Setup SSL Certificates For vSphere Lab-Part-1-Configuring CA Server

This week I was looking at setting up a CA server for generating SSL certificates that can be used in my vSphere home lab. Self-signed certificates usually work in a lab environment, but it's good to know how to work with signed certificates, because in production environments organizations don't use self-signed certificates and rely on SSL certificates bought from a third party like Thawte or Verisign.

Having your own CA is useful for testing SSL and other services that require certificates without the need to purchase certificates from a third party.  However, these certificates will not be automatically trusted by computers external to your AD domain, so there are some limitations.

In this post I am going to share the steps needed to configure a Windows 2008 R2 Server as a Certificate Authority.


Prerequisites:

  • Active Directory Domain already set up and configured
  • Server 2008 installed and joined to the domain

Let's begin with configuring Server 2008 as a CA server.

1: Launch Server Manager and click on Add Roles. From the list of roles available select “Active Directory Certificate Service” and hit Next.


2: Hit Next on Introduction to AD CS page.


3: Under Role Services select “Certification Authority” and hit Next.


4: Select “Enterprise” as setup type for your CA server and hit Next.

For an SSL deep dive, I would recommend reading this article by Derek Seaman.


5: Under Specify CA type select “Root CA” and hit Next.


6: This is a new CA without existing keys, so select “Create a new private key” and hit Next.


7: Keep the default CSP, hashing method, and key length and hit Next.


8: Keep the default CA name and hit Next.


9: Keep the default validity period of 5 years and hit Next.


10: Don't change the default database location for certs unless you have specific requirements. Hit Next.


11: Click on Install button on Confirm Installation Selections page.


12: Wait for installation to finish.


Installing Certification Authority Web Enrollment service

The Web Enrollment service is very useful when requesting certificates from computers that are not members of the AD domain.

Once the “Certificate Authority” role is completely installed, you can add the Certification Authority Web Enrollment service to it from the Server Manager page.

13: Click on Add Role Services.


14: Under Role Services select “Certification Authority Web Enrollment” and hit Next.


15: Click on Add Required Role Services button to add the IIS services.


16: On IIS page hit Next.


17: Keep the default selection and hit Next. If you have specific requirements you can add additional options by selecting the appropriate components check boxes.


18: Hit Next to start installing the services and components.


19: Hit Close once the components are installed.
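
A post-install check for the CA built in steps 1 to 19, as an added example that is not part of the original post: run from an elevated PowerShell prompt on the CA server, it confirms that both role services are installed and the CertSvc service is answering, then reports the hash algorithm, key size and expiry that steps 7 and 9 accepted as defaults. The output file name under $env:TEMP is an assumption.

```powershell
# Added example: verify the AD CS installation from an elevated PowerShell
# prompt on the CA server (Windows Server 2008 R2, PowerShell 2.0).
Import-Module ServerManager

# Role services selected in steps 3 and 14.
$features = Get-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Web-Enrollment
foreach ($f in $features) {
    "{0,-22} installed: {1}" -f $f.Name, $f.Installed
}

# The CA runs as the CertSvc service; certutil -ping checks that it answers requests.
$svc = Get-Service -Name CertSvc
"CertSvc status: $($svc.Status)"
certutil -ping | Out-Null
"certutil -ping exit code: $LASTEXITCODE (0 = CA is responding)"

# CSP and hash algorithm accepted in step 7, read from the CA's registry configuration.
# CNGHashAlgorithm is only populated when the CA key lives in a CNG key storage provider.
$cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty -Path $cfgRoot).Active
$csp     = Get-ItemProperty -Path (Join-Path $cfgRoot "$caName\CSP")
"CA name:        $caName"
"CSP provider:   $($csp.Provider)"
"Hash algorithm: $($csp.CNGHashAlgorithm)"

# Export the CA certificate to check key length (step 7) and validity (step 9).
# '-ca.cert' is quoted so PowerShell passes it to certutil as a single argument.
$certFile = Join-Path $env:TEMP 'lab-ca.cer'   # assumed output path
certutil -f '-ca.cert' $certFile | Out-Null
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certFile
$keySize = $cert.PublicKey.Key.KeySize
"Key size:       $keySize bits"
"Signed with:    $($cert.SignatureAlgorithm.FriendlyName)"
"Valid until:    $($cert.NotAfter)"

# Flag settings worth revisiting before this CA design is copied outside the lab.
if ($csp.CNGHashAlgorithm -eq 'SHA1') {
    Write-Warning 'CA signs issued certificates with SHA-1, which current browsers reject.'
}
if ($keySize -lt 2048) {
    Write-Warning "CA key is only $keySize bits; use 2048 or larger."
}
```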


With this, installation of the CA Server role is finished. In our next post we will see how to configure and use signed certificates.

Additional References:

1: Install an Enterprise Certificate Authority in Windows 2008 R2

2: Create a Windows Enterprise CA and issue certificates for vRA and other VMware Products with examples

3: Install Certification Authority in Windows Server 2008 R2



About Alex Hunt

Hi All I am Manish Kumar Jha aka Alex Hunt. I am currently working in VMware Software India Pvt Ltd as Operations System Engineer (vCloud Air Operations). I have around 5 Years of IT experience and have exposure on VMware vSphere, vCloud Director, RHEL and modern data center technologies like Cisco UCS and Cisco Nexus 1000v and NSX.