Howto: Creating a CA template for VMware services

Having previously set up my lab's PKI infrastructure, one of my next steps was to create a certificate template for VMware's products, which require certain properties to be present in the certificates they use.

There is a KB article that covers this but I wanted to run through it and use some of the specifics for my lab.

Template for VMware SSL Certificates

This template will provide certificates for ESXi hosts, vCenter, vRA, vRO etc. To create it, we first need the Certificate Templates Console. This can be opened by running certtmpl.msc.

Per the KB article, I duplicated the “Web Server” template as a starting point. My first task was to give the template a new name and set the validity to 4 years.

On the Extensions tab, although it's possibly not required for vSphere 6 (it is for earlier versions of vSphere), I added “Client Authentication” under the Application Policies option.

Again, it may not be universally required, but I've added the “Signature is proof of origin” option under Key Usage (also on the Extensions tab).

Depending on the use case required, it might be useful to be able to export a certificate's private key. I haven't worked on View for some years but this option came in handy then. It's configured under the Request Handling tab.

On the Subject Name tab, ensure that “Supply in the request” is checked.

That's it. Just hit OK to save it.
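
To confirm that the saved template carries the settings chosen above, it can be read back from Active Directory. The script below is an added example, not part of the original post or the KB article; the template name is a placeholder, and it assumes a domain-joined Windows PowerShell session and a version 2 or later template. Because the subject is supplied in the request, it also lists which principals hold the Enroll right, so enrollment can be kept to the admins who request VMware certificates.

```powershell
# Added example, not from the original post. Read-only: it queries AD and changes nothing.
# 'VMware-SSL-Placeholder' is a placeholder; pass the "Template name" (cn), not the display name.
param([string]$TemplateName = 'VMware-SSL-Placeholder')

$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$base = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$searcher = New-Object System.DirectoryServices.DirectorySearcher($base)
$searcher.Filter = "(&(objectClass=pKICertificateTemplate)(cn=$TemplateName))"
$hit = $searcher.FindOne()
if (-not $hit) { throw "Template '$TemplateName' not found" }
$p = $hit.Properties   # attribute names are lower-cased in search results

# pKIExpirationPeriod: negative count of 100 ns intervals, little-endian Int64
$ticks = [BitConverter]::ToInt64($p['pkiexpirationperiod'][0], 0)
$days  = [math]::Round([math]::Abs($ticks) / 864000000000)

$eku      = @($p['pkiextendedkeyusage'])        # Application Policies (OIDs)
$keyUsage = $p['pkikeyusage'][0][0]             # first byte of the Key Usage bit string
$nameFlag = $p['mspki-certificate-name-flag'][0]
$keyFlag  = $p['mspki-private-key-flag'][0]

[pscustomobject]@{
    Template                 = $TemplateName
    ValidityDays             = $days                               # 4 years is about 1460
    ServerAuthentication     = $eku -contains '1.3.6.1.5.5.7.3.1'
    ClientAuthentication     = $eku -contains '1.3.6.1.5.5.7.3.2'
    DigitalSignature         = [bool]($keyUsage -band 0x80)
    NonRepudiation           = [bool]($keyUsage -band 0x40)        # "Signature is proof of origin"
    KeyEncipherment          = [bool]($keyUsage -band 0x20)
    SubjectSuppliedInRequest = [bool]($nameFlag -band 0x1)
    PrivateKeyExportable     = [bool]($keyFlag -band 0x10)
} | Format-List

# Principals explicitly allowed the Certificate-Enrollment extended right.
# Full-control holders can also enroll and are not listed by this filter.
$enroll   = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$extRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$rules = $hit.GetDirectoryEntry().psbase.ObjectSecurity.GetAccessRules(
    $true, $true, [System.Security.Principal.NTAccount])
$rules | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $_.ObjectType -eq $enroll -and
    ($_.ActiveDirectoryRights -band $extRight)
} | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
```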

Template for VMware VMCA

If you want to set up the VMCA as a subordinate certificate authority on a vSphere 6 Platform Services Controller, a slightly different type of certificate is required. I don't think that I deviated from the KB article here except with the validity period.

“Publishing” the certificate templates

This is a fairly straightforward process accomplished using the Certification Authority Manager. Templates are added one at a time by right-clicking on “Certificate Templates” and selecting New > Certificate Template to Issue.

Once published, the templates are available via the CA's web interface for new requests.
