Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.x/7.x

Article ID: 315271

Products

VMware vCenter Server

Issue/Introduction

This article provides information on configuring Microsoft Certificate Authority (CA) templates for use with custom SSL certificate implementation in vSphere 6.x and 7.x.

Environment

VMware vCenter Server Appliance 6.5.x
VMware vCenter Server Appliance 6.0.x
VMware vCenter Server Appliance 6.7.x
VMware vCenter Server 6.7.x
VMware vCenter Server 7.0.x
VMware vCenter Server 6.0.x
VMware vCenter Server 6.5.x

Resolution

Process to create a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6:

Configuring Microsoft CA templates for SSL Certificate Implementation:

Creating a new template for vSphere 6.x to use for Machine SSL and Solution User certificates

  1. Connect through an RDP session to the CA server from which you will be generating the certificates.
  2. Click Start > Run, type certtmpl.msc, and click OK.
  3. In the Certificate Template Console, under Template Display Name, right-click Web Server and click Duplicate Template.
  4. In the Duplicate Template window, select Windows 7 / Server 2008 R2 Enterprise for backward compatibility.

     Note: If you have an encryption level higher than SHA1, select Windows Server 2012 Enterprise.

  5. Click the General tab.
  6. In the Template display name field, enter vSphere 6.x as the name of the new template.
  7. Click the Extensions tab.
  8. Select Application Policies and click Edit.
  9. Select Server Authentication and click Remove, then OK.

     Note: If Client Authentication exists, remove this from Application Policies as well.

  10. Click Basic Constraints and click Edit.
  11. Click the Enable this extension check box and click OK.
  12. Select Key Usage and click Edit.
  13. Select the Signature is proof of origin (non repudiation) option. Leave all other options as default.
  14. Click OK.
  15. Click the Subject Name tab.
  16. Ensure that the Supply in the request option is selected.
  17. Click OK to save the template.
  18. Proceed to the Adding a new template to certificate templates section of this article to make the newly created certificate template available.

Creating a new template for vSphere 6.x to use for VMCA as a Subordinate CA

  1. Connect through an RDP session to the CA server from which you will be generating the certificates.
  2. Click Start > Run, type certtmpl.msc, and click OK.
  3. In the Certificate Template Console, under Template Display Name, right-click Subordinate Certificate Authority and click Duplicate Template.
  4. In the Duplicate Template window, select Windows 7 / Server 2008 R2 Enterprise for backward compatibility.

     Note: If you have an encryption level higher than SHA1, select Windows Server 2012 Enterprise.

  5. Click the General tab.
  6. In the Template display name field, enter vSphere 6.x VMCA as the name of the new template.
  7. Ensure Publish certificate in Active Directory is selected.
  8. Click the Extensions tab.
  9. Click Basic Constraints and click Edit.
  10. Click the Enable this extension check box and click OK.
  11. Select Key Usage and click Edit.
  12. Ensure that Digital Signature, Certificate signing and CRL signing are enabled.
  13. Ensure that Make this extension critical is enabled.
  14. Click OK.
  15. Click OK to save the template.
  16. Proceed to the Adding a new template to certificate templates section of this article to make the newly created certificate template available.

Adding a new template to certificate templates

  1. Connect through an RDP session to the CA server from which you will be generating the certificates.
  2. Click Start > Run, type certsrv.msc, and click OK.
  3. In the left pane of the Certificate Console, if collapsed, expand the node by clicking the + icon.
  4. Right-click Certificate Templates and click New > Certificate Template to Issue.
  5. Locate vSphere 6.x or vSphere 6.x VMCA under the Name column.
  6. Click OK.
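
After a certificate has been issued from either template, its extensions can be checked against the settings chosen in the steps above. The following PowerShell function is an added example and is not part of the original article: the function name and the certificate file name are hypothetical, and it assumes PowerShell 5 or later and a certificate exported as a .cer/.crt file.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Added example, not from the VMware article. Test-VSphereCertificate is a
# hypothetical helper name; -Path is a .cer/.crt file issued from one of the
# templates created above.
function Test-VSphereCertificate {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [ValidateSet('MachineSSL', 'VMCA')] [string] $Template = 'MachineSSL'
    )
    $cert = [X509Certificate2]::new((Resolve-Path -LiteralPath $Path).ProviderPath)
    # Look extensions up by OID: Key Usage, Enhanced Key Usage, Basic Constraints.
    $ku  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $bc  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }

    # Key Usage bits each template is expected to set, per the steps above.
    $required = if ($Template -eq 'VMCA') {
        [X509KeyUsageFlags]'DigitalSignature, KeyCertSign, CrlSign'
    } else {
        [X509KeyUsageFlags]::NonRepudiation
    }
    $checks = [ordered]@{
        'Basic Constraints extension present' = [bool]$bc
        "Key Usage includes $required" = ([bool]$ku -and $ku.KeyUsages.HasFlag($required))
    }
    if ($Template -eq 'VMCA') {
        $checks['Key Usage marked critical'] = ([bool]$ku -and $ku.Critical)
        # A subordinate CA certificate must assert CA=TRUE to sign certificates.
        $checks['Basic Constraints CA=TRUE'] = ([bool]$bc -and $bc.CertificateAuthority)
    } else {
        # Application Policies were removed in the template, so neither EKU should appear.
        $ekuOids = @()
        if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
        $checks['No Server Authentication EKU'] = $ekuOids -notcontains '1.3.6.1.5.5.7.3.1'
        $checks['No Client Authentication EKU'] = $ekuOids -notcontains '1.3.6.1.5.5.7.3.2'
    }
    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Subject = $cert.Subject; Check = $name; Passed = $checks[$name] }
    }
}

# Usage (file name is a placeholder):
#   Test-VSphereCertificate -Path .\machine_ssl.cer -Template MachineSSL | Format-Table -AutoSize
```

A row with Passed set to False points to a template setting that did not carry through to the issued certificate.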