The first step in certificate generation and replacement is setting up a Microsoft Certificate Authority template on the Active Directory (AD) servers for the region. The template contains the certificate authority (CA) attributes for signing certificates of VMware SDDC solutions. After you create the template, you add it to the certificate templates of the Microsoft CA.

Creating a certificate authority template for this VMware Validated Design includes the following operations:

  1. Set up a Microsoft Certificate Authority template. 

  2. Add the new template to the certificate templates of the Microsoft CA.


This VMware Validated Design sets the Certificate Authority service on the Active Directory (AD) dc01rpl.rainpole.local (root CA) server. The AD server is running on the Microsoft Windows Server 2012 R2 operating system.
  • Verify that you installed Microsoft Server 2012 R2 VM with Active Directory Domain Services enabled.

  • Verify that the Certificate Authority Service role and the Certificate Authority Web Enrollment role are installed and configured on the Active Directory Server.

  • Use a hashing algorithm of SHA-256 or higher on the certificate authority.


  1. Log in to the rainpole.local AD server by using a Remote Desktop Protocol (RDP) client.
    1. Open an RDP connection to dc01rpl.rainpole.local.
    2. Use the following credentials.



      User name

      Active directory administrator



  2. Click Windows Start > Run, enter certtmpl.msc, and click OK
  3. In the Certificate Template Console, under Template Display Name, right-click Web Server and click Duplicate Template.
  4. In the Duplicate Template window, leave Windows Server 2003 Enterprise selected for backward compatibility and click OK
  5. In the Properties of New Template dialog box, click the General tab.
  6. In the Template display name text box, enter VMware as the name of the new template.
  7. Click the Extensions tab and specify extensions information.
    1. Select Application Policies and click Edit.
    2. Select Server Authentication, click Remove, and click OK.
    3. Select Key Usage and click Edit.
    4. Select the Signature is proof of origin (nonrepudiation) check box.
    5. Leave the default for all other options.
    6. Click OK.
  8. Click the Subject Name tab, ensure that the Supply in the request option is selected, and click OK to save the template.
  9. To add the new template to your CA, click Windows Start > Run, enter certsrv.msc, and click OK.
  10. In the Certification Authority window, expand the left pane if it is collapsed. 
  11. Right-click Certificate Templates and select New > Certificate Template to Issue.
  12. In the Name column of the Enable Certificate Templates dialog box, select the VMware certificate that you created and click OK.