As a part of the certificate replacement process, you submit Certificate Signing Requests (CSRs) to the intermediate Certificate Authority (CA) server. You then replace the VMCA-signed or self-signed certificates with CA-signed certificates. 

About this task

This VMware Validated Design uses a Microsoft Certificate Authority server, however other Certificate Authorities can also be used. 

  • The first step is setting up a Microsoft Certificate Authority template through a Remote Desktop Protocol session. 

  • After you have created the new template, you it to the certificate templates of the Microsoft Certificate Authority. 


This VMware Validated Design sets up the CA on the Active Directory (AD) server dc01sfo.sfo01.rainpole.local, which is running Microsoft Windows Server 2012 R2. 

  • Verify that you installed Microsoft Server 2012 R2 with Active Directory Services enabled.

  • Verify that your AD Server is installed and configured with the Certificate Authority Service role and the Certificate Authority Web Enrolment role.

If a different Microsoft CA already exists in your environment, you can use that CA instead. 


  1. Use Remote Desktop Protocol to connect to the CA server dc01sfo.sfo01.rainpole.local as the AD administrator with the ad_admin_password password.
  2. Click Start > Run, type certtmpl.msc, and click OK
  3. In the Certificate Template Console, under Template Display Name, right-click Web Server and click Duplicate Template.
  4. In the Duplicate Template window, leave Windows Server 2003 Enterprise selected for backward compatibility and click OK
  5. In the Properties of New Template dialog box, click the General tab.
  6. In the Template display name text box, enter VMware as the name of the new template.
  7. Click the Extensions tab and specify extensions information:
    1. Select Application Policies and click Edit.
    2. Select Server Authentication, click Remove, and click OK.
    3. Select Key Usage and click Edit.
    4. Click the Signature is proof of origin (nonrepudiation) check box.
    5. Leave the default for all other options.
    6. Click OK.
  8. Click the Subject Name tab, ensure that the Supply in the request option is selected, and click OK to save the template.
  9. To add the new template to your CA, click Start > Run, type certsrv.msc, and click OK.
  10. In the Certification Authority window, expand the left pane if it is collapsed. 
  11. Right-click Certificate Templates and select New > Certificate Template to Issue.
  12. In the Enable Certificate Templates dialog box, in the Name column, select the VMware certificate that you just created and click OK.