Setup SSL Certificates For vSphere Lab-Part-2-Creating Certificate templates

By | 23/10/2015

In our last post, Setup SSL Certificate Authority For vSphere Lab, we saw how to add the CA Server Role to a Windows Server 2008 machine. In this post we will create the certificate template and the Group Policy settings that let domain computers enroll for certificates.

1: Launch the Certificate Authority console from Administrative Tools.

2: Right-click on Certificate Template and click Manage.

3: Select the Windows Authentication Template, right-click on it and select Duplicate Template.

4: Select Windows Server 2008 Enterprise and hit OK.


5: Give the new certificate template a name. Also we need to change some of the properties of the new template.

I have changed the validity period to 5 years and selected the Publish certificate in AD and Do not automatically reenroll options.

6: Go to the Security tab and change the “Domain Computers” permissions to read and autoenroll the certificate.


7: Go to Extensions Tab and change the Application Policies to include both Client and Server Authentication.

Select Application Policies and click on Edit.

Click on the Add button to see the list of available policies.


From the Add Application Policy list select “Server Authentication” and click OK.

Once the Server Authentication policy is added, hit OK.

8: Under the Subject Name tab, select the UPN checkbox and hit Apply, then OK.

9: Now go back to the Certificate Authority MMC. Right-click on the Certificate Template folder and choose New > Certificate Template to Issue.


10: Select the certificate template that we have just created and hit OK.


 

Creating Group Policy

To enable computers to automatically grab the certificates we created and install them as trusted certificates, we have to create a group policy.

If you remember, during certificate template creation we selected “Autoenroll”. That doesn’t do anything until we configure a GPO to tell the computers to look for these certs.

11: To create a new group policy, go to Run and type “gpedit.msc”. Navigate to Windows Settings > Security Policies > Public Key Policies, select Certificate Services Client-Auto Enrollment and right-click to open its properties.

12: Under Configuration Model select “Enabled” and select the options Renew expired certificates and Update certificates that use certificate templates. Click on Apply, then OK.

13: Now select “Certificate Services Client-Certificate Enrollment Policy” and right-click to open its properties. Under Configuration Model select Enabled and check the box in front of Active Directory Enrollment. Hit Apply, then OK.

We have now created the certificate template and selected the appropriate policies. In our next post we will see how to generate signed certificates for use in our vSphere Infrastructure.
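To confirm that the template from steps 1-10 and the autoenrollment policy from steps 11-13 actually produce the certificate described above, the following PowerShell check can be run on a domain member. It is an added example, not part of the original post; the template name is a placeholder, the 30-second wait is arbitrary, and it assumes PowerShell 3.0 or later in an elevated session.

```powershell
# Added example: run elevated on a domain-joined computer covered by the GPO.
$TemplateName    = 'LAB-TEMPLATE-NAME'     # placeholder: the name given in step 5
$TemplateInfoOid = '1.3.6.1.4.1.311.21.7'  # "Certificate Template Information" extension
$RequiredEku = @{
    '1.3.6.1.5.5.7.3.1' = 'Server Authentication'
    '1.3.6.1.5.5.7.3.2' = 'Client Authentication'
}

# Refresh computer policy, then ask the autoenrollment client to run now.
gpupdate /target:computer /force | Out-Null
certutil -pulse | Out-Null
Start-Sleep -Seconds 30    # arbitrary wait; enrollment runs asynchronously

$report = foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    # Keep only certificates whose template extension names our template.
    # Assumption: Windows resolves the template OID to its name on a domain member.
    $tmpl = $cert.Extensions | Where-Object { $_.Oid.Value -eq $TemplateInfoOid }
    if (-not $tmpl -or $tmpl.Format($false) -notlike "*$TemplateName*") { continue }

    # Collect the EKU OIDs actually present in the issued certificate.
    $ekuExt = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $present = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
    $missing = @($RequiredEku.Keys | Where-Object { $present -notcontains $_ } |
                 ForEach-Object { $RequiredEku[$_] })

    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        Thumbprint    = $cert.Thumbprint
        LifetimeYears = [math]::Round(($cert.NotAfter - $cert.NotBefore).TotalDays / 365, 1)
        MissingEku    = $missing -join ', '   # empty when both policies from step 7 are present
        HasPrivateKey = $cert.HasPrivateKey
    }
}

if (-not $report) {
    Write-Warning "No certificate from template '$TemplateName' in LocalMachine\My."
} else {
    $report | Format-List
}
```

A `LifetimeYears` value below the 5 years set on the template means the issuing CA is capping the lifetime, since a CA never issues a certificate that outlives its own configured maximum or its own CA certificate.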


About Alex Hunt

Hi all, I am Manish Jha. I am currently working in OVH US as Operations Support Engineer (vCloud Air Operations). I have around 7 years of IT experience and have exposure to VMware vSphere, vCloud Director, vSphere Replication, vRealize Automation, NSX and RHEL. If you find any post informational to you please press like and share it across social media and leave your comments if you want to discuss further on any post. Disclaimer: All the information on this website is published in good faith and for general information purposes only. I don’t make any warranties about the completeness, reliability and accuracy of this information. Any action you take upon the information you find on this blog is strictly at your own risk. The views and opinions published on this blog are my own and not the opinions of my employer or any of the vendors of the product discussed.
