This section is based on VMware KB article 2062108. It provides information on manually configuring a new Certificate Authority (CA) template, based on the Web Server template located on the Root or Subordinate CA server, for use with SSL certificate implementation in vSphere 5.x.
In this section we have two tasks to perform:
1) Creating a new default template
2) Adding a new template to certificate templates
1-Creating a new default template
- Connect to the “Root CA server” or Subordinate CA server via “RDP”.
Note: Connect to the CA server in which you are intending to perform your certificate generation.
- Click Start > Run, type “certtmpl.msc”, and click OK. The Certificate Template Console opens.
- In the middle pane, under Template Display Name, locate “Web Server”.
- Right-click Web Server and click Duplicate Template.
- In the Duplicate Template window, select “Windows Server 2003 Enterprise” for backward compatibility. Click “OK”.
- Click the “General” tab. In the Template display name field, enter “VMware Certificate” as the name of the new template.
- Click the “Extensions” tab. Select “Key Usage” and click “Edit”.
- Select the “Signature is proof of origin (nonrepudiation)” option. Select the “Allow encryption of user data” option. Click “OK”.
- Select “Application Policies” and click “Edit”.
- Click “Add”. Select “Client Authentication”. Click “OK”.
- Click “OK” again.
- Click the “Subject Name” tab. Ensure that the “Supply in the request” option is selected.
- Click “OK” to save the template. The “VMware Certificate” template now appears in the list of certificate templates.
2-Adding a new template to certificate templates
To add a new template to certificate templates:
- Click Start > Run, type “certsrv.msc”, and click “OK”. The Certificate Server console opens.
- In the left pane, if collapsed, expand the node by clicking the “[+]” icon.
- Right-click Certificate Templates and click “New” > Certificate Template to Issue.
- Locate “VMware Certificate” under the Name column. Click “OK”.
- Verify that “VMware Certificate” is now listed among your CA certificate templates.
NOTE: A new template option is now created in your Active Directory Certificate Services node. This new template can be used in place of Web Server for the vSphere 5.x CA certificate.
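To confirm that a certificate issued from the new template actually carries the settings chosen above, the following PowerShell check is an added example and is not part of the KB article. The function name `Test-VMwareCertExtensions` is hypothetical, the sample certificate is constructed in memory (this part needs .NET Framework 4.7.2 or later, or PowerShell 7), and Server Authentication is expected because it is inherited from the Web Server template.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Added example: checks a certificate for the extensions configured on the
# "VMware Certificate" template. Function name is hypothetical.
function Test-VMwareCertExtensions {
    param([Parameter(Mandatory)][X509Certificate2]$Certificate)
    $missing = @()

    # Key Usage options ticked on the Extensions tab:
    # nonrepudiation and "Allow encryption of user data" (data encipherment).
    $ku = $Certificate.Extensions | Where-Object { $_ -is [X509KeyUsageExtension] }
    foreach ($flag in 'NonRepudiation', 'DataEncipherment') {
        if (-not $ku -or -not $ku.KeyUsages.HasFlag([X509KeyUsageFlags]$flag)) {
            $missing += "KeyUsage:$flag"
        }
    }

    # Application Policies: Server Authentication comes from the Web Server
    # template, Client Authentication is the one added in the steps above.
    $required = [ordered]@{
        '1.3.6.1.5.5.7.3.1' = 'Server Authentication'
        '1.3.6.1.5.5.7.3.2' = 'Client Authentication'
    }
    $eku = $Certificate.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
    $present = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
    foreach ($oid in $required.Keys) {
        if ($present -notcontains $oid) { $missing += "EKU:$($required[$oid])" }
    }

    [pscustomobject]@{
        Subject   = $Certificate.Subject
        Compliant = ($missing.Count -eq 0)
        Missing   = $missing
    }
}

# Constructed sample: a throwaway self-signed certificate with the same
# extensions, so the check can be run without a CA. The subject is made up.
$rsa = [RSA]::Create(2048)
$req = [CertificateRequest]::new('CN=vcenter.example.test', $rsa,
    [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$usage = [X509KeyUsageFlags]'DigitalSignature, NonRepudiation, KeyEncipherment, DataEncipherment'
$req.CertificateExtensions.Add([X509KeyUsageExtension]::new($usage, $true))
$ekus = [OidCollection]::new()
'1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2' | ForEach-Object { [void]$ekus.Add([Oid]::new($_)) }
$req.CertificateExtensions.Add([X509EnhancedKeyUsageExtension]::new($ekus, $false))
$sample = $req.CreateSelfSigned([DateTimeOffset]::Now, [DateTimeOffset]::Now.AddDays(1))
Test-VMwareCertExtensions -Certificate $sample
```

For a certificate issued by the CA, load the file into an `X509Certificate2` object and pass it to the function instead of `$sample`; an empty `Missing` list means every template setting is present in the issued certificate.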