In order to be able to create uniform certificates that are signed by a Microsoft CA in our lab environment in a meaningful and “VMware compliant” way, it was necessary to create a Certificate Template in advance.
The following instructions are based on the VMware KB article “Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.x/7.x”.
The first step takes place in the “Certificate Templates” MMC snap-in. To do this, ideally start mmc.exe on the Windows CA server via RDP and add the Certificate Templates snap-in.
Duplicate the Web Server Template:
Now the Properties window opens and we have to adjust some settings.
Set the compatibility to Windows 7 / Windows 2008 R2. Theoretically, it also works with a higher version, but this increases the schema version. This in turn means that it is no longer available for selection in the Web Enrollment Interface, as templates are only displayed up to schema version 2. The underlying reasons are unclear to me, but that’s the only way it worked.
Set Display/Template Name under General as desired, in my case “VMware”:
Under Extensions >> Application Policies >> Edit, select Server Authentication >> Remove.
Next, under Extensions >> Basic Constraints >> Edit, tick Enable this extension:
Also under Extensions >> Key Usage >> Edit, tick Signature is proof of origin:
Under Subject Name, ensure that Supply in request is active:
We are now through with the settings and confirm with OK.
Finally, the template must be added to the other templates in the Certification Authority snap-in by right-clicking on Certificate Templates >> New >> Certificate Template to Issue.
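To confirm that the GUI steps above were saved as intended, the template object can be read back from Active Directory. The following PowerShell is an added example, not part of the VMware KB article or the original post. It assumes the RSAT ActiveDirectory module, a domain-joined session with read access to the Configuration partition, and the template name “VMware” used above. The Basic Constraints setting is not checked here.

```powershell
# Added example: read the template back from AD and compare it with the
# settings chosen in the steps above. Read-only; changes nothing.
Import-Module ActiveDirectory   # assumption: RSAT AD module is installed

$TemplateName = 'VMware'        # template name used in this article
$configNC = (Get-ADRootDSE).configurationNamingContext
$base = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$props = 'msPKI-Template-Schema-Version', 'msPKI-Certificate-Name-Flag',
         'pKIExtendedKeyUsage', 'pKIKeyUsage'

$tpl = Get-ADObject -SearchBase $base -Filter "Name -eq '$TemplateName'" -Properties $props
if (-not $tpl) { throw "Template '$TemplateName' not found under $base" }

# pKIKeyUsage is a bit string; flatten it so index 0 is the first byte.
$keyUsage = [byte[]]@($tpl.pKIKeyUsage | ForEach-Object { $_ })
$nameFlag = [int]$tpl.'msPKI-Certificate-Name-Flag'
$ekus     = @($tpl.pKIExtendedKeyUsage)

$checks = [ordered]@{
    # Schema version above 2 hides the template from Web Enrollment.
    'Schema version 2 (Windows 7 / 2008 R2 compatibility)' =
        $tpl.'msPKI-Template-Schema-Version' -eq 2
    # 1.3.6.1.5.5.7.3.1 is the Server Authentication application policy.
    'Server Authentication removed from application policies' =
        '1.3.6.1.5.5.7.3.1' -notin $ekus
    # 0x40 in the first byte is nonRepudiation ("proof of origin").
    'Key usage includes nonRepudiation' =
        ($keyUsage.Count -gt 0) -and (($keyUsage[0] -band 0x40) -ne 0)
    # 0x1 is the "enrollee supplies subject" name flag.
    'Subject name is supplied in the request' =
        ($nameFlag -band 0x1) -ne 0
}

foreach ($c in $checks.GetEnumerator()) {
    '{0,-5} {1}' -f $(if ($c.Value) { 'OK' } else { 'FAIL' }), $c.Key
}
```

Because the template lets the requester supply the subject name, it is also worth reviewing who holds Enroll permission on its Security tab.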
The next steps for me are to use the template for all my Lab certificate signings. I documented a first example with VMware NSX ALB in a blog article.