- Launch the vSphere 6.0 Certificate Manager. On a Windows Platform Service Controller, it is located at:
  C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager
- Select Option 2 (Replace VMCA Root certificate with Custom Signing Certificate and replace all Certificates)
- Provide the administrator@vsphere.local password when prompted.
- Provide appropriate details
- Select Option 1 (Generate Certificate Signing Request(s) and Key(s) for VMCA Root Signing certificate)
- Your new CSR is in the folder you specified titled “vmca_signing_cert.csr” with its corresponding key file.
- Log in to the Windows Certificate Authority at https://<CA Name>/certsrv and sign the certificate with the certificate template created in the following steps.
  - Creating a new template for vSphere 6.0 to use for VMCA as a Subordinate CA
    - Connect to the CA server.
    - Click Start > Run, type certtmpl.msc, and click OK.
    - In the Certificate Template Console, under Template Display Name, right-click Subordinate Certificate Authority and click Duplicate Template.
    - In the Duplicate Template window, select Windows Server 2003 Enterprise for backward compatibility.
    - If you have an encryption level higher than SHA1, select Windows Server 2008 Enterprise.
    - Click the General tab.
    - In the Template display name field, enter the name of the new template.
    - Ensure Publish certificate in Active Directory is selected.
    - Click the Extensions tab.
    - Select Key Usage and click Edit.
    - Ensure that Digital Signature, Certificate signing and CRL signing are enabled.
    - Ensure that Make this extension critical is enabled.
    - Click OK.
    - Click OK to save the template.
    - Proceed to the "Adding a new template to certificate templates" steps below to make the newly created certificate template available.
  - Adding a new template to certificate templates
    - Connect to the CA server.
    - Click Start > Run, type certsrv.msc, and click OK.
    - In the left pane of the Certificate Console, if collapsed, expand the node by clicking the + icon.
    - Right-click Certificate Templates and click New > Certificate Template to Issue.
    - Locate vSphere 6.0 or vSphere 6.0 VMCA under the Name column.
    - Click OK.
- Select Base64 Encoded and download the chain.
- Open the .p7b certificate file and export both certificates as Base64.
- Create a chain file called root_signing_chain.cer by running the following command, which concatenates the new leaf (VMCA) certificate and the root certificate, in that order:
  copy root_signing_cert.cer + root64.cer root_signing_chain.cer
- Return to the vSphere 6.0 Certificate Manager and select Option 1 (Continue to importing Custom certificate(s) and key(s) for VMCA Root Signing certificate).
- Provide the full path to the root_signing_chain.cer and vmca_signing_cert.key.
- Once the import is done, log in to the Platform Service Controller web console at https://<PSC Server>/websso and check the certificates.
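
A pre-import check for the chain file built above, as an added example that is not part of the original post: it confirms that root_signing_chain.cer lists the VMCA certificate first and the root last, and that the VMCA certificate carries the CA flag and the critical Key Usage values set in the template. The function name Test-VmcaSigningChain is hypothetical; the code uses only .NET X509Certificate2 classes and, going slightly beyond the two-certificate case in the steps, also accepts chains that contain intermediates.

```powershell
# Added example (not from the original post). Test-VmcaSigningChain is a hypothetical name.
function Test-VmcaSigningChain {
    param([Parameter(Mandatory = $true)][string]$ChainPath)

    # Split the concatenated Base64 file into certificates, keeping file order.
    $pem = [IO.File]::ReadAllText((Resolve-Path -LiteralPath $ChainPath).ProviderPath)
    $blocks = [regex]::Matches($pem,
        '-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----', 'Singleline')
    if ($blocks.Count -lt 2) {
        throw "Expected VMCA certificate plus root, found $($blocks.Count) certificate(s)."
    }
    $certs = @(foreach ($b in $blocks) {
        $der = [Convert]::FromBase64String(($b.Groups[1].Value -replace '\s', ''))
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (, $der)
    })

    $problems = @()
    # Order check: each certificate must be issued by the one that follows it.
    for ($i = 0; $i -lt $certs.Count - 1; $i++) {
        $issuer  = [Convert]::ToBase64String($certs[$i].IssuerName.RawData)
        $subject = [Convert]::ToBase64String($certs[$i + 1].SubjectName.RawData)
        if ($issuer -ne $subject) {
            $problems += "Certificate $i is not issued by certificate $($i + 1); check the copy order."
        }
    }
    $last = $certs[$certs.Count - 1]
    if ($last.Subject -ne $last.Issuer) { $problems += 'Last certificate is not self-signed.' }

    # Template check on the VMCA certificate, which must be first in the file.
    $vmca = $certs[0]
    $bc = $vmca.Extensions['2.5.29.19']   # Basic Constraints
    $ku = $vmca.Extensions['2.5.29.15']   # Key Usage
    if (-not $bc -or -not $bc.CertificateAuthority) {
        $problems += 'First certificate is not a CA certificate (wrong template or wrong order).'
    }
    $F = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
    $need = [int]($F::DigitalSignature -bor $F::KeyCertSign -bor $F::CrlSign)
    if (-not $ku -or (([int]$ku.KeyUsages -band $need) -ne $need)) {
        $problems += 'Key Usage lacks Digital Signature, Certificate signing or CRL signing.'
    } elseif (-not $ku.Critical) {
        $problems += 'Key Usage extension is not marked critical.'
    }

    New-Object psobject -Property @{
        Valid    = ($problems.Count -eq 0)
        Order    = @($certs | ForEach-Object { $_.Subject })
        Problems = $problems
    }
}

# Usage, with the file name from the steps above:
# Test-VmcaSigningChain -ChainPath .\root_signing_chain.cer
```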
Tagged: Platform Service Controller, VMCA, VMCA Certificate Template, VMCA Root Signing certificate, VMware Certificate Authority, vSphere 6.0 Certificate Manager