You create a Microsoft Certificate Authority Template to contain the certificate authority (CA) attributes for signing certificates for the management products in the Consolidated SDDC.

About this task

This VMware Validated Design sets the CA up on both Active Directory (AD) servers: the main domain dc01rpl.rainpole.local (root CA) and the subdomain dc01sfo.sfo01.rainpole.local (the intermediate CA).

Creating a certificate authority template for this VMware Validated Design includes the following operations:

  1. Set up a Microsoft Certificate Authority template. 

  2. Add the new template to the certificate templates of the Microsoft CA. 

Prerequisites

  • Verify that you installed Microsoft Server 2012 R2 VMs with Active Directory Domain Services enabled.

  • Verify that the Certificate Authority Service role and the Certificate Authority Web Enrolment role is installed and configured on both Active Directory Server.

  • Verify that dc01sfo.sfo01.rainpole.local has been set up to be the intermediate CA of the root CA dc01rpl.rainpole.local.

  • Use a hashing algorithm of SHA-2 or higher on the certificate authority.

Procedure

  1. Log in to the following AD server by using a Remote Desktop Protocol (RDP) client.

    Setting

    Value

    FQDN

    • If you use the intermediate CA, connect to dc01sfo.sfo01.rainpole.local.

    • If you use only the root CA, connect dc01rpl.rainpole.local.

    User name

    Active Directory administrator

    Password

    ad_admin_password

  2. Click Windows Start > Run, enter certtmpl.msc, and click OK
  3. In the Certificate Template Console, under Template Display Name, right-click Web Server and click Duplicate Template.
  4. In the Duplicate Template window, leave Windows Server 2003 Enterprise selected for backward compatibility and click OK
  5. In the Properties of New Template dialog box, click the General tab.
  6. In the Template display name text box, enter VMware as the name of the new template.
  7. Click the Extensions tab and specify extensions information:
    1. Select Application Policies and click Edit.
    2. Select Server Authentication, click Remove, and click OK.
    3. Select Key Usage and click Edit.
    4. Select the Signature is proof of origin (nonrepudiation) check box.
    5. Leave the default for all other options.
    6. Click OK.
  8. Click the Subject Name tab, ensure that the Supply in the request option is selected, and click OK to save the template.
  9. To add the new template to your CA, click Windows Start > Run, enter certsrv.msc, and click OK.
  10. In the Certification Authority window, expand the left pane if it is collapsed. 
  11. Right-click Certificate Templates and select New > Certificate Template to Issue.
  12. In the Enable Certificate Templates dialog box, select the VMware certificate that you just created in the Name column and click OK.