Setup SSL Certificates For vSphere Lab-Part-2-Creating Certificate templates

In our last post, Setup SSL Certificate Authority For vSphere Lab, we saw how to add the CA Server Role to a Windows Server 2008 machine. In this post we will see how to generate certificates.

1: Launch the Certificate Authority console from Administrative Tools.


2: Right-click on Certificate Template and click Manage.


3: Select the Windows Authentication Template, right-click on it and select Duplicate Template.


4: Select Windows Server 2008 Enterprise and hit OK.


5: Give the new certificate template a name. Also we need to change some of the properties of the new template.

I have changed the validity period to 5 years and selected the “Publish certificate in AD” and “Do not automatically reenroll” options.


6: Go to the Security tab and change the “Domain Computers” permissions to allow Read and Autoenroll on the certificate template.


7: Go to the Extensions tab and change the Application Policies to include both Client and Server Authentication.

Select Application Policies and click on Edit.


Click on the Add button to see the list of available policies.


From the Add Application Policy list select “Server Authentication” and click OK.


Once the Server Authentication policy is added, hit OK.


8: Under the Subject Name tab, select the UPN checkbox, then hit Apply and OK.


9: Now go back to the Certificate Authority MMC. Right-click on the Certificate Template folder and choose New > Certificate Template to Issue.


10: Select the certificate template that we have just created and hit OK.


Creating Group Policy

To enable computers to automatically grab the certificates we created and install them as trusted certificates, we have to create a group policy.

If you remember, during certificate template creation we selected “Autoenroll”. That doesn’t do anything until we configure a GPO to tell the computers to look for these certs.

11: To create a new group policy, go to Run and type “gpedit.msc”. Navigate to Windows Settings > Security Policies > Public Key Policies, select Certificate Services Client-Auto Enrollment and right-click to open its properties.


12: Under Configuration Model select “Enabled” and select the options “Renew expired certificates” and “Update certificates that use certificate template”. Click on Apply and OK.


13: Now select “Certificate Services Client-Certificate Enrollment Policy” and right-click to open its properties. Under Configuration Model select Enabled and check the box in front of Active Directory Enrollment. Hit Apply and OK.
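
To confirm on a domain-joined machine that steps 1 to 13 took effect, the following PowerShell check can be run from an elevated prompt. It is an added example, not part of the original post: the function names are hypothetical, the 30-second wait is an arbitrary assumption, and it uses only the built-in gpupdate, certutil and .NET certificate classes.

```powershell
# Added verification example (not from the original post).
$ClientAuth = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU OID
$ServerAuth = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU OID

function Get-AutoEnrollPolicy {
    # The auto-enrollment policy from step 12 is stored here as AEPolicy.
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
    $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).AEPolicy
    if ($null -eq $value)     { return 'Not configured' }
    if ($value -band 0x8000)  { return 'Disabled' }
    # A value of 7 corresponds to "Enabled" with both check boxes selected.
    return ('Enabled (AEPolicy=0x{0:X})' -f $value)
}

function Test-DualPurposeCert {
    # True when the certificate carries both EKUs added in step 7.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $oids = @()
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $oids += $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
        }
    }
    return (($oids -contains $ClientAuth) -and ($oids -contains $ServerAuth))
}

function Get-DualPurposeMachineCert {
    # Computer certificates that match the template's application policies.
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { Test-DualPurposeCert $_ } |
        Select-Object Subject, Issuer, NotBefore, NotAfter, Thumbprint
}

gpupdate /target:computer /force | Out-Null   # re-apply computer policy
certutil -pulse | Out-Null                    # trigger an auto-enrollment pass
Start-Sleep -Seconds 30                       # enrollment runs asynchronously

"Auto-enrollment policy: $(Get-AutoEnrollPolicy)"
$certs = @(Get-DualPurposeMachineCert)
if ($certs.Count -eq 0) {
    'No computer certificate with both Client and Server Authentication found.'
} else {
    $certs | Format-List
}
```

Compare NotBefore and NotAfter with the validity period set in step 5. On the CA itself, `certutil -CATemplates` lists the templates it is currently issuing, which confirms step 10.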


Now we have created certificates and selected the appropriate policies. In our next post we will see how to generate signed certificates for use in our vSphere Infrastructure.

I hope you enjoyed reading this post. Feel free to share this on social media if it is worth sharing. Be sociable 🙂


About Alex Hunt

Hi All I am Manish Kumar Jha aka Alex Hunt. I am currently working in VMware Software India Pvt Ltd as Operations System Engineer (vCloud Air Operations). I have around 5 Years of IT experience and have exposure on VMware vSphere, vCloud Director, RHEL and modern data center technologies like Cisco UCS and Cisco Nexus 1000v and NSX. If you find any post informational to you please press like and share it across social media and leave your comments if you want to discuss further on any post. Disclaimer: All the information on this website is published in good faith and for general information purpose only. I don’t make any warranties about the completeness, reliability and accuracy of this information. Any action you take upon the information you find on this blog is strictly at your own risk. The Views and opinions published on this blog are my own and not the opinions of my employer or any of the vendors of the product discussed.