Setting up a small lab CA on Windows 2008 R2 for vSphere certificate replacement
Derek Seaman has done a great job describing how to create a template for VMware View on 2008 and how to set up an intermediate CA structure in Windows Server 2012 R2.
I tried going through the latter and found the procedure pretty elaborate for my own lab purposes, so I set out to build a CA that still works with his SSL toolkit but can be set up in about 10 minutes.
Since this is a lab setup, I am basically going to ignore every security recommendation and leave a lot of setup steps at their defaults. The goal is to get up and running within a couple of minutes without wasting too much time on configuration.
I will therefore install the CA services on my domain controller, simply to save resources rather than spin up yet another VM.
The domain controller itself is configured with 1 vCPU and 512 MB of RAM, and since the only incoming traffic is my certificate requests, it performs well enough.
As the first step we call the “Add roles” wizard from Server Manager; the role we are going for is obviously “Active Directory Certificate Services”. On the next screen we choose the role services we need. In our case that is “Certificate Authority”, so we can actually sign certificates, and “Certificate Authority Web Enrollment”, which gives us the CA web page so we can either request the certs manually without having to change machines or use the toolkit mentioned above.
For the rest of the wizard I basically kept all default settings, except for the hash algorithm, which I set to “SHA512”. You can see a summary of all the settings in the screenshot below.
In the role manager we now have “Active Directory Certificate Services” to manage. The next step is to go to “Certificate Templates”, right click the “Web Server” template and choose “Duplicate Template”. The option you want to go for is “Windows Server 2003 Enterprise”. Name the template accordingly, preferably without spaces. I chose “VMware-SSL” for mine, as this is the default in the toolkit, and the less I need to change in my lab, the better 🙂
To meet the requirements for vSphere certificates you will need to edit the template slightly, though. First go to the “Extensions” tab, click on “Edit…” and add “Client Authentication” to the application policies.
Next we want to edit the “Key Usage” extension to include the “Allow encryption of user data” option.
This should complete the template itself; the only thing left is to actually publish it through our web enrollment as well. To do so, expand all the options for our little CA in Server Manager, where you will find folders for all issued certificates, pending requests etc., and also the certificate templates. Right click the “Certificate Templates” folder and choose “New”; there will be only one option, which lets you choose the “Certificate template to issue”. From the wizard that pops up, choose the VMware-SSL template and we are ready to go.
As a quick confirmation you can visit the website http://fqdn_of_dc/certsrv and choose “Request a certificate” -> “Advanced certificate request” -> “Submit a certificate request by submitting …”. The new template should then be visible in the “Certificate Template” drop-down menu.
The last step is to check whether the CA can now actually issue certificates the way we need them. The easiest way to do so is to download the above-mentioned toolkit, edit the settings in its configuration accordingly (I also had to change the default encoding in line 522 to ASCII, otherwise concatenating the PEM files would not work in my environment) and then simply run it with option 1. And sure enough, the certs look good and the PEM is also assembled correctly (visible from the PEM file being 4 KB instead of just 2).
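To confirm the issued certificate really carries what vSphere expects (Server Authentication plus the added Client Authentication EKU, the Data Encipherment key usage from “Allow encryption of user data”, and the SHA512 signature chosen in the wizard), the following PowerShell check can be run against the issued file. This is an added example, not part of the original post or Derek Seaman's toolkit; the certificate path is a placeholder.

```powershell
# Added example: inspect a certificate issued from the VMware-SSL template.
# Assumes the issued certificate was saved as C:\certs\rui.crt (placeholder path).
Add-Type -AssemblyName System.Security

function Test-VSphereCertificate {
    param([Parameter(Mandatory = $true)][string]$Path)

    $x509 = 'System.Security.Cryptography.X509Certificates'
    $cert = New-Object "$x509.X509Certificate2" $Path

    # Enhanced Key Usage: the Web Server template only carries Server Authentication,
    # the duplicated template must also carry Client Authentication.
    $ekuExt = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOids = @()
    if ($ekuExt) { $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    # Key Usage: "Allow encryption of user data" in the template sets DataEncipherment.
    $kuExt = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $ku = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::None
    if ($kuExt) { $ku = $kuExt.KeyUsages }
    $dataEnc = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DataEncipherment

    $result = New-Object PSObject -Property @{
        Subject              = $cert.Subject
        Issuer               = $cert.Issuer
        SignatureAlgorithm   = $cert.SignatureAlgorithm.FriendlyName   # expect sha512RSA
        ServerAuthentication = ($ekuOids -contains '1.3.6.1.5.5.7.3.1')
        ClientAuthentication = ($ekuOids -contains '1.3.6.1.5.5.7.3.2')
        DataEncipherment     = (($ku -band $dataEnc) -ne 0)
        KeyUsage             = $ku.ToString()
    }
    # Passed is true only when every template requirement from the post is present.
    $result | Add-Member -MemberType NoteProperty -Name Passed -Value (
        $result.ServerAuthentication -and $result.ClientAuthentication -and $result.DataEncipherment)
    return $result
}

Test-VSphereCertificate -Path 'C:\certs\rui.crt' | Format-List
```

A certificate issued from the unmodified “Web Server” template shows ClientAuthentication and DataEncipherment as False, which is exactly what the two template edits above fix.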