The certool initialization commands allow you to generate certificate signing requests, view and generate certificates and keys that are signed by VMware Certificate Authority (VMCA), import root certificates, and perform other certificate management operations.
In many cases, you pass a configuration file to a certool command. See Changing the certool Configuration Options. See Replace Existing VMCA-Signed Certificates with New VMCA-Signed Certificates Using the CLI for usage examples. The command-line help provides details about the options.
certool --initcsr
Generates a Certificate Signing Request (CSR). The command generates a PKCS10 file and a private key.
Option | Description |
---|---|
--gencsr | Required for generating CSRs. |
--privkey <key_file> | Name of the private key file. |
--pubkey <key_file> | Name of the public key file. |
--csrfile <csr_file> | File name for the CSR file to be sent to the CA provider. |
--config <config_file> | Name of the configuration file. A sample configuration file is located at /usr/lib/vmware-vmca/share/config/certool.cfg. As a best practice, make a copy of the default configuration file and replace the required fields. |
certool --gencsr --privkey=<filename> --pubkey=<filename> --csrfile=<filename>
certool --selfca
Creates a self-signed certificate and provisions the VMCA server with a self-signed root CA. Using this option is one of the simplest ways to provision the VMCA server. You can instead provision the VMCA server with a third-party root certificate so that VMCA is an intermediate CA. See Make VMCA Into an Intermediate Certificate Authority Using the CLI.
This command generates a certificate that is predated by three days to avoid time zone conflicts.
Option | Description |
---|---|
--selfca | Required for generating a self-signed certificate. |
--predate <number_of_minutes> | Allows you to set the Valid Not Before field of the root certificate to the specified number of minutes before the current time. This option can be helpful to account for potential time zone issues. The maximum is three days. |
--config <config_file> | Name of the configuration file. A sample configuration file is located at /usr/lib/vmware-vmca/share/config/certool.cfg. As a best practice, make a copy of the default configuration file and replace the required fields. |
--server <server> | Optional name of the VMCA server. By default, the command uses localhost. |
machine-70-59:/usr/lib/vmware-vmca/bin # ./certool --predate=2280 --selfca --server=192.0.2.24 --srp-upn=administrator@vsphere.local
certool --rootca
Imports a root certificate. Adds the specified certificate and private key to VMCA. VMCA always uses the most recent root certificate for signing, but other root certificates remain trusted until you manually delete them. That means you can update your infrastructure one step at a time, and finally delete certificates that you no longer use.
Option | Description |
---|---|
--rootca | Required for importing a root CA. |
--cert <certfile> | Name of the certificate file. |
--privkey <key_file> | Name of the private key file. This file must be in PEM encoded format. |
--server <server> | Optional name of the VMCA server. By default, the command uses localhost. |
certool --rootca --cert=root.cert --privkey=privatekey.pem
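The --predate limit of three days (4320 minutes) and the PEM requirement for the --rootca private key are the two checks most often missed when scripting these steps. The following POSIX shell wrapper is an added example, not VMware's code; it assumes certool is on PATH, validates both conditions, and only assembles the command line (it does not run certool), so it can be reviewed or logged before the VMCA root is touched.

```shell
#!/bin/sh
# Added example (not from the VMware documentation). Assumes the certool
# binary is reachable on PATH as "certool".
CERTOOL=certool
MAX_PREDATE_MINUTES=4320   # three days: the documented maximum for --predate

# Build the "certool --selfca" command line. Rejects a predate that is not a
# non-negative integer or that exceeds the three-day maximum.
# Usage: build_selfca_cmd <predate_minutes> [server] [config_file]
build_selfca_cmd() {
  predate="$1"; server="${2:-localhost}"; config="$3"
  case "$predate" in
    ''|*[!0-9]*) echo "predate must be a non-negative integer (minutes)" >&2; return 1 ;;
  esac
  if [ "$predate" -gt "$MAX_PREDATE_MINUTES" ]; then
    echo "predate $predate exceeds the three-day maximum ($MAX_PREDATE_MINUTES minutes)" >&2
    return 1
  fi
  cmd="$CERTOOL --selfca --predate=$predate --server=$server"
  if [ -n "$config" ]; then
    cmd="$cmd --config=$config"
  fi
  printf '%s\n' "$cmd"
}

# Return 0 only if the file is readable and carries PEM private-key armour
# (BEGIN/END ... PRIVATE KEY), which is the only format --rootca accepts.
is_pem_key() {
  [ -r "$1" ] || return 1
  grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1" \
    && grep -q -- '-----END .*PRIVATE KEY-----' "$1"
}

# Build the "certool --rootca" command line after checking the key file.
# Usage: build_rootca_cmd <cert_file> <key_file> [server]
build_rootca_cmd() {
  cert="$1"; key="$2"; server="${3:-localhost}"
  if ! is_pem_key "$key"; then
    echo "$key is not a readable PEM private key file" >&2
    return 1
  fi
  printf '%s\n' "$CERTOOL --rootca --cert=$cert --privkey=$key --server=$server"
}

# Example: the predate value from the page's own --selfca invocation.
# -> certool --selfca --predate=2280 --server=192.0.2.24 --config=my-certool.cfg
build_selfca_cmd 2280 192.0.2.24 my-certool.cfg
```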
certool --getdc
Returns the default domain name that is used by vmdir.
Option | Description |
---|---|
--server <server> | Optional name of the VMCA server. By default, the command uses localhost. |
--port <port_num> | Optional port number. Defaults to port 389. |
certool --getdc
certool --waitVMDIR
Waits until the VMware Directory Service is running or until the timeout specified by --wait has elapsed. Use this option along with other options to schedule certain tasks, for example returning the default domain name.
Option | Description |
---|---|
--wait | Optional number of minutes to wait. Defaults to 3. |
--server <server> | Optional name of the VMCA server. By default, the command uses localhost. |
--port <port_num> | Optional port number. Defaults to port 389. |
certool --waitVMDIR --wait 5
certool --waitVMCA
Waits until the VMCA service is running or until the timeout specified by --wait has elapsed. Use this option in conjunction with other options to schedule certain tasks, for example generating a certificate.
Option | Description |
---|---|
--wait | Optional number of minutes to wait. Defaults to 3. |
--server <server> | Optional name of the VMCA server. By default, the command uses localhost. |
--port <port_num> | Optional port number. Defaults to port 389. |
certool --waitVMCA --selfca
certool --publish-roots
Forces an update of root certificates. This command requires administrative privileges.
Option | Description |
---|---|
--server <server> | Optional name of the VMCA server. By default, the command uses localhost. |
certool --publish-roots