Creating a Microsoft CA Template for vSphere 6.x/7.x

In order to be able to create uniform certificates that are signed by a Microsoft CA in our lab environment in a meaningful and “VMware compliant” way, it was necessary to create a Certificate Template in advance.

The following instructions are based on the VMware KB article Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.x/7.x

The first step takes place in the “Certificate Templates” MMC snap-in. To do this, ideally start mmc.exe on the Windows CA server via RDP and add the Certificate Templates snap-in.

MMC Snap-In for Certificate Templates

Duplicate the Web Server Template:

Duplicate Web Server Template

Now the Properties window opens and we have to adjust some settings.

Set the compatibility to Windows 7 / Windows 2008 R2. Theoretically, it also works with a higher version, but this increases the schema version. This in turn means that it is no longer available for selection in the Web Enrollment Interface, as templates are only displayed up to schema version 2. The underlying reasons are unclear to me, but that’s the only way it worked.

Compatibilty set to Win 2008 R2 / Win 7

Set Display/Template Name under General as desired, in my case “VMware”:

Set Template Name to VMware

Under Extensions >> Applications Policies >> Edit, then select Server Authentication >> Remove

Server Authentication must be removed

Next, under Extensions >> Basic Constraints >> Edit, tick Enable this extension:

Basic Constraints – Enable this extension

Also under Extensions >> Key Usage >> Edit, tick Signature is proof of origin:

Key Usage – activate Signature is proof of origin

Under Subject Name, ensure that Supply in request is active:

Subject Name – Supply in the request

We are now through with the settings and confirm with OK.

Finally, the template must be added to the other templates in the Certification Authority Snap-In by right-clicking on Certificate Templates >> New >> Certificate Template to issue.

Certificate Template to issue

The next steps for me are to use the template for all my Lab certificate signings. I documented a first example with VMware NSX ALB in a blog article.

Leave a Reply

Your email address will not be published. Required fields are marked *