When you run certool --gencert or certain other certificate initialization or management commands, the command reads all the values from a configuration file. You can edit the existing file, override the default configuration file with the --config=<file name> option, or override individual values on the command line.

The configuration file, certool.cfg, is located in the /usr/lib/vmware-vmca/share/config/ directory by default.

The file has several fields with the following default values:

Country = US
Name = Acme
Organization = AcmeOrg
OrgUnit = AcmeOrg Engineering
State = California
Locality = Palo Alto
IPAddress = 127.0.0.1
Email = [email protected]
Hostname = server.acme.com

Note: As of vSphere 7.0 Update 3o, the OU (organizationalUnitName) field is no longer mandatory.
You can change the values by specifying a modified file on the command line, or by overriding individual values on the command line, as follows.
  • Create a copy of the configuration file and edit the copy. Use the --config command-line option to specify the file. Specify the full path to avoid path name issues:
    /usr/lib/vmware-vmca/bin/certool --gencert --config /tmp/myconfig.cfg
  • Override individual values on the command line. For example, to override Locality, run this command:
    /usr/lib/vmware-vmca/bin/certool --gencert --privkey=private.key --Locality="Mountain View"

Specify --Name to replace the CN field of the Subject name of the certificate.
  • For solution user certificates, the name is <sol_user name>@<domain> by convention, but you can change the name if a different convention is used in your environment.
  • For machine SSL certificates, the FQDN of the machine is used.

Use the --Hostname parameter to specify the DNSName of a certificate's SubAltName. VMCA allows only one DNSName (in the Hostname field) and no other Alias options. If the IP address is specified by the user, it is stored in SubAltName as well.
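The following script is an added example, not VMware's own code, that puts the steps above together for a machine SSL certificate: it writes a per-host copy of certool.cfg with every field set explicitly, refuses a Hostname that is not a single FQDN (VMCA stores exactly one DNSName in the SAN), issues the certificate with --config while overriding Locality on the command line, and then checks the SAN of the result. It assumes certool at the documented path with the --gencert, --config, --privkey, --cert and --Locality options, and openssl for the SAN check (the --cert option and the openssl step are not described on this page). The host name, IP address, e-mail value and work directory are constructed for the example.

```shell
#!/bin/sh
# Added example, not VMware's own tooling. Assumes certool at the documented
# path and its --gencert/--config/--privkey/--cert/--Locality options; the
# FQDN, IP, e-mail and work directory below are this example's own choices.
CERTOOL=/usr/lib/vmware-vmca/bin/certool

# Write a per-machine certool.cfg. Every field of the shipped file is set
# here so nothing (for example the Acme placeholders) is inherited by accident.
write_machine_cfg() {
    out=$1; fqdn=$2; ip=$3
    # VMCA allows a single DNSName in the SAN: reject empty values, lists and
    # anything containing whitespace before it reaches certool.
    case $fqdn in
        ''|*[[:space:],]*)
            echo "Hostname must be a single FQDN: '$fqdn'" >&2
            return 1 ;;
    esac
    cat > "$out" <<EOF
Country = US
Name = $fqdn
Organization = AcmeOrg
OrgUnit = AcmeOrg Engineering
State = California
Locality = Palo Alto
IPAddress = $ip
Email = pki-admin@acme.com
Hostname = $fqdn
EOF
}

# Read one field back from a certool.cfg, trimming whitespace around '='.
cfg_get() {
    key=$1; file=$2
    sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$file" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# Issue a machine SSL certificate from the generated file. A value given on
# the command line (--Locality here) overrides the one in --config. Runs only
# where certool is installed; elsewhere it reports the command it would run.
issue_machine_cert() {
    cfg=$1; key=$2; crt=$3; locality=$4
    fqdn=$(cfg_get Hostname "$cfg"); ip=$(cfg_get IPAddress "$cfg")
    if [ ! -x "$CERTOOL" ]; then
        echo "certool not found; would run: $CERTOOL --gencert --config $cfg" \
             "--privkey=$key --cert=$crt --Locality=\"$locality\"" >&2
        return 2
    fi
    "$CERTOOL" --gencert --config "$cfg" --privkey="$key" --cert="$crt" \
        --Locality="$locality" || return 1
    # The SAN must carry the single DNSName and the IP address from the file
    # (assumption: openssl 1.1.1+ for the -ext option).
    san=$(openssl x509 -in "$crt" -noout -ext subjectAltName)
    case $san in
        *"DNS:$fqdn"*"IP Address:$ip"*) echo "SAN OK: $san" ;;
        *) echo "unexpected SAN: $san" >&2; return 1 ;;
    esac
}

# Stand-alone run: generate a config for a constructed host and try to issue.
WORK=$(mktemp -d)
write_machine_cfg "$WORK/vc01.cfg" vc01.acme.com 10.0.0.5
echo "Hostname=$(cfg_get Hostname "$WORK/vc01.cfg") IPAddress=$(cfg_get IPAddress "$WORK/vc01.cfg")"
issue_machine_cert "$WORK/vc01.cfg" "$WORK/vc01.key" "$WORK/vc01.crt" "Mountain View" || :
```

Setting Name to the FQDN follows the page's rule for machine SSL certificates; for a solution user certificate you would pass the <sol_user name>@<domain> value instead. The post-issuance openssl check is worth keeping in any automation, because a config file with a stray second host name or a missing IPAddress produces a certificate that fails hostname validation rather than a certool error.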