vSphere 6.0 Pt. 9: SSL Templates

VMware has provided new SSL template guidance for vSphere 6.0. New to vSphere 6.0 are machine SSL certificates, solution user certificates, and using the VMCA as a subordinate CA. If you are using an enterprise Microsoft CA, then this article is for you. I’ll show you how to create the new templates and publish them within your CA. You can then go into my vCenter Toolkit and change the template names to match. If you are not using a Microsoft CA, then you are on your own for creating the right templates in your particular CA. Again, you shouldn’t be using a public CA for these certificates. Use an internal enterprise CA.

April 2, 2015 Update: VMware has informed me that VUM 6.0 MUST use the old vSphere 5.5 certificate template. VUM 6.0 is NOT compatible with the new machine certificate template which debuted in 6.0. So jump to my 5.5 SSL template guide here and create the VMware-SSL template if it does not exist in your environment. If you followed my 5.5 guide and already have the template, then you are set.

Blog Series

vSphere 6.0 Install Pt. 1: Introduction
vSphere 6.0 Install Pt. 2: Platform Services Controller
vSphere 6.0 Install Pt. 3: Certificate Management
vSphere 6.0 Install Pt. 4: vCenter Upgrade Best Practices
vSphere 6.0 Install Pt. 5: ESXi Upgrade Best Practices
vSphere 6.0 Install Pt. 6: Install Windows PSC
vSphere 6.0 Install Pt. 7: Config SQL DBs
vSphere 6.0 Install Pt. 8: Toolkit Configuration
vSphere 6.0 Install Pt. 9: SSL Templates
vSphere 6.0 Install Pt. 10: Install VCSA PSC
vSphere 6.0 Install Pt. 11: VMCA as Subordinate
vSphere 6.0 Install Pt. 12: PSC Machine Certificate
vSphere 6.0 Install Pt. 13: Directory Services Certificate
vSphere 6.0 Install Pt. 14: Windows vCenter Install

Permalink to this series: vexpert.me/Derek60
Permalink to my Toolkit script: vexpert.me/toolkit60

Machine SSL and Solution User Certificates

1. Login to your issuing CA and launch the Certificate Authority MMC snap-in.

2. Locate the Certificate Templates folder, right click, and select Manage.

3. Locate the “Web Server” template, right click, and duplicate it.

4. Click on the General tab and name it “vSphere 6.0”. Note that the “Template name” field (not the display name) is the value my Toolkit script uses as the template name.

5. Click on the Extensions tab, click on Application Policies, then Edit. Remove Server Authentication and click OK.


6. Select Key Usage, then click on Edit. Check the box next to nonrepudiation.

7. Click on Subject name. Ensure that “Supply in the request” is selected.

8. Click on the Compatibility tab and ensure that Windows Server 2003 is selected for both options. Even if you are running a newer CA, don’t select later CA options.

9. Close the Certificate Templates console window, right click on Certificate Templates, select New, then Certificate Template to Issue. Find the vSphere 6.0 template and select it. Click OK.

VMCA Subordinate Template

You only need this template if you will be using the VMCA as a subordinate CA to your enterprise CAs. If you are going to be using fully custom SSL certificates without the VMCA, you can skip this template.

1. Login to your issuing CA and launch the Certificate Authority MMC snap-in.

2. Locate the Certificate Templates folder, right click, and select Manage.


3. Locate the “Subordinate Certificate Authority” template, right click, and select Duplicate.

4. On the General tab change the name to “vSphere 6.0 VMCA”. Also, it’s important to check the box to publish the certificate to Active Directory. This will ensure all domain computers trust your VMCA. For my Toolkit script you will use the template name of “vSphere6.0VMCA” (no spaces).

5. Click on the Compatibility tab and change both compatibility settings to Windows Server 2008. This enables hashing algorithms stronger than SHA1 to be used.


6. Click on the Extensions tab. Select Key usage and click Edit. Verify that all the options shown below are checked.

7. Close the Certificate Templates console window, right click on Certificate Templates, select New, then Certificate Template to Issue. Find the vSphere 6.0 VMCA template and select it. Click OK.
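To confirm that both templates ended up the way the two procedures above describe (subject supplied in the request, the right key usage bits, Server Authentication removed from the first, publication to AD on the second, and a CA actually issuing them), here is an added PowerShell check. It is not from the original post or the author's Toolkit; it assumes the auto-generated template names “vSphere6.0” and “vSphere6.0VMCA” and a domain account that can read the Configuration partition.

```powershell
# Added verification script; it is not from the original post or the Toolkit.
# Reads both templates from AD DS over ADSI (no RSAT module needed) and checks the
# settings the steps above ask for. The template (not display) names are assumed:
# "vSphere6.0" is what the MMC auto-generates for a display name of "vSphere 6.0".
$cfgNc = ([ADSI]"LDAP://RootDSE").configurationNamingContext
$pki   = "CN=Public Key Services,CN=Services,$cfgNc"

# Flag and key-usage bit values per MS-CRTD and RFC 5280 (first byte of pKIKeyUsage).
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # Subject name: "Supply in the request"
$CT_FLAG_PUBLISH_TO_DS             = 0x8   # "Publish certificate in Active Directory"
$KU_DIGITAL_SIGNATURE = 0x80; $KU_NON_REPUDIATION = 0x40
$KU_KEY_CERT_SIGN     = 0x04; $KU_CRL_SIGN        = 0x02
$OID_SERVER_AUTH = '1.3.6.1.5.5.7.3.1'

function Test-VSphereTemplate {
    param([string]$Name, [int]$RequiredKeyUsage, [switch]$MustPublishToDs, [switch]$NoServerAuthEku)
    $t = [ADSI]"LDAP://CN=$Name,CN=Certificate Templates,$pki"
    try { $t.RefreshCache() } catch { return "$Name : template not found in AD" }
    $problems = @()

    $nameFlag = [int]$t.Properties['msPKI-Certificate-Name-Flag'][0]
    if (-not ($nameFlag -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)) {
        $problems += 'subject name is not "Supply in the request"'
    }
    $ku = [byte]$t.Properties['pKIKeyUsage'][0][0]
    if (($ku -band $RequiredKeyUsage) -ne $RequiredKeyUsage) {
        $problems += ('key usage 0x{0:X2} lacks required bits 0x{1:X2}' -f $ku, $RequiredKeyUsage)
    }
    if ($MustPublishToDs -and -not ([int]$t.Properties['msPKI-Enrollment-Flag'][0] -band $CT_FLAG_PUBLISH_TO_DS)) {
        $problems += 'certificate is not published to Active Directory'
    }
    if ($NoServerAuthEku) {
        $ekus = @($t.Properties['pKIExtendedKeyUsage']) + @($t.Properties['msPKI-Certificate-Application-Policy'])
        if ($ekus -contains $OID_SERVER_AUTH) { $problems += 'Server Authentication policy still present' }
    }
    # Step "Certificate Template to Issue": at least one enrollment CA must list the template.
    $root     = [ADSI]"LDAP://CN=Enrollment Services,$pki"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, '(objectClass=pKIEnrollmentService)')
    $issuers  = @($searcher.FindAll() | Where-Object { @($_.Properties['certificatetemplates']) -contains $Name })
    if ($issuers.Count -eq 0) { $problems += 'no CA is configured to issue this template' }

    if ($problems.Count -eq 0) { "$Name : OK" } else { "$Name : " + ($problems -join '; ') }
}

# Machine SSL / solution user template: nonrepudiation added, Server Authentication removed.
Test-VSphereTemplate -Name 'vSphere6.0' -RequiredKeyUsage ($KU_DIGITAL_SIGNATURE -bor $KU_NON_REPUDIATION) -NoServerAuthEku
# VMCA subordinate template: CA key usages and publication to AD.
Test-VSphereTemplate -Name 'vSphere6.0VMCA' -RequiredKeyUsage ($KU_KEY_CERT_SIGN -bor $KU_CRL_SIGN) -MustPublishToDs
```

Each line of output is either “OK” or a semicolon-separated list of the steps that still need attention, so it can be re-run after each correction in the MMC.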

Summary

VMware has changed the security template requirements in vSphere 6.0. They’ve also introduced a new template requirement, if you are going to be using the VMCA as a subordinate CA. You need both templates if you are going to take full advantage of the new certificate features in vSphere 6.0. If you still have a VMware SSL template from prior versions, keep it around, in case you need to re-issue certs for your legacy environment. Remember to update the variables in my Toolkit script to match the new template names.

Next up in this series is installing a VCSA-based PSC, in case you want to go that route versus using a Windows PSC. You can find that article here.

2 Comments
March 31, 2015 7:59 am

Before 6.0 the MS CA was the only approach. VMware gave us the option for a third party CA, but you say we should still use the MS CA. Can you expand on that with pros/cons/constraints/risks?