Wednesday, September 26, 2012

Create VMware Windows CA Certificate Template

UPDATED 2/17/2013: Updated certificate requirements per latest VMware vSphere 5.1 documentation, and modified the intro text with updated information. Refreshed all screenshots and steps for a Windows Server 2012 CA. For my full 14+ part guide on vSphere 5.1 installation and SSL certificate replacement series, click here.
--

When creating certificates using a Microsoft CA for your VMware vSphere environment, you will need to modify the default Web Server template settings to meet published VMware certificate requirements. vSphere 5.0 and earlier had an additional certificate requirement (nonrepudiation) that is not required in vSphere 5.1. This article will show you how to create a Microsoft CA template with all the past and present requirements, so that your bases are covered.
 
The default Web Server certificate template does NOT have Data Encipherment, nonrepudiation, or client authentication enabled. A Windows CA stamps the template's extensions onto the certificate, not the ones in the request, so while the CA will happily issue you a certificate, it will silently drop any key usage in your CSR that the template does not grant, which may cause you problems later.

These instructions are based on Windows Server 2012, but all the options are available in prior Enterprise editions of the OS, such as Windows Server 2008 R2. You may have problems with "Standard" edition CAs prior to Windows Server 2012, as they cannot create or issue custom (version 2) templates; that feature was reserved for Enterprise or higher editions. Windows Server 2012 Standard edition has the full complement of certificate template options, so Datacenter edition is not required (Windows Server 2012 has no Enterprise edition).

1. Open the Certification Authority console (certsrv.msc). Locate the Certificate Templates node, right click it, and select Manage.

 
2. Locate the Web Server template, right click it, and select Duplicate Template.
3. Don't change any of the compatibility settings. Leave it on Windows Server 2003 so the template stays a version 2 template that older CAs and clients can use.
 
4. Since this template will be used for VMware SSL certificates, I named the new template appropriately. I also changed the validity period to three years, but the period a certificate is actually issued with is capped by other CA properties (the CA's own certificate lifetime and its ValidityPeriod registry settings), so it may not be the full period you specify here.
5. Open the Extensions tab, click Key Usage, click Edit, then select "Signature is proof of origin (nonrepudiation)" and "Allow encryption of user data". Note: ESXi 5.1 does not require nonrepudiation or data encipherment (encryption of user data), but I've enabled them here for backwards compatibility.
6. In the Extensions tab click Application Policies, then click Edit and add the Client Authentication policy (Server Authentication is already present from the Web Server template). Note: The vCenter 5.1 services do not require the Client Authentication option, but I've included it here for backwards compatibility with vCenter 5.0 and earlier. It appears ESXi 5.1 still wants client authentication.
7. After the template is made, you now have to permit certificates to be minted using that template. Back in the Certification Authority console, right click the Certificate Templates node as shown below, select New, then Certificate Template to Issue.
8. Select the VMware SSL template, or whatever name you used.
9. If everything went as planned you will have a new certificate template type to choose when submitting a CSR. If you don't see your new template, you may not have appropriate CA rights to issue the certificate, or the CA may not yet have picked up the new template from Active Directory (restarting the Active Directory Certificate Services service forces it to reload the template list).
10. To validate everything is working as planned, submit a CSR that requests the Data Encipherment, nonrepudiation, and client authentication usages, then open the properties of the issued certificate and check its Key Usage and Enhanced Key Usage fields. As you can see in the screenshots below, our minted certificate has all the required properties.
 
If you have no idea how to create a CSR with these extra usage options, don't fear, just read my blog post here. You are now ready to issue the proper SSL certificates for all of your vSphere environments.
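The same thing from the command line. This is an added example, not code from the original post or from VMware: it publishes the duplicated template on the CA (steps 7 and 8), submits a CSR pinned to that template (step 10), and then checks the issued certificate for every key usage and application policy configured in steps 5 and 6 instead of eyeballing the certificate viewer. The template name "VMware-SSL", the CA config string "CAHOST\MyIssuingCA", and the file names rui.csr and rui.crt are placeholders you must replace with your own.

```powershell
# Added example, not part of the original post. Automates steps 7-10: publish the
# template, submit a CSR against it, verify the issued certificate's usages.
# Placeholders: template name, CA config string, request and certificate paths.

Import-Module ADCSAdministration          # installed with the ADCS role on Server 2012

$TemplateName = 'VMware-SSL'              # the template *name* (not display name); placeholder
$CaConfig     = 'CAHOST\MyIssuingCA'      # placeholder: "<CA host>\<CA common name>"

# Steps 7-8: allow the CA to issue from the template. Same effect as
# "certutil -SetCAtemplates +VMware-SSL".
if (-not (Get-CATemplate | Where-Object { $_.Name -eq $TemplateName })) {
    Add-CATemplate -Name $TemplateName -Force
}

# Step 10: submit the CSR and pin the template. The CA writes the template's
# Key Usage and Application Policies into the certificate; usages the CSR asked
# for but the template lacks are dropped.
certreq -submit -config $CaConfig -attrib "CertificateTemplate:$TemplateName" .\rui.csr .\rui.crt

function Test-VMwareTemplateCertificate {
    param([Parameter(Mandatory)][string]$Path)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path

    # Key usages enabled on the template in step 5. NonRepudiation (proof of origin) and
    # DataEncipherment (encryption of user data) are the two the stock Web Server template lacks.
    $requiredKu = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags] `
        'DigitalSignature, NonRepudiation, KeyEncipherment, DataEncipherment'

    # Application policies from step 6: Server Authentication plus Client Authentication.
    $requiredEku = @('1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2')

    $kuExt  = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $ekuExt = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $tplExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }   # Certificate Template Information

    $presentKu  = if ($kuExt)  { [int]$kuExt.KeyUsages } else { 0 }
    $presentEku = if ($ekuExt) { @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) } else { @() }

    # Required key-usage bits that are not set. The flag values use the same bit layout
    # the Windows certificate viewer prints as a hex byte next to "Key Usage".
    $missingKu  = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]([int]$requiredKu -band (-bnot $presentKu))
    $missingEku = @($requiredEku | Where-Object { $_ -notin $presentEku })

    [pscustomobject]@{
        Subject         = $cert.Subject
        Template        = if ($tplExt) { $tplExt.Format($false) } else { 'n/a' }
        KeyUsageHex     = '{0:x2}' -f $presentKu
        MissingKeyUsage = $missingKu
        MissingEku      = $missingEku
        Pass            = ([int]$missingKu -eq 0) -and ($missingEku.Count -eq 0)
    }
}

Test-VMwareTemplateCertificate -Path .\rui.crt
```

If Pass comes back false with MissingKeyUsage or MissingEku populated, the problem is on the template (or the CA issued from a different template; the Template field tells you which one), not in your CSR, because the CA ignores usages the template does not grant. Get-CATemplate returning nothing for your template name is the same symptom as step 9 not listing it: check your permissions on the template and whether the CA has reloaded the template list.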
24 comments:

  1. Hi Derek,

    1st of all I wanted to thank you for your accurate and detailed blog covering the woes that is 5.1. I have upgraded my vCenter & Update Manager with my CA certificates, but only with the excellent help you provided. Just waiting on Synology fixing their NFS issues which Kendrick Coleman blogged about and I can get fully 5.1'd! :)

    I was wondering if you were planning to do anything on Auto Deploy? I've managed to change the CA certificate so the newly deployed nodes take a valid certificate chain but whenever I change the rui.crt & rui.key for the actual server it borks the system. The documentation is extremely light, but I'm sure I'm missing a proper import process like the rest of 5.1.

    Keep up the good work, cheers!

    Dave

    ReplyDelete
    Replies
    1. Dave, I still have a few parts left (log browser, VUM) that I need to write up. So those are my first priority. I may get to autodeploy, but I'd just be happy with a rock solid vCenter 5.1 install, which has not yet materialized.

      Delete
  2. Derek, I think one other item to set in Step 5 is to add Client Authentication to the Application Policies extension. I don't know if it's really required, but Michael Webster's article says it is mandatory, and it is specified in this VMware KB on preparing openssl config files. http://kb.vmware.com/kb/2015387. The Web Server template is Server Authentication only...

    ReplyDelete
    Replies
    1. Loren, looking at all the VMware self-signed certificates I could find in vSphere 5.1, NONE of them had client authentication enabled. I think this is where VMware is inconsistent in what they say in a KB article and reality. If VMware is shipping 5.1 with no client authentication, then I'm assuming it is not needed or the software would not work.

      Delete
  3. Hi Derek, thank you very much for your detailed blog.
    I'm having a problem in step 7 of this article as I can't see the VMwareSSL template I've created.

    ReplyDelete
    Replies
    1. Hmm...that is odd. Not sure what to say there. Do you have proper permissions?

      Delete
    2. I had to stop and start the Active Directory Certificate service to see the Template appear.
      Thank you again for your blog, very helpful.

      Delete
  4. I noticed in your screenshot for step 5, The tick box is checked for "Make this extension critical". Is that needed as well?

    Thanks! Trying to follow your guide to upgrade our vCenter. Such an excellent write up!

    ReplyDelete
  5. That was marked by default, so I left that option checked.

    ReplyDelete
    Replies
    1. Thanks for the quick response Derek!

      Delete
  6. Hi, we signed our CSR's with our OpenSSL CA server using a new template, but the Data Encipherment is showing '(f0)' on our signed certificates. Not '(b0)' as on the certs we are trying to replace, and the above examples.

    Is this something that will cause problems or can be safely ignored?

    ReplyDelete
    Replies
    1. I recall seeing F0 on a couple of certs I made, and I think that was when I also enabled client authentication in the CSR. But I could be wrong about that. I would venture to say you are OK.

      Delete
    2. We went ahead and ran some tests in a lab environment and didn't have a problem with the SSO or Inventory SSL certs.

      Thanks for the great blog/guide!

      Delete
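The "(f0)" versus "(b0)" question above can be settled by decoding the byte the Windows certificate viewer prints next to Key Usage. What follows is an added example, not code from the post or from the commenters. It relies on the fact that .NET's X509KeyUsageFlags enum uses the same bit positions as the first byte of the X.509 KeyUsage BIT STRING, so a cast names the bits and a bitwise difference shows exactly which usage changed.

```powershell
# Added example (not from the post or the comment thread). Decodes the hex Key Usage
# byte the Windows certificate viewer shows, e.g. "(b0)" or "(f0)".

function ConvertFrom-KeyUsageHex {
    param([Parameter(Mandatory)][string]$Hex)   # e.g. 'b0'
    # X509KeyUsageFlags bit values: DigitalSignature=0x80, NonRepudiation=0x40,
    # KeyEncipherment=0x20, DataEncipherment=0x10, KeyAgreement=0x08,
    # KeyCertSign=0x04, CrlSign=0x02, EncipherOnly=0x01
    [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags][Convert]::ToInt32($Hex, 16)
}

function Compare-KeyUsageHex {
    param(
        [Parameter(Mandatory)][string]$Reference,   # byte on the certificate being replaced
        [Parameter(Mandatory)][string]$Candidate    # byte on the newly issued certificate
    )
    $ref = [Convert]::ToInt32($Reference, 16)
    $can = [Convert]::ToInt32($Candidate, 16)
    [pscustomobject]@{
        Reference        = ConvertFrom-KeyUsageHex $Reference
        Candidate        = ConvertFrom-KeyUsageHex $Candidate
        AddedInCandidate = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]($can -band (-bnot $ref))
        DroppedFromRef   = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]($ref -band (-bnot $can))
    }
}

Compare-KeyUsageHex -Reference 'b0' -Candidate 'f0'
```

The two bytes differ only in the 0x40 bit, which is NonRepudiation: f0 is b0 plus the "Signature is proof of origin" usage enabled in step 5. Client Authentication is an application policy (Enhanced Key Usage), not a Key Usage bit, so adding or removing it never changes this byte.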
  7. Hi Derek,

    Data Encipherment was required for 5.0 but is no longer required for 5.1. When I tested the SSL replacement instructions I used the standard Windows 2003 Web Server Template.

    ReplyDelete
  8. @Michael: Understood, but as long as the official KB articles still show data encipherment in their OpenSSL templates, I'll leave it in. Should they refresh the KBs and remove it, I'll be glad to pull it as well.

    ReplyDelete
  9. Hi thanks for the guide. I'm having the same problem as David in step 7. I created the template but it's not showing up in the list. I tried stopping and starting the services but it's not helping. Kind of at a stand still here.

    ReplyDelete
    Replies
    1. @Andrew: Sounds like a possible permissions error. Just to see if the template can show up at all, you might launch a blank MMC, add the computer certificate snap-in, then request a machine certificate. See if the VMware SSL template shows up.

      Delete
    2. Having the same issue, its most likely because your CA is windows standard. http://www.windowsitpro.com/article/certificates/creating-a-new-certificate-template-in-windows-server-2003-standard-edition-48880

      Delete
    3. But, you can get around that with this command:
      certutil -SetCAtemplates +templatename

      Delete
    4. Using that certutil command will not help, as you get an error when trying to actually use the template. I ended up having to upgrade my subca from 2003 std to ent. I should note that afterwards IE6 was borked, had to install IE7, uninstall ie7 then it was ok. Of course you have to repatch it all again. To the best of my knowledge you cannot do any of this without an Enterprise CA.

      Delete
  10. Actually that command will add it, but later when you try to use it an error will pop up. Upgrade to enterprise or do it manually it looks like.

    ReplyDelete
  11. In this you have named the template VMware-SSL but in part 2 of your blog posting you have named it VMwareSSL. Nothing insane but I've been following step by step and couldn't work out why I was getting an error

    ReplyDelete
    Replies
    1. Yup, when I refreshed this post I slightly changed the template name. Forgot to update #2. I'll circle around and do that. Thanks!

      Delete
  12. I also had the issue of not seeing the newly created cert in Step 7-8 to "add" it. And, I am indeed on 2K8 Enterprise (R2 SP1, to be exact). I didn't see it to add in the GUI and thus also didn't see it in the web interface to check that adding it worked. I tried the certutil cmd, which stated it ran 'successfully'. I refreshed my CA server web gui and saw the "VMware-SSL" option in the drop-down, but still didn't see the cert in the GUI (i.e. I again tried to do Rt-click > New > Cert Template to Issue & the "VMware-SSL" cert still doesn't show in the list. Is it supposed to not show if the cmd runs successfully (or, does it no longer show if it is seen & can be done in the GUI/snap-in)?

    Thanks,
    Shane

    ReplyDelete