When installing vCAC in a distributed / load balanced way it is not possible to use self-signed certificates and get everything working correctly (wildcard certificates are not supported either). Therefore, correct certificates have to be generated for your environment and then issued to the various vCAC components. In a production environment the Public Key Infrastructure (PKI) would ideally be an offline Root CA with a second server provisioned as an online issuing Certificate Authority. In my lab environment I don't have the capacity for this, so my online domain controller will be an Enterprise Root CA and there won't be a secondary issuing server. I will also assume that you are setting up a PKI for the first time and that it is not already installed.
Step 1: Create A CAPolicy.inf File
Before installing Active Directory Certificate Services you can create a CAPolicy.inf file that defines certain default values you want the PKI to adhere to. In my case I want strong keys with a long validity so I don't ever have to worry about replacing anything later.
The file should be created as %windir%\CAPolicy.inf and contain the values you require. In my case it looks like:
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=40
CRLPeriod=Years
CRLPeriodUnits=20
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
This specifies a 4096-bit key (strong) with a 40-year validity period and a 20-year lifetime for Certificate Revocation Lists. Delta CRLs are disabled (CRLDeltaPeriodUnits=0) for simplicity! Bear in mind that a client caches a CRL until its NextUpdate time, so with a 20-year CRL period a revocation is effectively invisible to any client that already holds a copy of the CRL. That is fine for a lab whose certificates will never be revoked; it is not a setting for production.
NOTE: The Renewal* values in this file only take effect when the CA certificate is later renewed. The key length and validity of the initial CA certificate come from the installation parameters, and the CRL settings are applied explicitly with certutil after installation, so when using PowerShell as below these settings are configured manually anyway.
Step 2: Install Active Directory Certificate Services
I prefer to add features to Windows using PowerShell as it means I don't have to keep clicking Next every few seconds. The commands I use going forward only work on Windows Server 2012 upwards (sorry). If you are running 2008 R2 or older you'll have to install the roles and features the old way. Also note that an Enterprise CA must be installed on a domain-joined server by an account with Enterprise Admin rights; in my lab I am installing it directly on the domain controller, which is acceptable for a lab but not something you would do in production.
To install AD CS, open a PowerShell window (ensure it is running as an administrator) and run the role installation command.
This installs the role binaries pretty quickly; a progress bar appears while it runs. Once it has finished, configure the CA itself with:
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA -KeyLength 4096 `
    -HashAlgorithmName SHA1 -ValidityPeriod Years -ValidityPeriodUnits 40 `
    -CACommonName "LabDC01-EntRootCA" -CADistinguishedNameSuffix "DC=lab,DC=local" `
    -CryptoProviderName "Microsoft Strong Cryptographic Provider"
Remember, you can use the -WhatIf switch to check that the command is valid and to see what it will do. One thing to change for anything other than a throwaway lab: -HashAlgorithmName SHA1 gives you a SHA-1-signed CA certificate and SHA-1 signatures on everything it issues, which current browsers and many TLS clients reject. Use SHA256 instead, together with a provider that supports it such as the default "RSA#Microsoft Software Key Storage Provider".
To check the result, open the Certification Authority console, right-click the root CA node (it should have a green tick by it), select Properties and then View Certificate.
If all is well you should notice that, in the Details tab, the Public Key field shows 4096 bits and the validity period is indeed 40 years. There is a little more configuration required to set up the publication URLs and CRL periods and to disable delta CRLs. Enter the commands below (modify the paths and URLs for your environment):
certutil.exe -setreg CA\CRLPublicationURLs "1:C:\Windows\System32\CertSrv\CertEnroll\%3%8.crl\n2:http://pki.lab.local/pki/%3%8.crl"
certutil.exe -setreg CA\CACertPublicationURLs "2:http://pki.lab.local/pki/%1_%3%4.crt"
certutil.exe -setreg CA\CRLPeriodUnits 20
certutil.exe -setreg CA\CRLPeriod "Years"
certutil.exe -setreg CA\CRLDeltaPeriodUnits 0
certutil.exe -setreg CA\CRLDeltaPeriod "Days"
certutil.exe -setreg CA\CRLOverlapPeriodUnits 4
certutil.exe -setreg CA\CRLOverlapPeriod "Weeks"
certutil.exe -setreg CA\ValidityPeriodUnits 40
certutil.exe -setreg CA\ValidityPeriod "Years"
certutil.exe -setreg CA\DSConfigDN "DC=lab,DC=local"
Restart-Service certsvc
certutil -crl
As an example, you should get output similar to the screenshot below if the commands complete successfully. Now, if you check C:\Windows\System32\CertSrv\CertEnroll you should see your root certificate and CRL all present and correct. Note that the only CRL distribution point written into issued certificates is http://pki.lab.local/pki/, so that name must resolve and a web server must serve the contents of the CertEnroll folder at that path, otherwise revocation checking on the vCAC certificates will fail.
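As an added example (this is not the post's own script), here are Steps 1 and 2 end to end as one PowerShell script, run from an elevated window on the domain-joined server that becomes the Enterprise Root CA. It uses the post's names (lab.local, LabDC01-EntRootCA, http://pki.lab.local/pki, the CertEnroll folder) and finishes with a function that reads the installed CA certificate and the CA registry back so you can confirm the key size, hash, validity and CRL settings rather than eyeballing a dialog. It deviates from the post in three labelled places: the role installation cmdlet, which is the standard one and is not reproduced above; SHA256 with the CNG key storage provider instead of SHA1 with the legacy CSP; and CN=Configuration,DC=lab,DC=local for DSConfigDN, which is the naming context that value is meant to hold.

```powershell
# Added example, not the post's own script: Steps 1 and 2 in one go.
# Assumed names (from the post): lab.local, LabDC01-EntRootCA, http://pki.lab.local/pki.
# Deviations from the post: SHA256 + CNG KSP instead of SHA1 + legacy CSP,
# and DSConfigDN set to the Configuration naming context.
#Requires -RunAsAdministrator

$CAName     = 'LabDC01-EntRootCA'
$DNSuffix   = 'DC=lab,DC=local'
$HttpBase   = 'http://pki.lab.local/pki'
$CertEnroll = 'C:\Windows\System32\CertSrv\CertEnroll'

# Step 1: CAPolicy.inf must exist before the CA is configured. The Renewal*
# keys only take effect when the CA certificate is renewed later on.
@'
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=40
CRLPeriod=Years
CRLPeriodUnits=20
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
'@ | Set-Content -Path "$env:windir\CAPolicy.inf" -Encoding ASCII

# Step 2a: role binaries (standard cmdlet; this step is not reproduced in the post).
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools

# Step 2b: configure the CA itself. Add -WhatIf to see the plan without changing anything.
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA `
    -KeyLength 4096 -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 40 `
    -CACommonName $CAName -CADistinguishedNameSuffix $DNSuffix `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' -Force

# Step 2c: CDP/AIA and CRL settings. Prefix 1 = write the CRL to this location,
# prefix 2 = put this URL into the CDP (or AIA) extension of issued certificates.
$settings = @{
    'CA\CRLPublicationURLs'    = "1:$CertEnroll\%3%8.crl\n2:$HttpBase/%3%8.crl"
    'CA\CACertPublicationURLs' = "2:$HttpBase/%1_%3%4.crt"
    'CA\CRLPeriodUnits'        = 20
    'CA\CRLPeriod'             = 'Years'
    'CA\CRLDeltaPeriodUnits'   = 0          # no delta CRLs
    'CA\CRLDeltaPeriod'        = 'Days'
    'CA\CRLOverlapPeriodUnits' = 4
    'CA\CRLOverlapPeriod'      = 'Weeks'
    'CA\ValidityPeriodUnits'   = 40         # longest lifetime this CA will issue
    'CA\ValidityPeriod'        = 'Years'
    'CA\DSConfigDN'            = "CN=Configuration,$DNSuffix"   # only used to expand %6 in LDAP URLs
}
foreach ($kv in $settings.GetEnumerator()) {
    certutil.exe -setreg $kv.Key "$($kv.Value)" | Out-Null
}
Restart-Service certsvc
certutil.exe -crl | Out-Null          # publish the first CRL into CertEnroll

# Verification: the CA certificate in the machine Root store plus the live CA registry.
function Test-LabRootCa {
    param([string]$Name = $CAName)
    $cert = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like "CN=$Name,*" } | Select-Object -First 1
    if (-not $cert) { return $null }
    $reg = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$Name"
    [pscustomobject]@{
        Subject    = $cert.Subject
        KeyBits    = $cert.PublicKey.Key.KeySize                  # expect 4096
        SigAlg     = $cert.SignatureAlgorithm.FriendlyName        # expect sha256RSA
        ValidYears = [math]::Round(($cert.NotAfter - $cert.NotBefore).TotalDays / 365.25)
        CrlPeriod  = "$($reg.CRLPeriodUnits) $($reg.CRLPeriod)"   # expect "20 Years"
        DeltaCrl   = ($reg.CRLDeltaPeriodUnits -ne 0)             # expect False
        CdpUrls    = $reg.CRLPublicationURLs
        CrlOnDisk  = Test-Path (Join-Path $CertEnroll "$Name.crl") # %3%8.crl for the base CRL
    }
}
Test-LabRootCa | Format-List
```

The hashtable mirrors the certutil lines above one for one, so it is easy to diff against what the post sets; the order in which they are applied does not matter. Test-LabRootCa is also handy later: run it again after any certutil change to confirm the registry and the published CRL still agree.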
Step 3: Create A New Certificate Template
Now, to be able to issue the correct type of certificates for vCAC (it has very specific requirements according to the docs) we need to create a new certificate template. This is done by launching the Certification Authority utility on your issuing CA (in my case this is the Enterprise Root CA installed above).
Expand the Certification Authority tree and right click on Certificate Templates. Now select Manage from the context menu. This will open up the Certificate Templates Console. Scroll down the list and select Web Server. Right click and select Duplicate Template. (Shown Below).
In the General tab change the information to that shown below: give the template a display name (mine is VMware SSL Certificate, the name referred to in Step 4), make sure the Publish certificate in Active Directory check box is selected, and set validity periods that are right for your environment (I don't want to bother replacing them so have set them long).
Now select the Extensions tab, select Key Usage and ensure the options shown below are checked. Click OK and then, still in the Extensions tab, select Application Policies and then Edit. Click Add, select Client Authentication and then OK. Server Authentication is already present because the template was duplicated from Web Server, so the issued certificates will carry both.
Step 4: Publish The New Web Enrollment Template
Still logged on to your issuing CA with an account that has Domain Admin privileges, open the Certification Authority utility and expand the tree as before. Right click on the Certificate Templates folder and select New > Certificate Template to Issue from the menu. The Enable Certificate Templates window will appear. Scroll down, select VMware SSL Certificate as created above and click OK.
The VMware SSL Certificate should then appear in the Certificate Templates folder.
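To check the template from PowerShell rather than by eye, and to do Step 4 without the MMC, here is an added example that is not from the post. It assumes the template's internal name (cn) is VMwareSSLCertificate, which is what the Certificate Templates console derives from the display name "VMware SSL Certificate" by dropping the spaces (confirm it on the template's General tab), and that the ActiveDirectory module is available (it is on a domain controller). The required Key Usage bits, Digital Signature and Key Encipherment, are my assumption since the post's screenshot of that dialog is not reproduced; adjust $RequiredKU if yours differs. The Server and Client Authentication EKUs and the publish-to-AD flag are exactly what Step 3 asked for.

```powershell
# Added example, not the post's own code: read the duplicated template back out
# of AD, check the settings Step 3 asked for, then publish it (Step 4) with certutil.
# Assumptions: template cn is VMwareSSLCertificate; ActiveDirectory module present;
# required Key Usage bits are Digital Signature and Key Encipherment.
#Requires -Modules ActiveDirectory

$TemplateName = 'VMwareSSLCertificate'
$RequiredKU   = 0x80 -bor 0x20      # DigitalSignature | KeyEncipherment, first byte of the KeyUsage bit string
$ServerAuth   = '1.3.6.1.5.5.7.3.1'
$ClientAuth   = '1.3.6.1.5.5.7.3.2'
$PublishToDS  = 0x8                 # CT_FLAG_PUBLISH_TO_DS in msPKI-Enrollment-Flag ("Publish certificate in Active Directory")

function Get-LabTemplateCheck {
    param([string]$Name = $TemplateName)
    $base = "CN=Certificate Templates,CN=Public Key Services,CN=Services," +
            (Get-ADRootDSE).configurationNamingContext
    $t = Get-ADObject -SearchBase $base -LDAPFilter "(&(objectClass=pKICertificateTemplate)(cn=$Name))" `
            -Properties displayName, pKIKeyUsage, pKIExtendedKeyUsage, pKIExpirationPeriod,
                        'msPKI-Enrollment-Flag', 'msPKI-Minimal-Key-Size'
    if (-not $t) { throw "Template '$Name' not found under $base" }

    $ku = [int]([byte[]]$t.pKIKeyUsage)[0]
    # pKIExpirationPeriod is an 8-byte little-endian negative count of 100 ns intervals
    $ticks = [BitConverter]::ToInt64([byte[]]$t.pKIExpirationPeriod, 0)

    [pscustomobject]@{
        DisplayName    = $t.displayName
        KeyUsageOk     = (($ku -band $RequiredKU) -eq $RequiredKU)
        ServerAuth     = [bool]($t.pKIExtendedKeyUsage -contains $ServerAuth)
        ClientAuth     = [bool]($t.pKIExtendedKeyUsage -contains $ClientAuth)
        PublishedToAD  = [bool]($t.'msPKI-Enrollment-Flag' -band $PublishToDS)
        ValidityDays   = [int](-$ticks / 864000000000)
        MinimumKeyBits = $t.'msPKI-Minimal-Key-Size'
    }
}

function Publish-LabTemplate {
    param([string]$Name = $TemplateName)
    # "+Name" adds the template to the list the CA will issue from (the MMC's "Certificate Template to Issue")
    certutil.exe -SetCATemplates "+$Name" | Out-Null
    # -CATemplates prints one "Name: DisplayName -- ..." line per template the CA offers
    return [bool]((certutil.exe -CATemplates) -match "^$Name\b")
}

$check = Get-LabTemplateCheck
$check | Format-List
$bad = $check.PSObject.Properties | Where-Object { $_.Value -is [bool] -and -not $_.Value }
if ($bad) { throw "Fix the template before publishing it: $($bad.Name -join ', ')" }
if (-not (Publish-LabTemplate)) { throw "CA does not list $TemplateName after publishing" }
```

The check runs before the publish on purpose: once a template is offered by the CA, anyone with Enroll permission on it can request certificates, so a template missing the Client Authentication EKU or carrying a surprising key usage is better caught while it is still only an object in AD.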
Next up is installing OpenSSL. This will be continued in Part 3.