In this blog post we will go over the steps outlined in the VMware Knowledgebase article 2112009 for the creation Machine SSL and Solution User certificates in a Microsoft Certificate Authority (CA). The next blog on replacing the Machine SSL certificate will reference this blog.
What’s a “Machine SSL certificate”?
The Machine SSL certificate is the certificate you get when you open the vSphere Web Client in a web browser. It is used by the reverse proxy service on every management node, Platform Services Controller, and embedded deployment. You can replace the certificate on each node with a custom certificate.
What’s a “Solution User”?
A solution user is a collection of services. Several vCenter Server solution users are predefined and authenticate to vCenter Single Sign-On.
The steps are pretty straightforward. The requirements are that you are running a Windows Server and have a working Certificate Authority role configured. In my example, I used a Windows 2012 server running as a virtual machine on my Mac via VMware Fusion. You can use other versions of Windows and the UI is pretty much the same.
If you want to try this out yourself in a lab environment, check out my Powershell script for building a Windows 2012 Domain Controller. available on GitHub. The latest version of the script also sets up the system as a certificate authority using the following Powershell commands. (Windows 2012 only)
Write-Host "Set up Certificate Manager"
Write-Host "Add CA role"
Write-Host "Create CA"
Install-AdcsCertificationAuthority -CACommonName "Root CA" -CAType StandaloneRootCA -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" -HashAlgorithmName SHA1 -KeyLength 2048 -ValidityPeriod Years -ValidityPeriodUnits 20 -force
Creating a new template for vSphere 6.0 to use for Machine SSL and Solution User certificates
What you’ll want to do first is log into your Windows server, click Start > Run and type certtmpl.msc and click OK. This starts up the Certificates Templates Console. You’ll see a laundry list of different certificate templates from Domain Controller to Smartcard Logon and more. We’ll be creating a new template for use by the Machine SSL and Solution Users certificates. These are what we’ll submit our Certificate Signing Requests (CSR’s) against. Let’s configure the template.
In the Certificate Template Console, under Template Display Name, right-click Web Server and click Duplicate Template.
In the Duplicate Template window, select Windows Server 2003 Enterprise for backward compatibility.
- The UI may not show “Windows Server 2003 Enterprise” unless you are running an Enterprise edition of Windows. Select “Windows 2003” as seen below.
- If you have an encryption level higher than SHA1, select Windows Server 2008 Enterprise.
Click the General tab. In the Template display name field, enter vSphere 6.0 as the name of the new template.
Click the Extensions tab. Select Application Policies and click Edit. Select Server Authentication and click on Remove and then OK.
Select Key Usage and click Edit. Select the Signature is proof of origin (nonrepudiation) option. Leave all other options as default.
Click the Subject Name tab. Ensure that the Supply in the request option is selected. Click OK to save the template.
Adding a new template to certificate templates
Now that we have created the certificate template for vSphere 6.0 to use for Machine SSL and Solution User certificates it’s time to add them to the list of template that we can select when submitting our CSR’s.
From the server desktop, Click Start > Run, type certsrv.msc, and click OK.
In the left pane of the Certificate Console, if collapsed, expand the node by clicking the + or ▹ icon.
Right-click Certificate Templates and click New > Certificate Template to Issue.
Locate vSphere 6.0 under the Name column and then Click OK.
(Example shown uses “vSphere 6 test” because “vSphere 6.0” was already issued during a previous lab setup)
You now have created a new vSphere 6 Certificate Template for use in creating Machine SSL or vSphere Solution User Certificates. These templates will be used in a future blog post where we will replace the Machine SSL certificate while leaving VMCA to issue certificates to ESXi hosts and Solution Users.
I hope this was helpful. Let me know if it was and if you want to see more blogs like this.