Wednesday, 12 March 2014

Preparing a Microsoft CA SSL Certificate Template for vSphere 5.x

Creating an SSL certificate for either VMware vCenter or ESXi requires some specific properties on the certificate template that will be used to generate it (as shown here).

As stated in the KB:
Starting from Windows Server 2008 and later, some properties are no longer present on the Web Server template by default, such as:
  • Data Encipherment
  • Nonrepudiation
  • Client Authentication

While vSphere 5.0 requires Nonrepudiation and Client Authentication on the generated certificate, vSphere 5.1 and 5.5 only require Data Encipherment.

Note that it won't hurt to have properties like Nonrepudiation or Client Authentication in 5.1 or 5.5 environments.

Keep in mind that if you plan on using a custom SSL certificate for VMware Site Recovery Manager (SRM), then you need these properties on the template:
  • Client Authentication
  • Allow private key to be exported

So let's get started!

First of all, let's open the Certification Authority console, right-click Certificate Templates and select Manage from the contextual menu (or use the shortcut certtmpl.msc to go straight to the template console).



Now let's duplicate our Web Server template by using the contextual menu action Duplicate Template.



Make sure to select Windows Server 2003 Enterprise as the minimum supported CA.


Alright, now the template just needs to be tuned!

In the main window we're going to name our template VMware SSL (note the difference between the display name and the template name: the display name contains a space while the template name doesn't).

The template name is the one used by tools like certreq, so all upcoming requests must be addressed to VMwareSSL.


In the Extensions tab we'll start by adding Client Authentication to the Application Policies (Client Authentication is only needed for vSphere 5.0, but it won't hurt to add it).

Note that VMware Site Recovery Manager (SRM) needs the Client Authentication property.


Next we're going to edit the Key Usage and tick Allow encryption of user data and, optionally, if you're still on vSphere 5.0 (or below), Signature is proof of origin (nonrepudiation).



If you plan on deploying and replacing the SSL certificates for VMware Site Recovery Manager (SRM) in your infrastructure, then make sure that Allow private key to be exported is selected (you can also create a separate template for it).


Let's make sure that Supply in the request is selected in the Subject Name tab, and we're done.


The template is now created. All that's left to do is to issue it so that it appears among the certificate templates available on the CA.


Let's issue the template by using New >> Certificate Template to Issue from the contextual menu over the Certificate Templates folder.


Here we simply select our VMware SSL template and click OK.


Our template is now ready to be used!
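As an added example (not part of the original post), here is how a request against the new template would be submitted with certreq, followed by a check that the issued certificate really carries the key usages the post calls for. The CA config string, host names, subject fields and file names are assumed placeholders; the template name VMwareSSL is the one defined above.

```powershell
# Added example, not from the original post: request a certificate from the
# VMwareSSL template with certreq, then verify the issued certificate.
# Assumed placeholders: the CA config string, the host names and the file names.

$ErrorActionPreference = 'Stop'
$caConfig = 'ca.example.local\Example-CA'   # assumed "<CA host>\<CA name>"; see certutil -dump

# certreq INF file. Subject and SAN values are constructed samples.
# Exportable = TRUE only matters when the key must leave this machine (e.g. SRM);
# leave it FALSE for hosts where the private key should stay put.
$inf = @'
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=vcenter.example.local, OU=vCenter, O=Example, L=Paris, S=IDF, C=FR"
KeyLength = 2048
HashAlgorithm = SHA256
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[Extensions]
2.5.29.17 = "{text}dns=vcenter.example.local&dns=vcenter"
'@
Set-Content -Path .\request.inf -Value $inf -Encoding Ascii

# Generate the key pair and CSR, then submit it against the template NAME
# (VMwareSSL), not the display name "VMware SSL".
certreq -new .\request.inf .\rui.csr
certreq -submit -config $caConfig -attrib 'CertificateTemplate:VMwareSSL' .\rui.csr .\rui.crt

function Test-VSphereCertificate {
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$RequireNonRepudiation   # set this for vSphere 5.0
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (Resolve-Path $Path)

    # Key Usage (OID 2.5.29.15) and Extended Key Usage (OID 2.5.29.37) extensions.
    $ku  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ekuOids = @()
    if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    $flags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
    $missing = @()
    if (-not $ku -or (($ku.KeyUsages -band $flags::DataEncipherment) -eq 0)) {
        $missing += 'Key Usage: Data Encipherment'
    }
    if ($RequireNonRepudiation -and (-not $ku -or (($ku.KeyUsages -band $flags::NonRepudiation) -eq 0))) {
        $missing += 'Key Usage: Nonrepudiation'
    }
    if ($ekuOids -notcontains '1.3.6.1.5.5.7.3.1') { $missing += 'EKU: Server Authentication' }
    if ($ekuOids -notcontains '1.3.6.1.5.5.7.3.2') { $missing += 'EKU: Client Authentication' }

    [pscustomobject]@{
        Subject = $cert.Subject
        Missing = $missing
        Ok      = ($missing.Count -eq 0)
    }
}

# Run the check on the certificate the CA just returned.
Test-VSphereCertificate -Path .\rui.crt -RequireNonRepudiation
```

The enterprise CA applies the Key Usage and Application Policies defined on the template, so if the check reports a missing usage the template itself is what needs fixing, not the request. The Ok field is the only thing worth gating on before copying the certificate onto vCenter or an ESXi host.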

