Before you use the Microsoft Certificate Authority with the pre-configured template, it is recommended that you configure least-privilege access to Microsoft Active Directory Certificate Services by using a dedicated Active Directory user account as a restricted service account.

Prerequisites

  • Create a user account in Active Directory that is a member of Domain Users, for example svc-vcf-ca.

Procedure

  1. Log in to the Microsoft Certificate Authority server by using a Remote Desktop Protocol (RDP) client.

    Setting     Value
    FQDN        Active Directory Host
    User        Active Directory administrator
    Password    ad_admin_password

  2. Configure least privilege access for a user account on the Microsoft Certificate Authority.
    1. Click Start > Run, enter certsrv.msc, and click OK.
    2. Right-click the certificate authority server and click Properties.
    3. Click the Security tab, and click Add.
    4. Enter the name of the user account and click OK.
    5. In the Permissions for .... section configure the permissions and click OK.

      Setting                          Value (Allow)
      Read                             Deselected
      Issue and Manage Certificates    Selected
      Manage CA                        Deselected
      Request Certificates             Selected

  3. Configure least privilege access for the user account on the Microsoft Certificate Authority Template.
    1. Click Start > Run, enter certtmpl.msc, and click OK.
    2. Right-click the VMware template and click Properties.
    3. Click the Security tab, and click Add.
    4. Enter the svc-vcf-ca service account and click OK.
    5. In the Permissions for .... section configure the permissions and click OK.

      Setting         Value (Allow)
      Full Control    Deselected
      Read            Selected
      Write           Deselected
      Enroll          Selected
      Autoenroll      Deselected
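The template permissions set in step 3 are stored as an ACL on the template object in the Configuration partition, so they can be audited from PowerShell after the GUI steps. The following check is an added example, not part of the original procedure; it assumes the ActiveDirectory module is installed, that the caller can read the Configuration partition, and that $TemplateName holds the template's internal CN (a placeholder here, not the page's template name). It verifies only the template ACL from step 3, not the CA-level permissions from step 2.

```powershell
# Added verification example; not part of the original procedure.
# Assumes the ActiveDirectory PowerShell module, read access to the Configuration
# partition, and that $TemplateName is the template's internal CN (not its display name).
param(
    [string]$TemplateName   = 'VMwareTemplate',   # placeholder; substitute the real template CN
    [string]$ServiceAccount = 'svc-vcf-ca'        # service account from the prerequisites
)
Import-Module ActiveDirectory

# Well-known extended-right GUIDs that appear in certificate template ACEs
$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoEnrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'
$R = [System.DirectoryServices.ActiveDirectoryRights]

$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# Only Allow ACEs granted directly to the account; rights inherited via groups are not resolved here
$aces = (Get-Acl -Path "AD:\$templateDN").Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -like "*\$ServiceAccount"
}

function Test-Right($Flag) {
    # True when some ACE contains every bit of $Flag (so Read does not satisfy Full Control)
    [bool]($aces | Where-Object { ($_.ActiveDirectoryRights -band $Flag) -eq $Flag })
}
function Test-ExtendedRight($Guid) {
    # An ExtendedRight ACE with an empty ObjectType grants all extended rights, so it counts too
    [bool]($aces | Where-Object {
        ($_.ActiveDirectoryRights -band $R::ExtendedRight) -ne 0 -and
        ($_.ObjectType -eq $Guid -or $_.ObjectType -eq [guid]::Empty)
    })
}

# Expected state from the step 3 table: Read and Enroll selected, everything else deselected
$state = [ordered]@{
    'Read'         = Test-Right $R::ReadProperty
    'Enroll'       = Test-ExtendedRight $EnrollGuid
    'Full Control' = Test-Right $R::GenericAll
    'Write'        = (Test-Right $R::WriteProperty) -or (Test-Right $R::WriteDacl) -or (Test-Right $R::WriteOwner)
    'Autoenroll'   = Test-ExtendedRight $AutoEnrollGuid
}
$state
$compliant = $state.Read -and $state.Enroll -and
             -not ($state.'Full Control' -or $state.Write -or $state.Autoenroll)
"Template '$TemplateName' least-privilege check for $ServiceAccount : " + $(if ($compliant) { 'PASS' } else { 'FAIL' })
```

A FAIL with Write or Full Control set means the account could modify the template itself, which is a larger privilege than the enrollment the procedure intends to grant.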