In order to be able to create uniform certificates that are signed by a Microsoft CA in our lab environment in a meaningful and “VMware compliant” way, it was necessary to create a Certificate Template in advance.
The following instructions are based on the VMware KB article “Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.x/7.x”.
The first step takes place in the “Certificate Templates” MMC snap-in. To do this, ideally start mmc.exe on the Windows CA server via RDP and add the Certificate Templates snap-in.
Duplicate the Web Server Template:
Now the Properties window opens and we have to adjust some settings.
Set the compatibility to Windows 7 / Windows 2008 R2. Theoretically, it also works with a higher version, but this increases the schema version. This in turn means that it is no longer available for selection in the Web Enrollment Interface, as templates are only displayed up to schema version 2. The underlying reasons are unclear to me, but that’s the only way it worked.
Set Display/Template Name under General as desired, in my case “VMware”.
Extensions >> Application Policies >> Edit, then select Server Authentication >> Remove.
Extensions >> Basic Constraints >> Edit, tick Enable this extension.
Extensions >> Key Usage >> Edit, tick Signature is proof of origin.
Subject Name: ensure that Supply in request is active.
We are now through with the settings and confirm with OK.
Finally, the template must be added to the other templates in the Certification Authority snap-in by right-clicking on Certificate Templates >> New >> Certificate Template to Issue.
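To confirm that the template stored in Active Directory matches the settings chosen above, the template object's attributes can be checked. The following is an added example, not part of the original post or the VMware KB article. The function name Test-VMwareTemplate and the sample values are constructed for illustration, and the flag values are taken from Microsoft's certificate template specification (MS-CRTD).

```powershell
# Added example: compare a template's AD attributes with the settings from this post.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # OID of the Server Authentication policy

function Test-VMwareTemplate {          # hypothetical helper name
    param([Parameter(Mandatory)] $Template)

    $nameFlag   = [int]$Template.'msPKI-Certificate-Name-Flag'
    $enrollFlag = [int]$Template.'msPKI-Enrollment-Flag'
    $keyUsage   = [byte[]]$Template.pKIKeyUsage
    # Application policies are stored in two attributes; check both.
    $policies   = @($Template.pKIExtendedKeyUsage) +
                  @($Template.'msPKI-Certificate-Application-Policy')

    [pscustomobject][ordered]@{
        # Web Enrollment only lists templates up to schema version 2.
        SchemaVersionAtMost2 = [int]$Template.'msPKI-Template-Schema-Version' -le 2
        # 0x1 = CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT ("Supply in request").
        SupplyInRequest      = ($nameFlag -band 0x1) -ne 0
        # 0x8000 = CT_FLAG_INCLUDE_BASIC_CONSTRAINTS_FOR_EE_CERTS.
        BasicConstraints     = ($enrollFlag -band 0x8000) -ne 0
        # First key usage byte, 0x40 = nonRepudiation ("Signature is proof of origin").
        NonRepudiation       = ($keyUsage[0] -band 0x40) -ne 0
        ServerAuthRemoved    = $policies -notcontains $ServerAuthOid
    }
}

# Constructed sample: attribute values a template configured as above would carry.
$sample = @{
    'msPKI-Template-Schema-Version' = 2
    'msPKI-Certificate-Name-Flag'   = 0x1
    'msPKI-Enrollment-Flag'         = 0x8000
    pKIKeyUsage                     = [byte[]](0xE0, 0x00)
    pKIExtendedKeyUsage             = @()
}
Test-VMwareTemplate -Template $sample

# Against the live directory (needs the ActiveDirectory module; template name "VMware" as above):
# $base = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,' +
#         (Get-ADRootDSE).configurationNamingContext
# Get-ADObject -SearchBase $base -Filter "cn -eq 'VMware'" -Properties * |
#     ForEach-Object { Test-VMwareTemplate -Template $_ }
```

Every property of the returned object should be True for a template configured as described in this post.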
The next steps for me are to use the template for all my Lab certificate signings. I documented a first example with VMware NSX ALB in a blog article.