Before you can generate and install certificates, you must configure a certificate authority (CA).
- Verify that the Microsoft Certificate Authority Server has the correct roles installed. See Install Microsoft Certificate Authority Roles.
- Verify the Microsoft Certificate Authority Server has been configured for basic authentication. See Configure the Microsoft Certificate Authority for Basic Authentication.
- Verify a valid certificate template has been configured on the Microsoft Certificate Authority. See Create and Add a Microsoft Certificate Authority Template.
- Verify that a least-privileged service account has been configured on the Microsoft Certificate Authority Server and Template. See Assign Certificate Management Privileges to the SDDC Manager Service Account.
- Verify that time is synchronized between the Microsoft Certificate Authority and the SDDC Manager appliance. Each system can be configured with a different timezone, but it is recommended that they receive their time from the same NTP source.
Note: If the CA Web server and CA are on different machines, you must perform the steps mentioned in https://blogs.technet.microsoft.com/askds/2009/04/22/how-to-configure-the-windows-server-2008-ca-web-enrollment-proxy/ in addition to the following steps.
- Navigate to to open the Configure Certificate Authority page.
- Click Edit and complete the following configuration settings.

| Option | Description |
| --- | --- |
| Certificate Authority | Select the CA from the drop-down menu. The default is Microsoft. |
| CA Server URL | Specify the URL for the CA address server. This address must begin with https:// and end with certsrv, for example https://www.mymicrosoftca.com/certsrv |
| Username | Provide a valid user name to enable access to the address server. |
| Password | Provide a valid password to enable access to the address server. |
| Template Name | Enter the certsrv template name. You must create this template in Microsoft Certificate Authority. |

- Click Save.
A dialog box appears, asking you to review and confirm the CA server certificate details.
- Click Accept to complete the configuration.
The Microsoft CA is now available for use in generating and installing a certificate.
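
The URL format and time synchronization requirements above can be checked before the values are entered. The following is an added example, not part of the product or its documentation: the function names and the 300-second tolerance are assumptions, and the skew result is only meaningful when run on a host whose clock matches the SDDC Manager appliance.

```python
# Added example; function names and MAX_SKEW_SECONDS are assumptions.
import ssl
import urllib.error
import urllib.request
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit

MAX_SKEW_SECONDS = 300  # assumed tolerance, not a documented product limit

def check_ca_url(url):
    """Return a list of problems with the CA Server URL (empty list = OK)."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("URL must begin with https://")
    if not parts.hostname:
        problems.append("URL has no host name")
    if parts.username or parts.password:
        problems.append("put credentials in Username/Password, not the URL")
    if not parts.path.endswith("/certsrv") or parts.query or parts.fragment:
        problems.append("URL must end with certsrv")
    return problems

def clock_skew_seconds(date_header, local_now=None):
    """Local clock minus the CA's HTTP Date header, in seconds."""
    remote = parsedate_to_datetime(date_header)
    if remote.tzinfo is None:  # "-0000" parses as naive; HTTP dates are UTC
        remote = remote.replace(tzinfo=timezone.utc)
    return ((local_now or datetime.now(timezone.utc)) - remote).total_seconds()

def fetch_ca_date_header(url, timeout=10):
    """HEAD the CA URL with normal TLS verification and return its Date header.
    A 401 (basic authentication) still carries it; an untrusted cert raises URLError."""
    request = urllib.request.Request(url, method="HEAD")
    ctx = ssl.create_default_context()
    try:
        with urllib.request.urlopen(request, timeout=timeout, context=ctx) as resp:
            return resp.headers.get("Date")
    except urllib.error.HTTPError as err:
        return err.headers.get("Date")

def preflight(url, date_header, local_now=None):
    problems = check_ca_url(url)
    if not date_header:
        problems.append("CA web server returned no Date header")
    elif abs(clock_skew_seconds(date_header, local_now)) > MAX_SKEW_SECONDS:
        problems.append("clock differs from the CA by more than %d s" % MAX_SKEW_SECONDS)
    return problems
```

Call `preflight(url, fetch_ca_date_header(url))` against the real CA; an empty list means both checks passed.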