Creating a sub CA for VMware VMCA - error: not a CA cert

[tfboy]

In the past, I've used MS certificate services to generate certificates for use with VMware without issues.
I'm now trying with EJBCA and I'm having some issues.
Basically, despite creating a profile stating that certificates delivered are of a sub CA type and not an end entity, VMware is refusing these as they do not include the CA:true value.
I've tried generating a certificate with a CSR which requests the CA:true value, but still no luck.
I posted on VMware's communities, but thought I'd ask here in case someone can see an obvious mistake I'm making. Below follows a copy/paste.

vCenter version 7.0.3.01500

I'm trying to replace the VMCA root certificate with one issues by my PKI, making vCenter a subordinate CA so it can issue certificates to hosts.

The issue I'm having I believe is to do with a compatibility issue between my PKI - EJBCA and the VMware tools.

I recall doing this a long time ago with a Microsoft certificate services and had some teething issues, but not this, so I think it's something that's specific to the EJBCA PKI.

But I don't see why. I have tried both using a PKI-supplied private key and cert and also tried generating a CSR from the VCSA and the result is the same :

You are going to replace Root Certificate with custom certificate and regenerate all other certificates
Continue operation : Option[Y/N] ? : y
Status : 0% Completed [Replacing Root Cert...]
Error: 70011, VMCAAddRootCertificatePrivate() failedStatus : Failed
Error Code : 70011
Error Message : Not a CA Cert

Status : 0% Completed [Operation failed, performing automatic rollback]

Here's a screenshot of the settings of the profile I've made to generate the certificate, I enabled all the options but still it's not working :

Can anyone see an obvious mistake on my part? Or should it be OK and it's an issue with VMware?
Thanks!

[primetomas]

Using a SubCA certificate profile to issue certificate for a SubCA is correct. The one in the screenshot is messed up though, with all key usages and such. Revert to default settings. Looks like you perhaps created a new profile from scratch? There is a fixed SUBCA profile thart you can clone to get a good start.

What you may have missed is to set that certificate profile to be used from your End Entity Profile. And then use that End Entity Profile, and the Sub CA Certificate Profile, when issuing the certificate. But you can inspect the certificate (perhaps 'openssl x509 -in cert.pem -text') to see what the issued certificate looks like.

From the message though, it looks like it expects a Root CA certificate to be uploaded, not a Sub CA certificate. I don't know how VCenter works though, so that workflow I'm not familiar with.

If VCenter should be a SubCA it needs a private key as well, does VCenter give you a CSR from it's Sub CA?

[tfboy]

Thanks @primetomas . I found the issue: I had the path length constraint set to 0 (you can see it in the screenshot above) so I guess despite requesting a CA type of certificate, it wasn't providing it. I set the contraint to 1 and tried again and now it's OK. I've also removed all those extra permissions so it's tidy and is accepted by VMware. :)