“nasty” SSL/SSO lab exerices – lab 2
After lab 1 was done a small coffee break directly leads into lab 2 showing the students on how to check if a specific VMware certificate template was created.
The whole process is also publicly described in the following kb article.
The lab is split into several tasks so that students get into the habit of doing one thing after the other in logical blocks and instead of needing to remember a long series of tasks only have to remember the grand scheme of everything as the single tasks are pretty much straight forward most of the time.
Task 1: Checking if a VMware certificate template is available
This task makes the students familiar with the (optional) Microsoft CA Web Enrollment. Using either Chrome or Internet Explorer the following web page will be opened: http://dc.training.local/certsrv which loads the default Web Enrollment page. From here several tasks can be done, like issuing new certificate requests, review pending requests or downloading the CA certificate or full CA chain, if intermediate CAs are being utilized.
For now we are only concerned with the “Request a certificate” option.
On the next screen we want to take a look at an “advanced certificate request”. Expand the “Certificate Template” drop down menu to see that there is no VMware specific certificate template yet.
Depending on the actual resource usage of the system the browser might crash due to the low memory assignments of the virtual machine. I would recommend following the process on the domain controller itself or increasing the swap file to 4 GB on the vCenter server if you have the disk space.
Task 2: Creating a new VMware specific certificate template
On the domain controller (dc.training.local) open the Server Manager, extend the Server Roles and the Active Directory Certificate Services role. Find the “Certificate Templates” option and look for the “Web Server” certificate template. Right click that template and choose “Duplicate Template”, we do want “Windows Server 2003 Enterprise” for the radio button choice so that the template will be available through web enrollment without any further configuration. On the new pop up window rename the template to something useful like “VMware Certificate”.
Next take a look at the “Request handling” tab. Some solutions like Horizon View demand that the private key of the certificate is exportable. You would set this in this tab. For our exercise this is not needed so the checkbox will remain empty.
On the “Extensions” tab add the “Client Authentication” option to the “Application Policies”. For the key usage choose the following parameters.
Save by confirming all Windows with “OK”. You should see your new template added in the “Certificate Templates” window now. Next we are going to add the template to our CA. Expand the “training-DC-CA” and open the “Certificate Template” option. Right-click in the center pane and choose “New” and then the only option of “Certificate Template to Issue”.
In the pop up window scroll down and find the freshly created “VMware Certificate” template and add it to the CA by clicking “OK”.
Task 3: Re-Checking if a VMware certificate template is available
During this task the students will simply repeat the steps from task 1 to see if anything changed. It might take a couple of minutes but if the steps were followed correctly the “VMware Certificate” option should now be available to choose when requesting a new certificate using web enrollment like shown below.
This concludes the second lab for the students.
Recap on what the lab intended to teach:
- Familiarity with the Microsoft CA Web Enrollment web page
- Basic understanding of certificate templates
- How to check a template for the required values
- How to publish a template to the Web Enrollment web page