Signing certs for VMware has always been a pain in the ass. It’s gotten a lot better in v6, but there are a few caveats. What we’re going to do here is set up a certificate template in Active Directory Certificate Services from which we will sign our vCenter certificates.

Load up your AD-CA box and run:

certtmpl.msc

Next right click on Web Server and click Duplicate Template:

Duplicate Template

If you want to sign with a hash stronger than SHA-1 (SHA-256 or better), choose Windows Server 2008 as the Certification Authority compatibility level; the default (older) level limits you to legacy providers and hashes.

Certification Authority

Click the General tab and change the name to something significant to you (mine is vSphere 6.0).

Template Name

Then navigate to the Extensions tab, select Application Policies and click Edit. Select Server Authentication, click Remove, then Ok.

Remove Server Authentication

Select Key Usage and click Edit. Tick the Signature is proof of origin (nonrepudiation) option and click Ok.

Key Usage Options

Move to the Subject Name tab and make sure the Supply in the request option is selected. Click Ok on both dialogs. The new template should now show up in your list of certificate templates like so:

vSphere 6.0 Certificate Template

Load up mmc and add the Certification Authority snap-in.

Navigate to the Certificate Templates folder, right click and choose New -> Certificate Template to Issue, then select vSphere 6.0.

Add as a certificate template

We are now ready to use the template for signing vCenter certs.
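Before handing the template to vCenter it is worth confirming from the command line that the three settings above actually landed in the directory and that the CA is publishing the template, since a template that still carries Server Authentication or lacks the nonrepudiation bit will produce certs vCenter rejects. The following check is an added example, not part of the original post or any VMware tooling. It assumes the template display name is vSphere 6.0 as in the walkthrough (it also matches on the template's CN, which the wizard derives from the display name by stripping spaces), that it runs on a domain-joined box with LDAP access to the Configuration partition, and that certutil is run on the CA itself.

```powershell
# Added example (not from the original post): verify the vSphere 6.0 template in AD CS.
# Assumes a domain-joined host with LDAP access; certutil -CATemplates queries the local CA.
function Test-VSphereTemplate {
    param(
        [string]$TemplateName = 'vSphere 6.0'   # display name used in the walkthrough
    )

    # Certificate templates live in the forest Configuration partition.
    $configNc  = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $container = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"

    # Escape LDAP filter metacharacters, then match on CN or displayName
    # (the wizard sets CN to the display name with spaces removed).
    $esc = $TemplateName -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($container)
    $searcher.Filter = "(&(objectClass=pKICertificateTemplate)(|(cn=$esc)(displayName=$esc)))"
    $result = $searcher.FindOne()
    if (-not $result) { throw "No certificate template named '$TemplateName' found under $($container.distinguishedName)" }
    $tpl = $result.GetDirectoryEntry()

    # pKIKeyUsage mirrors the X.509 KeyUsage bit string; the first byte carries
    # digitalSignature = 0x80, nonRepudiation = 0x40, keyEncipherment = 0x20.
    $keyUsage       = [byte[]]$tpl.Properties['pKIKeyUsage'].Value
    $nonRepudiation = ($keyUsage.Length -gt 0) -and (($keyUsage[0] -band 0x40) -ne 0)

    # Application Policies and the legacy EKU list should both be free of Server Authentication.
    $serverAuthOid     = '1.3.6.1.5.5.7.3.1'
    $appPolicies       = @($tpl.Properties['msPKI-Certificate-Application-Policy'])
    $eku               = @($tpl.Properties['pKIExtendedKeyUsage'])
    $serverAuthRemoved = ($appPolicies -notcontains $serverAuthOid) -and ($eku -notcontains $serverAuthOid)

    # msPKI-Certificate-Name-Flag bit 0x1 = CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT ("Supply in the request").
    $nameFlag         = [int]$tpl.Properties['msPKI-Certificate-Name-Flag'].Value
    $subjectInRequest = ($nameFlag -band 0x1) -ne 0

    # certutil -CATemplates lists "<CN>: <DisplayName> -- <access>" for every template the CA issues.
    $published = [bool]((certutil -CATemplates 2>$null) -match [regex]::Escape($TemplateName))

    [pscustomobject]@{
        Template                 = $tpl.Properties['displayName'].Value
        TemplateCN               = $tpl.Properties['cn'].Value
        NonRepudiationSet        = $nonRepudiation
        ServerAuthRemoved        = $serverAuthRemoved
        SubjectSuppliedInRequest = $subjectInRequest
        PublishedOnCA            = $published
    }
}

# Every property except the names should read True before you start signing vCenter certs.
Test-VSphereTemplate -TemplateName 'vSphere 6.0' | Format-List
```

If PublishedOnCA comes back False while the other checks pass, the template exists but the Certificate Template to Issue step was missed (or was done on a different CA than the one you are running certutil against).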

Why not follow @mylesagray on Twitter for more like this!