it and 2) it should never exist in well designed, developed & tested software in the first place.
Cheers,
M
DELL-Marco B
Moderator
•
3.8K Posts
1
December 15th, 2020 07:00
OK, so I will escalate internally to see if some expert will give us a more complete answer about this behavior.
I will keep you up to date.
Thanks
Marco
Tom.Herling
1 Rookie
•
8 Posts
1
December 16th, 2020 00:00
DELL-Marco B
Moderator
•
3.8K Posts
0
December 16th, 2020 03:00
Hello,
Thanks for your feedback.
Marco