Creating the VMware SSL Cert Template

In the first post in this series we installed the Windows 2012 R2 Root Certificate Authority. This second post covers the configuration of the VMware-specific certificate template and the distribution of the Root CA certificate to the machines that need to trust it.

VMware Cert Template Creation


Launch the CA console: in Server Manager go to Tools \ Certification Authority


Right click Certificate Templates and choose Manage


Highlight the Web Server Template and click Duplicate Template


Leave the Compatibility Settings as Windows Server 2003; this keeps the duplicate as a version 2 template


Click on General and enter the name of your new template in the Template display name box, then check the Validity period (I increased mine to 5 years, up from 2 years). Be aware that the CA silently caps whatever you set here: an issued certificate gets the shortest of the template validity, the CA's own ValidityPeriodUnits registry setting (2 years by default; check it with certutil -getreg ca\ValidityPeriodUnits) and the remaining lifetime of the CA certificate, so a 5-year template on a default CA still yields 2-year certificates until that registry value is raised.


Click on Extensions, select the Key Usage extension and click Edit

Tick the two Key Usage boxes highlighted in the post's screenshot, then click OK


Still on the Extensions tab, select Application Policies and click Edit

Click Add

Select the Client Authentication policy and click OK. The Web Server template you duplicated already carries Server Authentication, so the finished template issues certificates with both Extended Key Usages

Click OK to close the Application Policies dialog


Click the Request Handling tab and tick the Allow private key to be exported box, then click OK. Exporting has to be allowed because the certificate and its private key will be issued on the Windows side and then moved as PEM files to the VMware products. That makes the machine on which the key is generated a sensitive system: anyone who can read an exported key can impersonate the service it belongs to, so protect any PFX with a strong password and remove the key from the request machine once it is installed on its target.


Before closing, check the Security tab. The duplicate inherits the Web Server template's permissions (Enroll for Domain Admins and Enterprise Admins only). Because this template lets the requester supply the subject name and now carries Client Authentication, anyone with Enroll rights can obtain a certificate for a subject and SAN of their choosing that is valid for client authentication, so do not widen Enroll beyond the accounts that actually request VMware certificates. Then close the Certificate Templates console.


Back in the Certification Authority console, right-click Certificate Templates, click New and then Certificate Template to Issue


Scroll down to your new Template and click OK


You now have the VMware Certs template present in your list of Certificate Templates.
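Rather than trusting that every dialog was clicked correctly, you can read the template back out of Active Directory and decode what was actually stored. The PowerShell below is an added example, not code from the original post: it looks up the template by display name in the Configuration partition, decodes the key usage bits, application policy OIDs, exportable-key flag and validity period, and asks certutil whether the CA lists the template as issuable. It assumes the display name "VMware Certs" (pass your own), the RSAT ActiveDirectory module, and that it runs on the CA itself (otherwise add -config "CAHost\CAName" to the certutil call).

```powershell
# Added example: verify the VMware certificate template as published in AD.
# Assumptions: display name "VMware Certs", ActiveDirectory module available,
# run on the CA (add -config "CAHost\CAName" to certutil if run elsewhere).
param([string]$TemplateDisplayName = 'VMware Certs')

Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$tplBase  = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$tpl = Get-ADObject -SearchBase $tplBase `
        -LDAPFilter "(&(objectClass=pKICertificateTemplate)(displayName=$TemplateDisplayName))" `
        -Properties pKIKeyUsage, pKIExtendedKeyUsage, 'msPKI-Private-Key-Flag', `
                    pKIExpirationPeriod, 'msPKI-Template-Schema-Version'
if (-not $tpl) { throw "Template '$TemplateDisplayName' not found in AD" }

# pKIKeyUsage is an X.509 KeyUsage bit string: first byte, most significant bit first.
$kuNames = 'DigitalSignature','NonRepudiation','KeyEncipherment','DataEncipherment',
           'KeyAgreement','KeyCertSign','CrlSign','EncipherOnly'
$ku    = [int]([byte[]]$tpl.pKIKeyUsage)[0]
$kuSet = for ($i = 0; $i -lt 8; $i++) { if ($ku -band (0x80 -shr $i)) { $kuNames[$i] } }

# Extended Key Usage OIDs; anything not in the map is shown raw.
$ekuMap = @{ '1.3.6.1.5.5.7.3.1' = 'Server Authentication'
             '1.3.6.1.5.5.7.3.2' = 'Client Authentication' }
$eku = @($tpl.pKIExtendedKeyUsage) | ForEach-Object {
    if ($ekuMap.ContainsKey($_)) { $ekuMap[$_] } else { $_ } }

# msPKI-Private-Key-Flag bit 0x10 is CT_FLAG_EXPORTABLE_KEY ("Allow private key to be exported").
$exportable = [bool]([int]$tpl.'msPKI-Private-Key-Flag' -band 0x10)

# pKIExpirationPeriod is a negative interval in 100-nanosecond units (FILETIME style).
$validityDays = -[BitConverter]::ToInt64([byte[]]$tpl.pKIExpirationPeriod, 0) / 10000000 / 86400

# certutil -CATemplates prints one "Name: Display Name -- ..." line per issuable template.
$issuable = [bool]((certutil -CATemplates 2>$null) -match "^$([regex]::Escape($tpl.Name)):")

[pscustomobject]@{
    Template      = $tpl.Name
    SchemaVersion = $tpl.'msPKI-Template-Schema-Version'   # 2 = Windows Server 2003 compatibility
    KeyUsage      = $kuSet -join ', '
    EKU           = $eku -join ', '
    ExportableKey = $exportable
    ValidityDays  = [math]::Round($validityDays)
    IssuableOnCA  = $issuable
}
```

If EKU does not list both Server Authentication and Client Authentication, ExportableKey is False, or IssuableOnCA is False, one of the steps above was missed; the template in AD is what the CA enforces, not what the dialog appeared to show.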

Root Certificate Distribution

Now that the template exists we need to make sure the Root CA certificate is trusted everywhere it will be checked. Because we installed an Enterprise (AD-integrated) Root CA on the Domain Controller, the CA's certificate is published into Active Directory, and every domain-joined computer pulls it into its machine Trusted Root Certification Authorities store at the next policy refresh. Distribution to domain members is therefore handled for you; anything not joined to the domain still needs the root certificate installed by hand.


To confirm that the certificate is present, open certmgr.msc on a domain-joined Windows machine and browse to Trusted Root Certification Authorities \ Certificates (certlm.msc shows the machine store directly, which is where the AD-published root lands). In my lab there were two self-signed certificates for My-HomeLab in that folder. If you run certmgr.msc and don't see any new certificates, wait a while and refresh the view: I had a couple of servers online, one picked up the certificate quickly and the other took noticeably longer.

If you installed a Standalone Root CA instead of an Enterprise one, or the CA is otherwise unable to publish into Active Directory, nothing places the root certificate on your domain members automatically, and you will have to use Group Policy to distribute your freshly minted Root certificate.

In the Certification Authority console right-click the CA, choose Properties and, on the General tab, click View Certificate


On the Details tab click Copy to File to start the Certificate Export Wizard

Click Next

Select Base-64 encoded X.509 (.CER). This is the PEM encoding that the VMware side and most non-Windows tooling expect, and it contains only the public certificate

Choose your file location and name and press Next

Click Finish

Click OK

Run the Group Policy Management Console (gpmc.msc) and edit a GPO that applies to the computers that need the root certificate (a dedicated GPO linked at the domain level is easier to audit than editing the Default Domain Policy)

Navigate to Computer Configuration \ Policies \ Windows Settings \ Security Settings \ Public Key Policies \ Trusted Root Certification Authorities and right-click it

Click Import

Click Next

Browse to the location you saved the Root CA certificate earlier and click Next

Click Next

Click Finish

Click OK

Your root certificate is now distributed by Group Policy. You can either wait for the automatic refresh (domain members refresh computer policy every 90 minutes plus a random offset of 0 to 30 minutes; domain controllers refresh every 5 minutes) or force it on a client with gpupdate /force.

Once the policy has been refreshed you should see your Root certificate in the Trusted Root Certification Authorities list.
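The export wizard and the certmgr check can both be scripted, which is useful when you have more than a handful of machines to verify. The PowerShell below is an added example, not code from the original post: it pulls the CA's own certificate with certutil, re-encodes it as Base-64 X.509 (the same format the wizard produced), confirms it is self-signed, and then reports whether that exact thumbprint is in the local machine Trusted Root store and whether it arrived through Active Directory publication (Enterprise CA) or through Group Policy. The CA config string and the output path are placeholders for your environment; run it on any domain member you want to check.

```powershell
# Added example: export the Root CA certificate as Base-64 and verify how it reached this machine.
# Assumptions: CA config string and output path below are placeholders; certutil is present
# (it is on every supported Windows version) and the CA is reachable over RPC.
param(
    [string]$CaConfig = 'CA01.homelab.local\My-HomeLab-CA',
    [string]$OutFile  = 'C:\Temp\My-HomeLab-Root.cer'
)

# 1. Fetch the CA certificate (DER) and re-encode it as Base-64 X.509 / PEM.
$der = Join-Path $env:TEMP 'ca-root.der'
certutil -config $CaConfig -ca.cert $der | Out-Null
certutil -encode $der $OutFile | Out-Null
Remove-Item $der -Force

$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($OutFile)
# A root CA certificate is self-signed; anything else means the wrong certificate was pulled.
if ($root.Subject -ne $root.Issuer) { throw "Not a self-signed root: issued by $($root.Issuer)" }
"Root CA: $($root.Subject)  SHA1: $($root.Thumbprint)  expires: $($root.NotAfter)"

# 2. Cert:\LocalMachine\Root is the merged logical store; presence here is what TLS clients see.
$trusted = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $root.Thumbprint
if (-not $trusted) {
    Write-Warning 'Root not yet in the machine Trusted Root store; wait for policy refresh or run gpupdate /force'
    return
}

# 3. certutil can read each physical store separately, so we can tell which channel delivered it.
#    Older certutil prints the hash with spaces between bytes; strip anything non-hex before comparing.
function Get-StoreThumbprints([string[]]$CertutilArgs) {
    (& certutil @CertutilArgs -store Root) | ForEach-Object {
        if ($_ -match 'Cert Hash\(sha1\):\s*(.+)$') {
            ($Matches[1] -replace '[^0-9A-Fa-f]', '').ToUpper()
        }
    }
}
$viaAd  = (Get-StoreThumbprints @('-enterprise'))  -contains $root.Thumbprint
$viaGpo = (Get-StoreThumbprints @('-grouppolicy')) -contains $root.Thumbprint

[pscustomobject]@{
    Thumbprint      = $root.Thumbprint
    PublishedFromAD = $viaAd    # Enterprise CA publication picked up from the domain
    PushedByGPO     = $viaGpo   # Trusted Root Certification Authorities policy from a GPO
}
```

Comparing on the thumbprint rather than the subject name matters: a CA that has been reinstalled or renewed with a new key has the same subject but a different certificate, and clients trusting the old one will reject everything the new CA issues.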
