Monthly Archives: September 2016

Configuring VMware vSphere 6.0 VMware Certificate Authority as a subordinate Certificate Authority:

  1. Launch the vSphere 6.0 Certificate Manager using:
    Windows Platform Service Controller:
    C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager
  2. Select Option 2 (Replace VMCA Root certificate with Custom Signing Certificate and replace all Certificates)
  3. vmca
  4. Provide the administrator@vsphere.local password when prompted.
  5. Provide appropriate details
  6. Select Option 1 (Generate Certificate Signing Request(s) and Key(s) for VMCA Root Signing certificate)
  7. Your new CSR is in the folder you specified titled “vmca_signing_cert.csr” with its corresponding key file.
    1. Log in to the Windows Certificate Authority at https://<CA Name>/certsrv and sign the certificate with the Certificate Template.
      Creating a new template for vSphere 6.0 to use for VMCA as a Subordinate CA:
      1. Connect to the CA server.
      2. Click Start > Run, type certtmpl.msc, and click OK.
      3. In the Certificate Template Console, under Template Display Name, right-click Subordinate Certificate Authority and click Duplicate Template.
      4. In the Duplicate Template window, select Windows Server 2003 Enterprise for backward compatibility.
      5. If your CA uses a hash algorithm stronger than SHA1, select Windows Server 2008 Enterprise instead.
      6. Click the General tab.
      7. In the Template display name field, enter the name of the new template.
      8. Ensure Publish certificate in Active Directory is selected.
      9. Click the Extensions tab.
      10. Select Key Usage and click Edit.
      11. Ensure that Digital Signature, Certificate signing and CRL signing are enabled.
      12. Ensure that Make this extension critical is enabled.
      13. Click OK.
      14. Click OK to save the template.
      15. Proceed to the "Adding a new template to certificate templates" section below to make the newly created certificate template available.
      Adding a new template to certificate templates:
      1. Connect to the CA server.
      2. Click Start > Run, type certsrv.msc, and click OK.
      3. In the left pane of the Certificate Console, if collapsed, expand the node by clicking the + icon.
      4. Right-click Certificate Templates and click New > Certificate Template to Issue.
      5. Locate vSphere 6.0 or vSphere 6.0 VMCA under the Name column.
      6. Click OK.
  1. Select Base64 Encoded and download the chain.
  2. Open the .p7b certificate and export both certificates as Base64.
  3. Create a chain file called root_signing_chain.cer by running the following command to concatenate the new leaf (vmca) certificate and the root certificate:
    copy root_signing_cert.cer + root64.cer root_signing_chain.cer
  4. Return to the vSphere 6.0 Certificate Manager and select Option 1 (Continue to importing Custom certificate(s) and key(s) for VMCA Root Signing certificate).
  5. Provide the full path to root_signing_chain.cer and vmca_signing_cert.key.
  6. Once the import is done, log in to the Platform Service Controller web console at https://<PSC Server>/websso and check the certificates.
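
Before importing root_signing_chain.cer, it is worth checking that the concatenation produced what the procedure expects: the VMCA certificate first, then the root. The following is an added example, not part of the original post or of VMware's tooling; check_chain and fake_cert are hypothetical names. It goes slightly beyond the steps above by also flagging the Ctrl-Z (0x1A) byte that copy appends when it concatenates in its default ASCII mode (copy /b avoids it) and END/BEGIN markers fused onto one line.

```python
import base64, re
PEM = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def tlv(buf, pos):
    """Read one DER element at pos; return (tag, value, next_pos)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    return tag, buf[pos:pos + n], pos + n

def names(der):
    """Return (issuer, subject) as raw DER bytes from tbsCertificate."""
    tbs, fields, pos = tlv(tlv(der, 0)[1], 0)[1], [], 0
    while pos < len(tbs) and len(fields) < 5:
        tag, val, pos = tlv(tbs, pos)
        if tag != 0xA0:  # skip the optional [0] version field
            fields.append(val)
    return fields[2], fields[4]  # order: serial, sigAlg, issuer, validity, subject

def check_chain(data):
    """Return a list of problems found in a concatenated PEM chain file."""
    problems = []
    if b"\x1a" in data:
        problems.append("Ctrl-Z (0x1A) byte present; use copy /b to concatenate")
    if re.search(rb"-----END CERTIFICATE-----[ \t]*-----BEGIN", data):
        problems.append("END and BEGIN markers share a line")
    ders = [base64.b64decode(b"".join(m.split())) for m in PEM.findall(data)]
    if len(ders) < 2:
        return problems + [f"need VMCA cert plus root, found {len(ders)} cert(s)"]
    pairs = [names(d) for d in ders]
    for i in range(len(pairs) - 1):  # byte-wise name comparison (a simplification)
        if pairs[i][0] != pairs[i + 1][1]:
            problems.append(f"cert {i + 1} is not issued by cert {i + 2}")
    if pairs[-1][0] != pairs[-1][1]:
        problems.append("last cert is not self-signed; root missing or misplaced")
    return problems

def fake_cert(subject, issuer):
    """Constructed DER skeleton for the demo, not a real certificate."""
    seq = lambda *p: bytes([0x30, len(b"".join(p))]) + b"".join(p)
    name = lambda s: seq(bytes([0x0C, len(s)]) + s)
    tbs = seq(b"\x02\x01\x01", seq(), name(issuer), seq(), name(subject))
    body = base64.encodebytes(seq(tbs))
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    vmca, root = fake_cert(b"VMCA", b"ROOT"), fake_cert(b"ROOT", b"ROOT")
    print(check_chain(vmca + root))            # correct order
    print(check_chain(root + vmca + b"\x1a"))  # reversed, ASCII-mode copy
```

To check a real file, pass its bytes: check_chain(open("root_signing_chain.cer", "rb").read()). The check only compares issuer and subject names; it does not verify signatures or the Key Usage extension set in the template.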