In our last post Setup SSL Certificate Authority For vSphere Lab we saw how to add CA Server Role to a windows server 2008 machine. In this post we will see how to generate certificates.

1: Launch Certificate Authority console from Administrative Tools.

ssl-20

2: Right Click on Certificate Template and click Manage.

ssl-21

3: Select the Windows Authentication Template and right click on it and select Duplicate Template.

ssl-22

4: Select Windows server 2008 Enterprise and hit OK.

ssl-23

5: Give the new certificate template a name. Also we need to change some of the properties of the new template.

I have changed the validity period to 5 years and selected Publish certificate in AD and Do not automatically reenroll option.

ssl-24

6: Go to Security tab and  change the “Domain Computers” permissions to read and autoenroll the certificate.

ssl-25

7: Go to Extensions Tab and change the Application Policies to include both Client and Server Authentication.

Select Application Policies and click on Edit.

ssl-26

Click on Add button to see list of policy available

ssl-28

From the Add Application Policy list select “Server Authentication” and click OK.

ssl-29

Once Server Authentication policy is added hit OK.

ssl-30

8: Under Subject Name tab, add the UPN checkbox and hit Apply OK.

ssl-31

9: Now again go back to the Certificate Authority MMC.  Right click on the Certificate Template Folder and choose New–> Certificate Template to Issue.

ssl-32

10: Select the certificate template that we have just created and hit OK.

ssl-33

Creating Group Policy

Now to enable computers to automatically grab the certificates which we created and install them as trusted certificates we have to create a group policy.

If you remember during certificate Template creation we have selected  “Autoenroll”. That doesn’t do anything until we configure a GPO to tell the computers to look for these certs.

11: To create a new group policy, go to Run and type “gpedit.msc“. Navigate to Windows Settings > Security Policies > Public Key Policies and select Certificate Services Client-Auto Enrollment and right click to open properties.

ssl-34

12: Under Configuration Model select “Enabled” and select the options Renew expired certificates and update certificates that use certificate template. Click on Apply OK.

ssl-35

13:Now select “Certificate Services Client-Certificate Enrollment Policy” and right click to open properties. Under Configuration Model select Enabled and Checkmark the box in front of Active Directory Enrollment. Hit Apply OK.

ssl-36

Now we have created certificates and selected the appropriate policies. In our next post we will see how to generate signed certificates for use in our vSphere Infrastructure.

I hope you enjoyed reading this post. Feel free to share this on social media if it is worth sharing. Be sociable 🙂

Posted in: SSL Certs.
Last Modified: January 12, 2017

0 thoughts on “Setup SSL Certificates For vSphere Lab-Part-2-Creating Certificate templates

  1. Pingback: Newsletter: October 31, 2015 | Notes from MWhite

Leave a reply