In the first post in this series we installed the Windows 2012 R2 Root Certificate Authority. This second post details the configuration of the VMware-specific certificate template and the distribution of the Root CA certificate.
VMware Cert Template Creation
Launch the CA console: go to Server Manager \ Tools \ Certification Authority
Right click Certificate Templates and choose Manage
Highlight the Web Server Template and click Duplicate Template
Leave the Compatibility Settings as Windows 2003
Click on General and enter the name of your new template in the Template display name box and check your Validity period (I increased mine to 5 years, up from 2 years).
Click on Extensions and edit the Key Usage extension
Tick the two boxes highlighted in the screenshot above, then click OK
Click on the Application Policies
Click the Client Authentication policy, then click OK
Click the Request Handling tab and tick the Allow private key to be exported box. Click OK.
Close the Certificate Templates console.
Right click on Certificate Templates and click New and then Certificate Template to Issue
Scroll down to your new Template and click OK
You now have the VMware Certs template present in your list of Certificate Templates.
Root Certificate Distribution
Now that we have created the VMware Cert template we need to make sure that the Root CA certificate is distributed correctly. Because we installed an Enterprise Root CA on our Domain Controller, the root authority's certificate is automatically placed in every user's Trusted Root Certification Authorities certificate store. This means the distribution of the Root CA cert is taken care of by AD for all domain-joined devices.
To confirm that you have the correct certificates present, open certmgr.msc on a Windows OS and browse to the Trusted Root Certification Authorities folder. In the screenshot above you can see that there are two self-signed certificates for My-HomeLab in the Certificates folder. If you run certmgr.msc and don't see any new certificates present, you may have to wait a period of time and refresh the view (I had a couple of servers online; one got the updated certs quickly, the other took a while longer).
If you haven't installed an Enterprise Root CA, or it doesn't have the AD credentials needed to distribute the certificate, then you're going to have to use Group Policy to distribute your freshly minted Root certificate.
Click View Certificate
Click the Copy to File box to start the Certificate Export Wizard
Select Base-64 encoded X.509 (.CER)
Choose your file location and name and press Next
Run the Group Policy Management Console (gpmc.msc)
Navigate to Computer Configuration \ Policies \ Windows Settings \ Security Settings \ Public Key Policies \ Trusted Root Certification Authorities and right click
Browse to the location you saved the Root CA certificate earlier and click Next
You now have your certificate being distributed by Group Policy. If you want, you can either wait for the GPO to be applied automatically (the group policy refresh interval is 90 minutes with a random offset of 0 to 30 minutes) or force an update with gpupdate.
Once the policy has been refreshed you should see your Root certificate in the Trusted Root Certification Authorities list.
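The same export-and-verify steps from the command line, as an added PowerShell example that is not part of the original post: it locates the self-signed Root CA certificate in the machine's Trusted Root store (the My-HomeLab name is the post's; the script parameters and file path are assumptions), writes it out as Base-64 encoded X.509 (.CER), the format the GPO import expects, and checks that the exported file round-trips to the same thumbprint. Run it on a domain member after a Group Policy refresh to confirm the root has actually arrived.

```powershell
# Added example, not from the original post. Assumes the Root CA subject
# contains "My-HomeLab" (as in the post); override -CaNamePattern for your lab.
param(
    [string]$CaNamePattern = 'My-HomeLab',
    [string]$ExportPath    = "$env:TEMP\RootCA.cer"
)

# 1. Find the Root CA certificate in the local machine's Trusted Root store.
#    A root certificate is self-signed, so its Subject equals its Issuer;
#    filtering on that avoids picking up an intermediate with a similar name.
$roots = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "*$CaNamePattern*" -and $_.Subject -eq $_.Issuer }

if (-not $roots) {
    # Nothing yet: AD/GPO propagation has not reached this machine. Either wait
    # for the refresh interval described above or run "gpupdate /force" and retry.
    Write-Warning "No Trusted Root certificate matching '$CaNamePattern' found on $env:COMPUTERNAME."
    return
}

foreach ($c in $roots) {
    "{0}`n  Thumbprint: {1}`n  Valid:      {2:d} to {3:d}" -f $c.Subject, $c.Thumbprint, $c.NotBefore, $c.NotAfter
}

# 2. Export the longest-lived match as Base-64 X.509 (.CER). This is the same
#    PEM-style encoding the Certificate Export Wizard produces when you choose
#    "Base-64 encoded X.509"; line length differs slightly but both import fine.
$root = $roots | Sort-Object NotAfter -Descending | Select-Object -First 1
$b64  = [Convert]::ToBase64String($root.RawData, [Base64FormattingOptions]::InsertLineBreaks)
$pem  = "-----BEGIN CERTIFICATE-----`r`n$b64`r`n-----END CERTIFICATE-----`r`n"
Set-Content -Path $ExportPath -Value $pem -Encoding ASCII
"Exported $($root.Thumbprint) to $ExportPath"

# 3. Verify the file parses back to the identical certificate before you hand
#    it to the GPO import; a thumbprint mismatch means the export is corrupt.
$check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ExportPath
if ($check.Thumbprint -ne $root.Thumbprint) {
    throw "Exported file does not match the store certificate (thumbprint mismatch)."
}
"Round-trip OK: $($check.Subject)"
```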