Signing certs for VMware has always been a pain in the ass. It's gotten a lot better in v6, but there are a few caveats. What we're going to do here is set up a certificate template in Active Directory from which we will sign our vCenter certificates.
Load up your AD-CA box and run:
Next right click on Web Server and click
If you use an encryption level higher than
Windows Server 2008 as the Certification Authority.
General tab and change the name to something significant to you (mine is
Then navigate to the Extensions tab and select Application Policies and click Edit, select Server Authentication and click Remove, then OK.
Select Key Usage and click Edit. Select the Signature is proof of origin (nonrepudiation) option and click OK.
Move to the Subject Name tab. Make sure the Supply in the request option is selected. Click OK on both dialogues. It should now show up in your cert templates like so:
mmc and add the Certificate Authority snap-in.
Navigate to the Certificate Templates folder, right click and choose New -> Certificate Template to Issue, then select vSphere 6.0.
We are now ready to use the template for signing vCenter certs.
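To confirm that a certificate issued from the template carries the settings chosen above (nonrepudiation in Key Usage, no Server Authentication in the application policies), here is an added check that is not part of the original post. The function name `Test-VSphereTemplateCert` and the sample subject are hypothetical, and the sample certificate is a constructed self-signed one built in memory (needs .NET Framework 4.7.2+ or PowerShell 7).

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Hypothetical helper: reports whether a certificate matches the template settings above.
function Test-VSphereTemplateCert {
    param([Parameter(Mandatory)][X509Certificate2]$Certificate)

    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth (Server Authentication)
    $keyUsage = $Certificate.Extensions | Where-Object { $_ -is [X509KeyUsageExtension] }
    $eku      = $Certificate.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }

    # Key Usage: the nonrepudiation bit must be present.
    $hasNonRepudiation = $false
    if ($keyUsage) {
        $hasNonRepudiation = [bool]($keyUsage.KeyUsages -band [X509KeyUsageFlags]::NonRepudiation)
    }

    # Application Policies: Server Authentication was removed from the template,
    # so it must not appear in the EKU list (no EKU extension at all also passes).
    $hasServerAuth = $false
    if ($eku) {
        $hasServerAuth = @($eku.EnhancedKeyUsages | ForEach-Object Value) -contains $serverAuthOid
    }

    [pscustomobject]@{
        Subject           = $Certificate.Subject
        HasNonRepudiation = $hasNonRepudiation
        HasServerAuth     = $hasServerAuth
        MatchesTemplate   = $hasNonRepudiation -and -not $hasServerAuth
    }
}

# Constructed sample: a throwaway self-signed certificate with the same key usage.
# Replace $sample with a certificate actually issued from your CA.
$rsa   = [RSA]::Create(2048)
$req   = [CertificateRequest]::new('CN=vcenter.example.test', $rsa,
             [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$flags = [X509KeyUsageFlags]'DigitalSignature, NonRepudiation, KeyEncipherment'
$req.CertificateExtensions.Add([X509KeyUsageExtension]::new($flags, $true))
$sample = $req.CreateSelfSigned([DateTimeOffset]::Now, [DateTimeOffset]::Now.AddDays(1))

Test-VSphereTemplateCert -Certificate $sample
```

For a certificate exported from the CA, load it with `[X509Certificate2]::new('C:\path\to\issued.cer')` (placeholder path) and pass it to the same function.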