vExpert

Deep Dive in to Virtualization & Cloud


Creating Certificate Template for vSphere & vCenter Server

The first step in certificate generation and replacement is to set up a Microsoft Certificate Authority template in the Active Directory (AD) forest for the region. The template holds the certificate authority (CA) attributes (key usage, application policies, subject handling) that the CA applies when it signs certificates for VMware SDDC solutions. After you create the new template, you add it to the certificate templates the Microsoft CA is allowed to issue.

Certificate templates define the enrollment policy on the CA. First, an Enterprise CA issues certificates only from the templates it has been configured to issue. Second, the permissions on the template's Active Directory object determine whether a user or computer may request a certificate based on that template: if the requester lacks Enroll permission on the template, the CA denies the request.

Certificate templates contain the properties common to every certificate the CA issues from that template. Windows ships several predefined templates, and administrators can also create their own templates for their enterprise. When requesting a certificate, a client only has to name the template in the request; the CA builds the certificate from the requester's information in Active Directory and the properties defined in the template.

Creating a certificate authority template for this VMware Validated Design includes the following operations:

  • Set up a Microsoft Certificate Authority template.

  • Add the new template to the certificate templates of the Microsoft CA.

Please see this link for how to set up the Microsoft Certificate Authority itself; the CA must exist before a template can be published to it.

Creating Template for vSphere 6.x to use for Machine SSL and Solution User Certificates

Connect through an RDP session to the CA server from which you will be issuing the certificates.

Click Start > Run, type certtmpl.msc, and click OK. This opens the Certificate Templates Console directly.

Alternatively, open the Certification Authority console (certsrv.msc), right-click Certificate Templates in the left pane and click Manage; this opens the same Certificate Templates Console.

In the Certificate Template Console, under Template Display Name, right-click Web Server and click Duplicate Template.

In the Duplicate Template window, select Windows Server 2003 Enterprise for the widest backward compatibility.

Note: If your CA signs with a hash algorithm stronger than SHA-1 (for example SHA-256), select Windows Server 2008 Enterprise instead. Because current browsers and clients reject SHA-1 signed certificates, this is normally the option to choose.

Click the General tab and, in the Template display name field, enter VMware vSphere 6.0 as the name of the new template.

Click the Extensions tab, select Application Policies and click Edit. Select Server Authentication, click Remove, then click OK.

Note:
If Client Authentication is also listed, remove it from Application Policies as well. With both removed the template carries no application policy, so the issued certificate is not restricted to a single purpose; that is intended, because the same template serves both Machine SSL and solution user certificates in vSphere 6.x.

Select Key Usage and click Edit. Select the Signature is proof of origin (nonrepudiation) option, leave all other options at their defaults, and click OK.

Click the Subject Name tab, ensure that the Supply in the request option is selected, and click Apply and OK to save the template. Close the Certificate Templates Console. Supply in the request is what lets the subject and Subject Alternative Names from the vSphere CSR be used; it also means the CA does not validate that subject against Active Directory, so restrict Enroll permission on this template to the administrators who actually issue vSphere certificates.

In the Certification Authority window, expand the left pane if it is collapsed. Right-click Certificate Templates and select New > Certificate Template to Issue.

Scroll down to your new template and click OK.

We are now ready to use the template for signing vSphere/vCenter certs.
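The settings clicked through above can be read back and checked before any certificate is requested. The following PowerShell script is an added example, not code from the original post or from VMware KB 2112009. It assumes it is run on the CA (or a domain member with certutil) as a CA administrator, that the template kept its default CN (the display name with spaces removed, so VMwarevSphere6.0), and that the CA is the only one in the forest (otherwise add -config to the certutil and certreq calls).

```powershell
# Added example (not from the original post or VMware KB 2112009): read the
# duplicated Web Server template back from Active Directory, confirm it matches
# the steps above, and publish it on the CA. Assumptions: run on the CA (or a
# domain member with certutil) as a CA administrator; the template keeps the
# default CN, which is the display name with spaces removed.
$DisplayName = 'VMware vSphere 6.0'                  # the name entered on the General tab
$templateCN  = $DisplayName -replace ' ', ''          # default CN, e.g. VMwarevSphere6.0 (assumption)

# Templates are objects in the Configuration partition, shared by every CA in the forest.
$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$dn       = "CN=$templateCN,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$t        = [ADSI]"LDAP://$dn"
try { $t.RefreshCache() } catch { throw "Template '$templateCN' not found at $dn" }

# pKIKeyUsage is an octet string whose first byte holds the X.509 keyUsage bits:
# digitalSignature=0x80 nonRepudiation=0x40 keyEncipherment=0x20 keyCertSign=0x04 cRLSign=0x02
$kuByte    = ([byte[]]$t.Properties['pKIKeyUsage'].Value)[0]
$nameFlags = [int]$t.Properties['msPKI-Certificate-Name-Flag'].Value
$schemaVer = [int]$t.Properties['msPKI-Template-Schema-Version'].Value
$eku       = @($t.Properties['pKIExtendedKeyUsage'])   # empty once Server/Client Authentication are removed

$checks = [ordered]@{
    'Subject: supply in the request (flag 0x1)' = (($nameFlags -band 0x1) -ne 0)
    'Key usage: digitalSignature'               = (($kuByte -band 0x80) -ne 0)
    'Key usage: nonRepudiation'                 = (($kuByte -band 0x40) -ne 0)
    'Application policies: none'                = ($eku.Count -eq 0)
    'Compatibility: 2003 (v2) or 2008 (v3)'     = ($schemaVer -eq 2 -or $schemaVer -eq 3)
}
foreach ($c in $checks.GetEnumerator()) { '{0,-44} {1}' -f $c.Key, $c.Value }
if ($checks.Values -contains $false) { throw 'Template differs from the procedure; correct it in certtmpl.msc first.' }

# "Certificate Template to Issue" from the command line, then confirm the CA lists it.
certutil -SetCATemplates "+$templateCN" | Out-Null
$listed = (certutil -CATemplates) -match ('^' + [regex]::Escape($templateCN) + ':')
if (-not $listed) { throw "CA does not list $templateCN; check Enroll permissions and the CA's template list." }
"Template $templateCN published. Request a certificate with:"
"  certreq -submit -attrib `"CertificateTemplate:$templateCN`" vcenter01.csr vcenter01.cer"
```

Each check maps to one tab of the procedure: the name flag to Subject Name, the two key-usage bits to Key Usage, the empty EKU list to Application Policies, and the schema version to the compatibility choice in the Duplicate Template window. The certreq line printed at the end is how a CSR produced by vCenter's certificate-manager is submitted against the template.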

Creating Template for vSphere 6.x to use for VMCA as a Subordinate CA

In the Certificate Template Console, under Template Display Name, right-click Subordinate Certificate Authority and click Duplicate Template.

In the Duplicate Template window, select Windows Server 2003 Enterprise for the widest backward compatibility.

Note: If your CA signs with a hash algorithm stronger than SHA-1 (for example SHA-256), select Windows Server 2008 Enterprise instead; as with the first template, this is normally the option to choose.

Click the General tab and, in the Template display name field, enter VMware vSphere 6.x VMCA as the name of the new template. Also ensure that Publish certificate in Active Directory is selected.

Click the Extensions tab. Select Key Usage and click Edit. Ensure that Digital signature, Certificate signing and CRL signing are enabled, check that Make this extension critical is enabled, and click OK. These are the key usages a subordinate CA needs in order to sign certificates and publish revocation lists.

Click Apply and OK to save the template. Close the Certificate Templates Console.

In the Certification Authority window, expand the left pane if it is collapsed. Right-click Certificate Templates and select New > Certificate Template to Issue.

Scroll down to your new template and click OK.

We are now ready to use the template for signing VMCA as a Subordinate CA.
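Both templates are used the same way: the CSR that vCenter's certificate-manager generates is submitted to the CA naming the template, and the returned certificate should be checked before it is handed back to vCenter. The following PowerShell script is an added example, not code from the original post or from VMware KB 2112009; it submits one CSR against each template, checks that the issued certificates carry the extensions the two procedures configure, and writes the PEM chain (leaf first, then each issuer up to the root) that certificate-manager takes for the VMCA subordinate. The CA config string, file names and template CNs are assumptions to be replaced with your own; it needs Windows PowerShell 5.1 or later.

```powershell
# Added example, not from the original post or KB 2112009: submit the CSRs to the
# CA against the two templates, check that the issued certificates carry the
# extensions each template is meant to produce, then write the PEM chain that
# vCenter's certificate-manager consumes. CA config string, file names and
# template CNs below are placeholders (assumptions); change them for your site.
using namespace System.Security.Cryptography.X509Certificates

$CAConfig     = 'ca01.corp.example\CORP-Issuing-CA'   # "host\CA common name" (assumption)
$SslTemplate  = 'VMwarevSphere6.0'                    # CN of the Web Server duplicate (assumption)
$VmcaTemplate = 'VMwarevSphere6.xVMCA'                # CN of the Subordinate CA duplicate (assumption)

function Submit-Csr([string]$Csr, [string]$Template, [string]$OutCer) {
    # certreq -submit sends the CSR; -attrib names the template the CA should apply.
    certreq -submit -config $CAConfig -attrib "CertificateTemplate:$Template" $Csr $OutCer | Out-Null
    if (-not (Test-Path $OutCer)) { throw "No certificate returned for $Csr (request pending or denied?)" }
    [X509Certificate2]::new($OutCer)
}

function Get-Ext([X509Certificate2]$Cert, [string]$Oid) {
    $Cert.Extensions | Where-Object { $_.Oid.Value -eq $Oid }
}

# Machine SSL / solution-user cert: nonrepudiation must be in key usage (Key Usage
# tab) and the SAN supplied in the request must have survived (Subject Name tab).
function Test-MachineSslCert([X509Certificate2]$Cert) {
    $ku  = Get-Ext $Cert '2.5.29.15'      # keyUsage
    $eku = Get-Ext $Cert '2.5.29.37'      # extendedKeyUsage (template defines none)
    $san = Get-Ext $Cert '2.5.29.17'      # subjectAltName
    $ok  = $true
    if (-not $ku -or -not $ku.KeyUsages.HasFlag([X509KeyUsageFlags]::NonRepudiation)) {
        Write-Warning 'keyUsage lacks nonRepudiation'; $ok = $false
    }
    if (-not $san -or $san.Format($false) -notmatch 'DNS Name=') {
        Write-Warning 'no DNS subjectAltName; browsers reject CN-only certificates'; $ok = $false
    }
    if ($Cert.SignatureAlgorithm.FriendlyName -match 'sha1') {
        Write-Warning 'SHA-1 signature; reissue from a SHA-256 CA'; $ok = $false
    }
    if ($eku) { 'EKU as issued: ' + $eku.Format($false) } else { 'EKU: none (any purpose)' }
    return $ok
}

# VMCA subordinate cert: CA=true, and keyUsage must be critical with
# digitalSignature + keyCertSign + cRLSign (Extensions tab of the second template).
function Test-SubCaCert([X509Certificate2]$Cert) {
    $bc   = Get-Ext $Cert '2.5.29.19'     # basicConstraints
    $ku   = Get-Ext $Cert '2.5.29.15'
    $want = [X509KeyUsageFlags]'DigitalSignature, KeyCertSign, CrlSign'
    $isCa = [bool]($bc -and $bc.CertificateAuthority)
    $kuOk = [bool]($ku -and $ku.Critical -and $ku.KeyUsages.HasFlag($want))
    if (-not $isCa) { Write-Warning 'basicConstraints CA flag not set' }
    if (-not $kuOk) { Write-Warning 'keyUsage missing keyCertSign/cRLSign or not marked critical' }
    return ($isCa -and $kuOk)
}

# PEM chain, leaf first then each issuer up to the root, built from the local store.
function Export-PemChain([X509Certificate2]$Cert, [string]$Path) {
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck   # build offline
    if (-not $chain.Build($Cert)) { throw "Chain does not build: $($chain.ChainStatus.StatusInformation -join '; ')" }
    $pem = foreach ($el in $chain.ChainElements) {
        "-----BEGIN CERTIFICATE-----`n" +
        [Convert]::ToBase64String($el.Certificate.RawData, 'InsertLineBreaks') +
        "`n-----END CERTIFICATE-----"
    }
    Set-Content -Path $Path -Value ($pem -join "`n") -Encoding Ascii
    $chain.ChainElements.Count
}

# Usage (CSR file names are assumptions; certificate-manager writes the VMCA one as root_signing_cert.csr):
$ssl  = Submit-Csr 'vcenter01.csr'         $SslTemplate  'vcenter01.cer'
$vmca = Submit-Csr 'root_signing_cert.csr' $VmcaTemplate 'root_signing_cert.cer'
if (-not (Test-MachineSslCert $ssl)) { throw 'Machine SSL certificate does not match the template' }
if (-not (Test-SubCaCert $vmca))     { throw 'VMCA certificate is not usable as a subordinate CA' }
'Chain for VMCA has {0} certificates' -f (Export-PemChain $vmca 'root_signing_chain.cer')
```

If certreq reports the request as pending, the Subordinate Certification Authority template on your CA requires manager approval; issue it in the Certification Authority console and re-run with certreq -retrieve. The chain is built with revocation checking disabled only so the check runs offline; the CA's CRL distribution points still have to be reachable from the vSphere hosts once the certificates are in use.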

For more details and a video walkthrough, see the VMware KB article below:

https://kb.vmware.com/s/article/2112009

Thanks,

If you have any comments, please drop me a line.
I hope this article was informative, and don’t forget to buy me a coffee if you found this worth reading.


