In any enterprise environment, small or large, you should always used trusted SSL certificates for your VMware components. Very commonly people want to use a Microsoft Certificate Authority (CA). But, VMware requires certain properties be present in the SSL certificate to properly function. So you need to create a custom VMware certificate template in your CA to accommodate the key requirements.
You will need to modify the default Microsoft CA Web Server template settings to meet published VMware certificate requirements. vSphere 5.0 and earlier had an additional certificate requirement (nonrepudiation) that is not required in vSphere 5.1. This article will show you how to create a Microsoft CA template with all the past and present requirements, so that your bases are covered.
The default Web Server certificate template it does NOT have Data Encipherment, nonrepudiation, or client authentication enabled. Depending on the version of vSphere you are using, one or more of these properties may be required. So while the CA will happily issue you a certificate if you request these features, it will silently ignore the unsupported key usage specified in your CSR, which may cause you problems.
These instructions are based on Windows Server 2012, but all the options are available in prior Enterprise versions of the OS, such as Windows Server 2008 R2. You may have problems with “standard” edition CAs prior to Windows Server 2012, as they lack some certificate features found in Enterprise or higher editions. Windows Server 2012 standard edition has the full compliment of certificate options, so datacenter edition is not required (there is no enterprise edition).
If you are interested in the full 15-part vCenter 5.1 installation series with trusted SSL certificates, click here.
VMware Certificate Template Creation
1. Open the Certificate Authority tool. Locate the top Certificate Templates, right click, and select Manage.
2. Locate the web server template and duplicate it.
3. Don’t change any of the compatibility settings. Leave it on Windows Server 2003.
4. Since this template will be used for VMware SSL certificates I named the new template appropriately. I also changed the validity period to three years, but the period the certificate is actually issued with depends on other CA properties so it may not be the full period you specify here.
5. Open the Extensions tab, click on Key Usage, then select Signature is proof of origin and Allow Encryption of User data. Note: ESXi 5.1 does not require nonrepudiation or dataencipherment (encryption of user data). But I’ve enabled them here for backwards compatibility.
6. In the Extensions tab click Application Policies then click Edit. Add the Client Authentication policy. Note: The vCenter 5.1 services do not require the Client Authentication option, but I’ve included it here for backwards compatibility with vCenter 5.0 and earlier. It appears ESXi 5.1 still wants client authentication.
7. On the Subject Name tab make sure Supply in the request is selected (it is by default). This will let us issue certificates with a SAN (subject alternative name).
8. After the template is made, you now have to permit certificates to be minted using that template. Right click on the Certificate Templates node as shown below, select New, then Certificate Template to Issue.
9. Select the VMware SSL template, or whatever name you used.
10. If everything went as planned you will have a new certificate template type when submitting a CSR. If you don’t see your new template, you may not have appropriate CA rights to issue the certificate.
11. To validate everything is working as planned, submit a CSR that has the Data Encipherment, nonrepudiation, and client authentication key requirements, then open the properties of the certificate. As you can see in the screenshots below, our minted certificate has all the required properties. If you have no idea how to create a CSR with these extra usage options, don’t fear, just read my blog post here
. You are now ready to issue the proper SSL certificates for all of your vSphere environments.
Congrats! You now have a VMware certificate template that you can use with all modern versions of vSphere without fear of ignoring an important key usage attribute.