Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 5.x
(2062108)
Configuration SSL Cert
Purpose
This article provides information on manually configuring a new Certificate Authority (CA) template based on the Web Server template located in the Certificate Authority Root or Subordinate server for use with SSL certificate implementation in VMware vSphere 5.x.
By default, the Certificate Authority role in Windows Server 2008 and later does not include Data Encipherment, Nonrepudiation, or Client Authentication on the Web Server template. vSphere 5.0 requires the use of Nonrepudiation and Client Authentication on the generated CA certificates; vSphere 5.1 and 5.5 require Data Encipherment on the generated CA certificates.
Resolution
Creating a new default template
To create a new default template:
1. Connect to the Root CA server or Subordinate CA server through RDP.
   Note: Connect to the CA server on which you intend to perform your certificate generation.
2. Click Start > Run, type certtmpl.msc, and click OK. The Certificate Template Console opens.
3. In the middle pane, under Template Display Name, locate Web Server.
4. Right-click Web Server and click Duplicate Template.
5. In the Duplicate Template window, select Windows Server 2003 Enterprise for backward compatibility.
   Note: If you have an encryption level higher than SHA1, select Windows Server 2008 Enterprise.
6. Click the General tab.
7. In the Template display name field, enter VMware Certificate as the name of the new template.
8. Click the Extensions tab.
9. Select Key Usage and click Edit.
10. Select the Signature is proof of origin (nonrepudiation) option.
11. Select the Allow encryption of user data option.
12. Click OK.
13. Select Application Policies and click Edit.
14. Click Add.
15. Select Client Authentication.
    Note: You may need to provide a name to proceed to step 16.
16. Click OK.
17. Click OK again.
18. Click the Subject Name tab.
19. Ensure that the Supply in the request option is selected.
20. Click OK to save the template.
Adding a new template to certificate templates
To add a new template to certificate templates:
1. Connect to the Root CA server or Subordinate CA server through RDP.
   Note: Connect to the CA server on which you intend to perform your certificate generation.
2. Click Start > Run, type certsrv.msc, and click OK. The Certificate Server console opens.
3. In the left pane, if collapsed, expand the node by clicking the [+] icon.
4. Right-click Certificate Templates and click New > Certificate Template to Issue.
5. Locate VMware Certificate under the Name column.
6. Click OK.
A new template option is now created in your Active Directory Certificate Services node. This new template can be used in place of Web Server for the vSphere 5.x CA certificate.
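
To confirm that a certificate issued from the new template carries the settings configured above, the following PowerShell function reads a certificate file and reports whether the Nonrepudiation and Data Encipherment key usages and the Client Authentication application policy are present. It is an added example, not part of the original article; the function name Test-VMwareCertUsage and the sample path are assumptions.

```powershell
# Added example (not from the original article): audit an issued certificate
# for the key usages and application policies enabled on the new template.
function Test-VMwareCertUsage {
    param([Parameter(Mandatory = $true)][string] $Path)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path

    # Key Usage bits selected on the Extensions tab in the steps above.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
    $requiredKeyUsage = @{
        'Nonrepudiation'    = $flags::NonRepudiation      # required by vSphere 5.0
        'Data Encipherment' = $flags::DataEncipherment    # required by vSphere 5.1 and 5.5
    }
    # Application Policies (Enhanced Key Usage), identified by OID.
    $requiredEku = @{
        'Client Authentication' = '1.3.6.1.5.5.7.3.2'     # added in the steps above
        'Server Authentication' = '1.3.6.1.5.5.7.3.1'     # inherited from Web Server
    }

    # 2.5.29.15 = Key Usage, 2.5.29.37 = Enhanced Key Usage
    $ku  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ekuOids = @()
    if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    foreach ($name in $requiredKeyUsage.Keys) {
        $present = $false
        if ($ku) {
            # A missing Key Usage extension counts as "not present".
            $present = (([int]$ku.KeyUsages -band [int]$requiredKeyUsage[$name]) -ne 0)
        }
        New-Object PSObject -Property @{ Check = "Key Usage: $name"; Present = $present }
    }
    foreach ($name in $requiredEku.Keys) {
        New-Object PSObject -Property @{
            Check   = "Application Policy: $name"
            Present = ($ekuOids -contains $requiredEku[$name])
        }
    }
}

# The path is a placeholder; point it at a certificate issued from the template.
Test-VMwareCertUsage -Path 'C:\certs\issued.cer' | Format-Table Check, Present -AutoSize
```

Any row showing Present as False means the certificate was issued from a template that lacks that setting, for example the unmodified Web Server template.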