The Web Server template is the most commonly used template for creating certs from a Microsoft Certification Authority for vSphere. However, it does not have nonrepudiation (Signature is proof of origin), Data Encipherment and Client Authentication enabled, which VMware recommends (vSphere 5.x and above requires Data Encipherment on CA certificates).
Here is a step-by-step guide to creating a new template for vSphere certs.
On your Certification Authority server, go to Start -> certtmpl.msc. This opens the Certificate Templates Console.
- In the Certificate Templates Console, select “Web Server”, right-click and choose “Duplicate Template”.
- The “Properties of New Template” window opens. Select Windows Server 2003 Enterprise for backward compatibility if SHA1 is your signing algorithm; otherwise choose Windows Server 2008 Enterprise.
- On the General tab, change the template display name to VMware SSL or a name of your choice.
- On the Extensions tab, select Application Policies and click Edit.
- In “Edit Application Policy Extension”, click “Add”, select “Client Authentication” from the list and click OK.
- Select “Key Usage”, click Edit and check the “Signature is proof of origin (nonrepudiation)” option. Leave all other options at their defaults.
- On the “Subject name” tab, ensure “Supply in the request” is selected.
- Click OK and save the template.
Making the template available to be published
- Open certsrv.msc and click Certificate Templates; this lists the templates available to be published. Right-click Certificate Templates -> New -> Certificate Template to Issue.
- Select the VMware SSL template we created and click OK.
This template will be used for creating vSphere Machine or Solution user certs. We will use it in future blog posts to replace certs in a vSphere environment.
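Once a certificate has been issued from the new template, it is worth confirming that it actually carries the key usages and application policies the steps above are meant to produce. The PowerShell function below is an added check written for this post, not code from the original post or from VMware; the certificate path is an assumption.

```powershell
function Test-VSphereCertUsage {
    param(
        # Path to a .cer file issued from the custom template (the path in the usage line is assumed).
        [Parameter(Mandatory)][string]$Path
    )
    $cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $kuType = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
    # Key Usage bits expected: Digital Signature and Key Encipherment come from the Web Server
    # template; Non-Repudiation (proof of origin) and Data Encipherment are what this post requires.
    $requiredKu = $kuType::DigitalSignature -bor $kuType::NonRepudiation -bor
                  $kuType::KeyEncipherment  -bor $kuType::DataEncipherment
    # Application policies (EKU OIDs): Server Authentication from Web Server plus the added Client Authentication.
    $requiredEku = @{
        '1.3.6.1.5.5.7.3.1' = 'Server Authentication'
        '1.3.6.1.5.5.7.3.2' = 'Client Authentication'
    }
    $problems = @()

    $ku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    if (-not $ku) {
        $problems += 'Key Usage extension is absent'
    } else {
        # Bits that are required but not set in the certificate.
        $missing = [int]$requiredKu -band -bnot [int]$ku.KeyUsages
        if ($missing -ne 0) { $problems += "Key Usage missing: $($missing -as $kuType)" }
    }

    $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $present = @()
    if ($eku) { $present = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    foreach ($oid in $requiredEku.Keys) {
        if ($present -notcontains $oid) { $problems += "Application policy missing: $($requiredEku[$oid]) ($oid)" }
    }

    # "Supply in the request" should yield a populated subject, not an empty one.
    if ([string]::IsNullOrWhiteSpace($cert.Subject)) { $problems += 'Subject is empty' }

    # Certificate Template Information extension (V2 templates) records which template issued the cert.
    $tmpl     = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
    $tmplText = if ($tmpl) { $tmpl.Format($false) } else { '(no template extension)' }

    [pscustomobject]@{
        Subject   = $cert.Subject
        Template  = $tmplText
        Compliant = ($problems.Count -eq 0)
        Problems  = $problems
    }
}
Test-VSphereCertUsage -Path 'C:\certs\vcenter.cer'   # assumed path to an issued certificate
```

If Compliant comes back False, the Problems list names exactly which Key Usage bit or application policy the template did not apply, which is usually a sign that the Key Usage or Application Policies edit above was skipped or that the request was issued from the original Web Server template.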
Reference: VMware KB
Note: The user may need IIS_IUSRS permissions to generate certificates.