Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere

Article ID: 315271

Updated On:

Products

VMware vCenter Server

Issue/Introduction

This article details the configuration of Microsoft Certificate Authority (CA) templates necessary for implementing custom SSL certificates within a vSphere environment.

Environment

  • VMware vCenter Server 8.x

Resolution

The process involves creating and making available two custom Microsoft CA templates: one for Machine SSL and Solution User certificates, and one for VMCA as a Subordinate CA.

Create Template for Machine SSL and Solution User Certificates

This template is for certificates used by vSphere components like the Machine SSL certificate and Solution User certificates.

  1. Connect to the CA server via RDP.
  2. Open the Certificate Template Console by clicking Start > Run, typing certtmpl.msc, and clicking OK.
  3. Right-click the Web Server template and select Duplicate Template.
  4. In the Duplicate Template window, select Windows 7 / Server 2008 R2 Enterprise for broad compatibility.
    • Note: If a signature hash algorithm stronger than SHA1 is required, select Windows Server 2012 Enterprise.
  5. Go to the General tab and enter vSphere 8.x in the Template display name field.
  6. Go to the Extensions tab.
  7. Select Application Policies and click Edit.
    • Select Server Authentication and click Remove, then OK.
    • Note: If Client Authentication is present, remove it as well.
  8. Select Basic Constraints and click Edit.
  9. Select the Enable this extension check box and click OK.
  10. Select Key Usage and click Edit.
  11. Select Signature is proof of origin (non repudiation). Keep other settings at their default.
  12. Click OK.
  13. Go to the Subject Name tab.
  14. Ensure the Supply in the request option is selected.
  15. Click OK to save the template.
  16. Next, make the template available for issuance by following the steps in Adding a new template to certificate templates.

Create Template for VMCA as a Subordinate CA

This template is used when configuring VMCA to act as a Subordinate CA to your Microsoft CA.

  1. Connect to the CA server via RDP.
  2. Open the Certificate Template Console by clicking Start > Run, typing certtmpl.msc, and clicking OK.
  3. Right-click the Subordinate Certificate Authority template and select Duplicate Template.
  4. In the Duplicate Template window, select Windows 7 / Server 2008 R2 Enterprise for broad compatibility.
    • Note: If a signature hash algorithm stronger than SHA1 is required, select Windows Server 2012 Enterprise.
  5. Go to the General tab and enter vSphere 8.x VMCA in the Template display name field.
  6. Ensure Publish certificate in Active Directory is selected.
  7. Go to the Extensions tab.
  8. Select Basic Constraints and click Edit.
  9. Select the Enable this extension check box and click OK.
  10. Select Key Usage and click Edit.
  11. Ensure the following options are enabled: Digital Signature, Certificate signing, and CRL signing.
  12. Ensure Make this extension critical is enabled.
  13. Click OK.
  14. Click OK to save the template.
  15. Next, make the template available for issuance by following the steps in Adding a new template to certificate templates.

Adding a new template to certificate templates

  1. Connect to the CA server via RDP.
  2. Open the Certification Authority console by clicking Start > Run, typing certsrv.msc, and clicking OK.
  3. In the left pane, expand the CA node (click the + icon if collapsed).
  4. Right-click Certificate Templates and select New > Certificate Template to Issue.
  5. Locate and select both vSphere 8.x and vSphere 8.x VMCA under the Name column.
  6. Click OK.
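
Once the templates are published, a certificate issued from either one can be checked against the extension settings chosen in the steps above. The PowerShell below is an added example, not part of the original article or of any VMware or Microsoft tooling; the function name Test-VSphereCertExtensions, its parameters and the self-signed sample certificate are constructed for illustration, and it assumes PowerShell 7 or .NET Framework 4.7.2 or later.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Hypothetical helper: emits one string per deviation from the template steps; no output means a match.
function Test-VSphereCertExtensions {
    param(
        [Parameter(Mandatory)] [X509Certificate2] $Certificate,
        [Parameter(Mandatory)] [ValidateSet('MachineSSL', 'VMCA')] [string] $Template
    )
    $ku  = $Certificate.Extensions | Where-Object { $_ -is [X509KeyUsageExtension] }
    $bc  = $Certificate.Extensions | Where-Object { $_ -is [X509BasicConstraintsExtension] }
    $eku = $Certificate.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }

    if (-not $bc) { 'Basic Constraints extension is missing' }
    if (-not $ku) { 'Key Usage extension is missing'; return }

    if ($Template -eq 'MachineSSL') {
        # Non repudiation was added; Server/Client Authentication were removed from Application Policies.
        $required = [X509KeyUsageFlags[]]('NonRepudiation')
        foreach ($oid in $eku.EnhancedKeyUsages) {
            if ($oid.Value -in '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2') { "Unexpected application policy: $($oid.Value)" }
        }
    } else {
        # Subordinate CA: signing usages, critical Key Usage, and a CA-asserting Basic Constraints.
        $required = [X509KeyUsageFlags[]]('DigitalSignature', 'KeyCertSign', 'CrlSign')
        if (-not $ku.Critical) { 'Key Usage is not marked critical' }
        if ($bc -and -not $bc.CertificateAuthority) { 'Basic Constraints does not assert CA' }
    }
    foreach ($flag in $required) {
        if (-not $ku.KeyUsages.HasFlag($flag)) { "Key Usage lacks $flag" }
    }
}

# Constructed sample: a self-signed certificate shaped like the output of the VMCA template.
$rsa = [RSA]::Create(2048)
$req = [CertificateRequest]::new('CN=constructed-vmca.example', $rsa,
    [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$req.CertificateExtensions.Add([X509BasicConstraintsExtension]::new($true, $false, 0, $true))
$req.CertificateExtensions.Add([X509KeyUsageExtension]::new(
    [X509KeyUsageFlags]'DigitalSignature, KeyCertSign, CrlSign', $true))
$sample = $req.CreateSelfSigned([DateTimeOffset]::Now, [DateTimeOffset]::Now.AddDays(1))

Test-VSphereCertExtensions -Certificate $sample -Template VMCA
Test-VSphereCertExtensions -Certificate $sample -Template MachineSSL
```

To check a certificate issued by the CA instead of the sample, load the exported file with [X509Certificate2]::new('<path to .cer>') and pass it as -Certificate.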

Additional Information