Signing certs for VMware has always been a pain in the ass, it’s gotten a lot better in v6 but there are a few caveats, what we’re going to do here is set up a certificate template in Active Directory from which we will sign our vCenter certificates.
Load up your AD-CA box and run:
certtmpl.msc
Next right click on Web Server and click Duplicate Template:
If you use an encryption level higher than sha1 choose Windows Server 2008 as the Certification Authority.
Click the General tab and change the name to something significant to you (mine is vSphere 6.0).
Then navigate to the Extensions tab and select Application Policies and click Edit, select Server Authentication and click Remove then Ok.
Select Key Usage and click Edit. Select Signature is proof of origin (nonrepudiation) option and click Ok.
Move to the Subject Name tab. Make sure Supply in the request option is selected. Click Ok on both dialogues. It should now show up in your cert templates like so:
Load up mmc and add the Certificate Authority snap-in.
Navigate to the Certificate Templates folder and right click choose New -> Certificate Template to Issue then select vSphere 6.0.
We are now ready to use the template for signing vCenter certs.
Leave a Reply