Installing the Home Lab – VMware Certificates – Part Two

28th November 2013, by Simon

In the first post in this series we installed the Windows 2012 R2 Root Certificate Authority. This second post details the configuration of the VMware-specific certificate template and the distribution of the Root CA certificate.

VMware Cert Template Creation

Launch the CA console: go to Server Manager \ Tools \ Certification Authority.

Right click Certificate Templates and choose Manage

Highlight the Web Server Template and click Duplicate Template

Leave the Compatibility Settings as Windows 2003

Click on General and enter the name of your new template in the Template display name box and check your Validity period (I increased mine to 5 years, up from 2 years).

Click on Extensions and edit the Key Usage extension

Tick the two boxes highlighted in the screenshot, then click OK

Click on the Application Policies

Click Add

Click the Client Authentication policy then click OK

Click OK

Click the Request Handling tab and tick the Allow private key to be exported box. Click OK

Close the Template Console down

Right click on Certificate Templates and click New and then Certificate Template to Issue

Scroll down to your new Template and click OK

You now have the VMware Certs template present in your list of Certificate Templates.
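Once the template is published, the settings chosen in the wizard live as attributes on the template object in the Configuration partition, so they can be read back and checked without clicking through the console. The script below is an added example for this post (not the author's own code): it reads the duplicated template from AD and reports the extended key usages, the Key Usage bits, the exportable-private-key flag, the validity period and whether a CA has the template published. It assumes the RSAT ActiveDirectory module on a domain-joined machine; the template display name "VMware Certs" is taken from the post and the OID constants are the standard Server Authentication and Client Authentication EKUs.

```powershell
# Added example, not part of the original post. Verifies the duplicated Web Server
# template in AD and confirms it is published on a CA. Assumes RSAT ActiveDirectory.
param([string]$TemplateName = 'VMware Certs')   # display name used in the post; adjust to yours

Import-Module ActiveDirectory
$configNC    = (Get-ADRootDSE).configurationNamingContext
$templatesDN = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$tpl = Get-ADObject -SearchBase $templatesDN -LDAPFilter "(displayName=$TemplateName)" `
    -Properties 'pKIExtendedKeyUsage','pKIKeyUsage','msPKI-Private-Key-Flag',
                'msPKI-Certificate-Name-Flag','pKIExpirationPeriod'
if (-not $tpl) { throw "Template '$TemplateName' not found under $templatesDN" }

# Extended Key Usage OIDs: the post adds Client Authentication to the Web Server default
$serverAuth = '1.3.6.1.5.5.7.3.1'
$clientAuth = '1.3.6.1.5.5.7.3.2'
$ekus = @($tpl.pKIExtendedKeyUsage)

# pKIKeyUsage is the X.509 KeyUsage bit string; first byte holds
# digitalSignature (0x80), keyEncipherment (0x20) and dataEncipherment (0x10)
$ku = if ($tpl.pKIKeyUsage) { [int]$tpl.pKIKeyUsage[0] } else { 0 }

# CT_FLAG_EXPORTABLE_KEY (0x10) is the "Allow private key to be exported" tick box.
# An exportable key is what lets you move the cert to ESXi/vCenter, and also what
# makes the CA-issued key copyable from any machine that holds it: guard those hosts.
$exportable = ($tpl.'msPKI-Private-Key-Flag' -band 0x10) -ne 0

# CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT (0x1) is inherited from Web Server: the requester
# chooses the subject, so the template's enrollment ACL decides who may do that.
$supplySubject = ($tpl.'msPKI-Certificate-Name-Flag' -band 0x1) -ne 0

# pKIExpirationPeriod is a negative Int64 count of 100 ns intervals
$validityDays = -[BitConverter]::ToInt64([byte[]]$tpl.pKIExpirationPeriod, 0) / 864000000000

# "Certificate Template to Issue" adds the template cn to the CA's certificateTemplates list
$esDN = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"
$cas  = Get-ADObject -SearchBase $esDN -LDAPFilter '(objectClass=pKIEnrollmentService)' `
            -Properties certificateTemplates
$publishedOn = $cas | Where-Object { $_.certificateTemplates -contains $tpl.Name } |
               Select-Object -ExpandProperty Name

[pscustomobject]@{
    Template            = $tpl.Name
    ServerAuthEKU       = $ekus -contains $serverAuth
    ClientAuthEKU       = $ekus -contains $clientAuth
    DigitalSignature    = ($ku -band 0x80) -ne 0
    KeyEncipherment     = ($ku -band 0x20) -ne 0
    DataEncipherment    = ($ku -band 0x10) -ne 0
    ExportablePrivKey   = $exportable
    EnrolleeSuppliesSubject = $supplySubject
    ValidityDays        = $validityDays
    PublishedOnCA       = if ($publishedOn) { $publishedOn -join ', ' } else { '(not published)' }
}
```

Run it on the CA or any domain member with RSAT; ServerAuthEKU, ClientAuthEKU and PublishedOnCA should all come back true or with the CA's name if the steps above were followed. Keep the ExportablePrivKey and EnrolleeSuppliesSubject lines in mind when you later decide which users and groups get Enroll rights on this template.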

Root Certificate Distribution

Now that we have created the VMware Cert template we need to make sure that the Root CA certificate is distributed correctly. As we have used an Enterprise Root CA on our Domain Controller, the root authority's certificate will automatically be placed in all users' Trusted Root Certification Authorities certificate stores. This means the distribution of the Root CA certificate is taken care of by AD for all domain-joined devices.

To confirm that you have the correct certificates present, open certmgr.msc on a Windows machine and browse to Trusted Root Certification Authorities. In the screenshot you can see two self-signed certificates for My-HomeLab in the Certificates folder. If you run certmgr.msc and don't see any new certificates, you may have to wait a while and refresh the view (I had a couple of servers online; one got the updated certs quickly, the other took a while longer).
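The certmgr.msc check above matches certificates by name, and two entries called My-HomeLab are not necessarily the same certificate. The script below is an added example for this post (not the author's own code) that does the same check by thumbprint: it pulls the CA certificate(s) the Enterprise CA published to the Certification Authorities container in AD, confirms each is present in the local machine's Trusted Root store, and lists any local root that carries a published CA's subject but a thumbprint AD does not publish. It assumes the RSAT ActiveDirectory module on a domain-joined machine.

```powershell
# Added example, not part of the original post. Compares the root certificate(s) the
# Enterprise CA published to Active Directory with the local machine's Trusted Root store.
Import-Module ActiveDirectory

$configNC    = (Get-ADRootDSE).configurationNamingContext
$caContainer = "CN=Certification Authorities,CN=Public Key Services,CN=Services,$configNC"

# Every certificationAuthority object here is what AD auto-publishes to domain members
$published = foreach ($obj in Get-ADObject -SearchBase $caContainer `
                 -LDAPFilter '(objectClass=certificationAuthority)' -Properties cACertificate) {
    foreach ($raw in $obj.cACertificate) {
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$raw)
    }
}
if (-not $published) { throw "No CA certificates published under $caContainer" }

$localRoot = Get-ChildItem Cert:\LocalMachine\Root

# 1. Is each AD-published root present locally? Match on thumbprint, never on the name.
foreach ($cert in $published) {
    [pscustomobject]@{
        Subject     = $cert.Subject
        Thumbprint  = $cert.Thumbprint
        NotAfter    = $cert.NotAfter
        InLocalRoot = [bool]($localRoot | Where-Object Thumbprint -eq $cert.Thumbprint)
    }
}

# 2. Local roots with a published CA's subject but an unpublished thumbprint, e.g. left
#    over from an earlier CA install. Review these rather than trusting them on sight.
$pubThumbs   = @($published.Thumbprint)
$pubSubjects = @($published.Subject | Select-Object -Unique)
$localRoot |
    Where-Object { $pubSubjects -contains $_.Subject -and $pubThumbs -notcontains $_.Thumbprint } |
    ForEach-Object { "Unpublished local root with CA subject: $($_.Subject) [$($_.Thumbprint)]" }
```

If the first table shows InLocalRoot as False on a freshly joined machine, that is the delay the post mentions; rerun after a while or after gpupdate. Anything printed by the second part is a certificate AD did not put there.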

If you haven't installed an Enterprise Root CA, or it doesn't have the AD credentials needed to distribute the certificate, then you're going to have to use Group Policy to distribute your freshly minted Root certificate.

Click View Certificate

Click Copy to File to start the Certificate Export Wizard

Click Next

Select Base-64 encoded X.509 (.CER)

Choose your file location and name and press Next

Click Finish

Click OK

Run the Group Policy Management Console (gpmc.msc)

Navigate to Computer Configuration \ Policies \ Windows Settings \ Security Settings \ Public Key Policies \ Trusted Root Certification Authorities and right click

Click Import

Click Next

Browse to the location you saved the Root CA certificate earlier and click Next

Click Next

Click Finish

Click OK

Your Root certificate is now being distributed by Group Policy. You can either wait for the policy to refresh automatically (the Group Policy refresh interval is 90 minutes with a random offset of 0 to 30 minutes) or force an update with gpupdate.

Once the policy has been refreshed you should see your Root certificate in the Trusted Root Certification Authorities list.
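The export-then-verify part of the Group Policy route can be scripted, which is handy when you have more than one client to check. The two functions below are an added example for this post (not the author's own code): Export-RootCaCert reproduces the Certificate Export Wizard step on the CA (Base-64 encoded X.509 .CER, the format chosen above), and Test-GpoRootDelivery forces the refresh on a domain member and confirms the root arrived through the Trusted Root Certification Authorities policy rather than by a manual import. It needs the PKI module (Windows 8 / Server 2012 or later); the CA name is the post's and the output path is a placeholder.

```powershell
# Added example, not part of the original post. Run Export-RootCaCert on the CA and
# Test-GpoRootDelivery on a domain member after the GPO from the post is linked.

function Export-RootCaCert {
    param(
        [string]$CaNameMatch = 'My-HomeLab',                  # substring of the CA's subject
        [string]$OutFile     = 'C:\Temp\My-HomeLab-Root.cer'  # placeholder; folder must exist
    )
    # Newest self-signed certificate whose subject matches the CA name
    $root = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like "*$CaNameMatch*" -and $_.Subject -eq $_.Issuer } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $root) { throw "No self-signed root matching '$CaNameMatch' in Cert:\LocalMachine\Root" }

    # Export-Certificate writes DER; certutil -encode wraps it as Base-64 (PEM) .cer,
    # the same format as "Base-64 encoded X.509 (.CER)" in the wizard
    $der = [System.IO.Path]::ChangeExtension($OutFile, '.der')
    Export-Certificate -Cert $root -FilePath $der -Type CERT | Out-Null
    certutil -encode $der $OutFile | Out-Null
    Remove-Item $der
    return $root.Thumbprint   # record this; it is what the clients are checked against
}

function Test-GpoRootDelivery {
    param([Parameter(Mandatory)][string]$Thumbprint)
    gpupdate /target:computer /force | Out-Null   # instead of waiting up to 90 (+0-30) minutes

    # Roots pushed by the Trusted Root Certification Authorities policy are written under
    # this key, named by thumbprint; a root imported by hand does not appear here.
    $policyKey = "HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\$Thumbprint"
    [pscustomobject]@{
        Thumbprint     = $Thumbprint
        DeliveredByGpo = Test-Path $policyKey
        InTrustedRoot  = [bool](Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $Thumbprint)
    }
}

# Usage: on the CA        $tp = Export-RootCaCert
#        on each client   Test-GpoRootDelivery -Thumbprint $tp
```

Checking by thumbprint rather than by the My-HomeLab name is deliberate: it proves that the certificate in the client's store is the one you exported, and the registry check tells you which delivery path put it there.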