{"id":196,"date":"2022-07-27T16:16:00","date_gmt":"2022-07-27T14:16:00","guid":{"rendered":"https:\/\/zerobotics.de\/blog\/?p=196"},"modified":"2023-07-17T16:32:09","modified_gmt":"2023-07-17T14:32:09","slug":"creating-a-microsoft-ca-template-for-vsphere-6-x-7-x","status":"publish","type":"post","link":"https:\/\/zerobotics.de\/blog\/en\/creating-a-microsoft-ca-template-for-vsphere-6-x-7-x\/","title":{"rendered":"Creating a Microsoft CA Template for vSphere 6.x\/7.x"},"content":{"rendered":"Reading Time<\/span> 2<\/span> Minutes<\/span><\/span>\n

In order to be able to create uniform certificates that are signed by a Microsoft CA in our lab environment in a meaningful and \u201eVMware compliant\u201c way, it was necessary to create a Certificate Template in advance.<\/p>\n\n\n\n

The following instructions are based on the VMware KB article Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.x\/7.x<\/a><\/p>\n\n\n\n\n\n\n\n

The first step takes place in the \u201eCertificate Templates\u201c MMC snap-in. To do this, ideally start mmc.exe<\/code><\/strong> on the Windows CA server via RDP and add the Certificate Templates<\/strong><\/code> snap-in.<\/p>\n\n\n\n

\"\"
MMC Snap-In for Certificate Templates<\/figcaption><\/figure>\n\n\n\n

Duplicate the Web Server Template:<\/p>\n\n\n\n

\"\"
Duplicate Web Server Template<\/figcaption><\/figure>\n\n\n\n

Now the Properties window opens and we have to adjust some settings.<\/p>\n\n\n\n

Set the compatibility to Windows 7 \/ Windows 2008 R2. Theoretically, it also works with a higher version, but this increases the schema version. This in turn means that it is no longer available for selection in the Web Enrollment Interface, as templates are only displayed up to schema version 2. The underlying reasons are unclear to me, but that\u2019s the only way it worked.<\/p>\n\n\n\n

\"\"
Compatibilty set to Win 2008 R2 \/ Win 7<\/figcaption><\/figure>\n\n\n\n

Set Display\/Template Name under General<\/code><\/strong> as desired, in my case \u201eVMware\u201c:<\/p>\n\n\n\n

\"\"
Set Template Name to VMware<\/figcaption><\/figure>\n\n\n\n

Under Extensions >> Applications Policies >> Edit<\/code><\/strong>, then select Server Authentication >> Remove<\/code><\/strong><\/p>\n\n\n\n

\"\"
Server Authentication must be removed<\/figcaption><\/figure>\n\n\n\n

Next, under Extensions >> Basic Constraints >> Edit<\/code><\/strong>, tick Enable this extension<\/strong><\/code>:<\/p>\n\n\n\n

\"\"
Basic Constraints \u2013 Enable this extension<\/figcaption><\/figure>\n\n\n\n

Also under Extensions >> Key Usage >> Edit<\/code><\/strong>, tick Signature is proof of origin<\/code><\/strong>:<\/p>\n\n\n\n

\"\"
Key Usage \u2013 activate Signature is proof of origin<\/figcaption><\/figure>\n\n\n\n

Under Subject Name<\/code><\/strong>, ensure that Supply in request<\/code><\/strong> is active:<\/p>\n\n\n\n

\"\"
Subject Name \u2013 Supply in the request<\/figcaption><\/figure>\n\n\n\n

We are now through with the settings and confirm with OK.<\/p>\n\n\n\n

Finally, the template must be added to the other templates in the Certification Authority Snap-In by right-clicking on Certificate Templates >> New >> Certificate Template to issue<\/code><\/strong>.<\/p>\n\n\n\n

\"\"
Certificate Template to issue<\/figcaption><\/figure>\n\n\n\n

The next steps for me are to use the template for all my Lab certificate signings. I documented a first example with VMware NSX ALB in a blog article.<\/p>\n","protected":false},"excerpt":{"rendered":"

Reading Time<\/span> 2<\/span> Minutes<\/span><\/span>In order to be able to create uniform certificates that are signed by a Microsoft CA in our lab environment in a meaningful and „VMware compliant“ way, it was necessary to create a Certificate Template in advance. The following instructions are based on the VMware KB article Creating a Microsoft Certificate Authority Template for SSL […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[30],"tags":[],"class_list":["post-196","post","type-post","status-publish","format-standard","hentry","category-vmware-en"],"aioseo_notices":[],"aioseo_head":"\n\t\t\n\t\n\t\n\t\n\t\n\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t