You create a Microsoft Certificate Authority Template to contain the certificate authority (CA) attributes for signing certificates for the management products in the Consolidated SDDC.
About this task
This VMware Validated Design sets the CA up on both Active Directory (AD) servers: the main domain dc01rpl.rainpole.local (root CA) and the subdomain dc01sfo.sfo01.rainpole.local (the intermediate CA).
Creating a certificate authority template for this VMware Validated Design includes the following operations:
Set up a Microsoft Certificate Authority template.
Add the new template to the certificate templates of the Microsoft CA.
Verify that you installed Microsoft Server 2012 R2 VMs with Active Directory Domain Services enabled.
Verify that the Certificate Authority Service role and the Certificate Authority Web Enrolment role is installed and configured on both Active Directory Server.
Verify that dc01sfo.sfo01.rainpole.local has been set up to be the intermediate CA of the root CA dc01rpl.rainpole.local.
Use a hashing algorithm of SHA-2 or higher on the certificate authority.
- Log in to the following AD server by using a Remote Desktop Protocol (RDP) client.
If you use the intermediate CA, connect to dc01sfo.sfo01.rainpole.local.
If you use only the root CA, connect dc01rpl.rainpole.local.
Active Directory administrator
- Click Windows OK. , enter certtmpl.msc, and click
- In the Certificate Template Console, under Template Display Name, right-click Web Server and click Duplicate Template.
- In the Duplicate Template window, leave Windows Server 2003 Enterprise selected for backward compatibility and click OK.
- In the Properties of New Template dialog box, click the General tab.
- In the Template display name text box, enter VMware as the name of the new template.
- Click the Extensions tab and specify extensions information:
- Select Application Policies and click Edit.
- Select Server Authentication, click Remove, and click OK.
- Select Key Usage and click Edit.
- Select the Signature is proof of origin (nonrepudiation) check box.
- Leave the default for all other options.
- Click OK.
- Click the Subject Name tab, ensure that the Supply in the request option is selected, and click OK to save the template.
- To add the new template to your CA, click Windows OK. , enter certsrv.msc, and click
- In the Certification Authority window, expand the left pane if it is collapsed.
- Right-click Certificate Templates and select .
- In the Enable Certificate Templates dialog box, select the VMware certificate that you just created in the Name column and click OK.