vSphere 6.0’s certtool forgets template.cfg to create CSR

I was trying to generate a CSR. We decided to put the PSC as a subordinate CA in our environment. There are already a few good posts on the net which explain how to do this, so I followed the steps and started editing the


this should be the template which will be used by Certool to create a CSR.

Let’s start certtool, like mentioned in the most internet posts, Choose 2 … Choose 1 create new cert, put it on a CSR checker fails. Strange let’s see…..huh company VMware, Location US. Strange this wasn’t in my template file, looks like it didn’t us it.

After a little search I found


Hah so this is a known issue, tought I did something wrong, so I followed the steps in the document, created/copied the CFG I already created.


certool --initcsr --privkey=priv.key --pubkey=pub.key --csrfile=csr.csr --config=certool_acme.cfg


Well this worked perfect, while letting our PKI sign the certificate we couldn’t properly import the certificate. When troubleshooting this we noticed that our PKI administrator used some wrong templates which made the SubCA we requested an end entity CSR.


After some mailing we suddenly received a properly signed certificate which was a SubCA signed one.

After following the original documentation guides we could easily install the certificate.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.