How to create certificates for VMware View (and others) using a Windows CA

This is a rather short post for a checklist respectively a step-list of things you should know/do to create certificates for VMware products like VMware View. The steps in this post should work for Windows 2008 and later. Furthermore you can use Step 1 and 2 for other products next to VMware View like vSphere.

If you don’t have a Windows CA but want to use it to assign certificates, you have to create it. You can either install it onto a domain controller or a member sever. When you install the CA onto a domain controller, you have to remove the CA before you demote the domain controller. This is the only limitation I know respectively I was told. But it is quite easy to move the CA to another server within the domain. So the limitation is important to know but it is no showstopper!

  1. Install a Windows CA if not already exists
    1. Add the role Active Directory Certificate Services to a server.
      • Install and configure CA to meet your requirements.
    2. Export the root-certificate into a text-file.
    3. Create a GPO to share the certificate as Trusted Root Certification Authority within the domain. To do this import the certificate into the GPO beneath Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Trusted Root Certification Authorities.
    4. Link the GPO to the AD level you need it.
    5. Check that the certificate is installed as Trusted Root Certification Authorities on domain members.
  2. Create a certificate template for VMware products. This Step is optional but it is quite useful if you plan to create more than one certificate.
    1. Log into Windows CA using mmc.exe.
    2. Manage Certificate Templates.
    3. Duplicate Web Server template and configure the copy:
      • Leave compatibility to Windows Server 2003.
      • Rename the copy and set a recognizable name.
      • You can change validity and renewal period.
      • For older versions (for example vSphere 5.0) consider to set Signature is proof of origin (nonrepudiation) and Allow encryption of user data in Extensions –> Key Usage. Furthermore add Client Authentication in Extensions –> Application Policies.
      • To enable the creation of SAN certificates, ensure Subject Name –> Supply in the request is selected.
      • Add the groups of computer accounts in Security and allow them to Read and Enroll the template.
    4. To enable it, you have to issue the template using New –> Certificate Template to Issue.
    5. Now domain members should be able to select the template for requesting certificates.
  3. Request a certificate for View Connection Server.
    I will describe the way to use mmc.exe to request a certificate, because this is a quite simple way.

    1. Open the local computer certificate store using mmc.exe
    2. Open the Personal folder and Request New Certificate… and select the newly created template to configure the required settings:
      • In tab Subject add FQDN as Common name and as type DNS beneath Alternative name. Also add the hostname as type DNS. If you plan to provide your user a single hostname to connect to more than one connection server, provide the FQDN as DNS too.
      • In tab General set “vdm” as Friendly name.
      • In tab Private Key enable Make private key exportable beneath Key options.
    3. Enroll the certificate.
    4. Check the personal certificates of the server. If there is more than one certificate using freindly name “vdm”, delete the unwanted self signed certificate.

That’s it!

Leave a Reply

Your email address will not be published. Required fields are marked *