Setup SSL Certificates For vSphere Lab-Part-2-Creating Certificate templates

In our last post, Setup SSL Certificate Authority For vSphere Lab, we saw how to add the CA server role to a Windows Server 2008 machine. In this post we will see how to generate certificates.

1: Launch Certificate Authority console from Administrative Tools.

2: Right-click Certificate Templates and click Manage.

3: Right-click the Windows Authentication template and select Duplicate Template.

4: Select Windows Server 2008 Enterprise and hit OK.

5: Give the new certificate template a name. Also we need to change some of the properties of the new template.

I have changed the validity period to 5 years and selected the Publish certificate in AD and Do not automatically reenroll options.

6: Go to the Security tab and change the “Domain Computers” permissions to allow Read and Autoenroll.

7: Go to the Extensions tab and change the Application Policies to include both Client and Server Authentication.

Select Application Policies and click on Edit.

Click the Add button to see the list of available policies.

From the Add Application Policy list select “Server Authentication” and click OK.

Once the Server Authentication policy is added, hit OK.

8: Under the Subject Name tab, select the UPN checkbox and hit Apply, then OK.

9: Now go back to the Certificate Authority MMC. Right-click the Certificate Templates folder and choose New > Certificate Template to Issue.

10: Select the certificate template that we have just created and hit OK.

Creating Group Policy

To enable computers to automatically grab the certificates we created and install them as trusted certificates, we have to create a group policy.

If you remember, during certificate template creation we selected “Autoenroll”. That doesn’t do anything until we configure a GPO that tells the computers to look for these certificates.

11: To create a new group policy, go to Run and type “gpedit.msc”. Navigate to Windows Settings > Security Policies > Public Key Policies, select Certificate Services Client-Auto Enrollment, and right-click to open its properties.

12: Under Configuration Model select “Enabled”, then select the options Renew expired certificates and Update certificates that use certificate templates. Click Apply, then OK.

13: Now select “Certificate Services Client-Certificate Enrollment Policy” and right-click to open its properties. Under Configuration Model select Enabled and check the box in front of Active Directory Enrollment. Hit Apply, then OK.
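
To confirm that the template and the auto-enrollment GPO from steps 1 to 13 actually produce the intended certificate, the following PowerShell check can be run on a domain-joined computer. It is an added example, not part of the original post; the template name is a placeholder for whatever name was chosen in step 5, and the 30-second wait is an assumption.

```powershell
# Added example (not from the original post). Run elevated on a domain-joined
# computer that receives the auto-enrollment GPO from steps 11-13.
$TemplateName    = 'REPLACE-WITH-TEMPLATE-NAME'  # placeholder: name chosen in step 5
$TemplateInfoOid = '1.3.6.1.4.1.311.21.7'        # Certificate Template Information
$EkuOid          = '2.5.29.37'                   # Enhanced Key Usage extension
$ServerAuth      = '1.3.6.1.5.5.7.3.1'           # Server Authentication
$ClientAuth      = '1.3.6.1.5.5.7.3.2'           # Client Authentication

# Refresh computer policy, then trigger an auto-enrollment pass.
gpupdate /target:computer /force | Out-Null
certutil -pulse | Out-Null
Start-Sleep -Seconds 30    # assumption: enrollment is asynchronous, adjust as needed

$report = foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    # Keep only certificates issued from our template. Format() shows the
    # template display name when the machine can resolve it from AD.
    $tpl = $cert.Extensions | Where-Object { $_.Oid.Value -eq $TemplateInfoOid }
    if (-not $tpl -or $tpl.Format($false) -notlike "*$TemplateName*") { continue }

    # Decode the EKU extension and collect its OIDs.
    $ekus = @()
    $raw = $cert.Extensions | Where-Object { $_.Oid.Value -eq $EkuOid }
    if ($raw) {
        $eku = New-Object System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension($raw, $raw.Critical)
        $ekus = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
    }

    New-Object PSObject -Property @{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        ValidDays     = [int](($cert.NotAfter - $cert.NotBefore).TotalDays)  # 5 years is about 1826
        ServerAuth    = $ekus -contains $ServerAuth
        ClientAuth    = $ekus -contains $ClientAuth
        HasPrivateKey = $cert.HasPrivateKey
    }
}

if (-not $report) {
    Write-Warning "No certificate from template '$TemplateName' in LocalMachine\My."
} else {
    $report | Format-List
    $bad = @($report | Where-Object { -not ($_.ServerAuth -and $_.ClientAuth) })
    if ($bad.Count) { Write-Warning 'A certificate is missing Server or Client Authentication.' }
}
```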

Now we have created certificates and selected the appropriate policies. In our next post we will see how to generate signed certificates for use in our vSphere Infrastructure.
