Installing vCAC – Part 2: Certificates Prep and Configuration

When installing vCAC in a distributed / load-balanced configuration it is not possible to use self-signed certificates to get everything working correctly (wildcard certificates are not supported either). Correct certificates therefore have to be generated for your environment and issued to the various vCAC components. In a production environment the Public Key Infrastructure (PKI) would ideally be an offline Root CA with a second server provisioned as an online Issuing CA, so that the root key never lives on a network-connected host. In my lab environment I don't have the capacity for this, so my online domain controller will be an Enterprise Root CA and there won't be a separate issuing server. I will also assume that you are setting up a PKI for the first time and it is not already installed.

Step 1: Create A CAPolicy.inf File

Before installing Active Directory Certificate Services you can create a CAPolicy.inf file that defines default values the CA setup should adhere to. In my case I wanted a strong key with a long validity period so I don't have to worry about replacing anything later.

The file should be created as %windir%\CAPolicy.inf and contain the values you require.  In my case it looks like:

[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=40
CRLPeriod=Years
CRLPeriodUnits=20
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0

This specifies a 4096-bit key (strong) with a 40-year validity period for the CA certificate and a 20-year publication period for Certificate Revocation Lists. Delta CRLs are disabled for simplicity! Bear in mind that lifetimes this long are a lab convenience: a CRL that is only reissued every 20 years gives you very little room to react if a certificate has to be revoked, so in production you would use a CRL period of days or weeks and a shorter CA lifetime.

NOTE: CAPolicy.inf is read by the CA setup whichever way the role is configured (Server Manager or PowerShell), but after installation check the resulting values with certutil -getreg CA; the certutil -setreg commands in Step 2 set them explicitly in any case.

Step 2: Install Active Directory Certificate Services

I prefer to add features to Windows using PowerShell as it means I don't have to keep clicking Next every few seconds. The commands I use going forward only work on Windows Server 2012 upwards (sorry); if you are running 2008 R2 or older you'll have to install the roles and features the old way. An Enterprise CA also requires the server to be domain-joined and the account running the commands to be an Enterprise Admin. In my lab the server is also the domain controller, which is convenient but not something to copy in production: a CA on a domain controller means a compromise of either role hands an attacker both.

To install AD-CS Open up a PowerShell Window (ensure it’s running as an administrator) and run the command:

Install-WindowsFeature -Name AD-Certificate -IncludeManagementTools

This will install the feature pretty quickly. A progress bar appears while the command runs and, upon successful install, a confirmation message is shown.

All this has done is install the feature. The server still needs to be configured as an Enterprise Root CA. First we run the PowerShell command below to set up the server as an online Enterprise Root CA. Use SHA256 rather than SHA1 for the hash algorithm: it is the algorithm the CA will use to sign every certificate it issues, and SHA1-signed TLS certificates are rejected by current browsers and clients. The RSA#Microsoft Software Key Storage Provider is the current (CNG) software provider and supports SHA-2.

Install-AdcsCertificationAuthority -CAType EnterpriseRootCA -KeyLength 4096 -HashAlgorithmName SHA256 -ValidityPeriod Years -ValidityPeriodUnits 40 -CACommonName "LabDC01-EntRootCA" -CADistinguishedNameSuffix "DC=lab,DC=local" -CryptoProviderName "RSA#Microsoft Software Key Storage Provider"

Remember, you can use the -WhatIf switch to check that the command is valid and to see what it will do.

There will be a confirmation prompt; confirm the action and wait for the process to complete (almost instant). The final confirmation message is odd: it looks like an error but isn't.

Successful configuration at this point can be confirmed by opening the Certification Authority console.

Right-click the CA node (it should have a green tick by it), select Properties and then View Certificate.

If all is well the Details tab should show a Public key of RSA (4096 Bits), a Signature algorithm of sha256RSA and a validity period of 40 years.

There is a little more configuration required to set up the publication URLs and CRL periods and to disable Delta CRLs. The commands below need to be entered in an elevated PowerShell window (modify the paths, URLs and DN for your environment):

certutil.exe -setreg CA\CRLPublicationURLs "1:C:\Windows\System32\CertSrv\CertEnroll\%3%8.crl\n2:http://pki.lab.local/pki/%3%8.crl"
certutil.exe -setreg CA\CACertPublicationURLs "2:http://pki.lab.local/pki/%1_%3%4.crt"
certutil.exe -setreg CA\CRLPeriodUnits 20
certutil.exe -setreg CA\CRLPeriod "Years"
certutil.exe -setreg CA\CRLDeltaPeriodUnits 0
certutil.exe -setreg CA\CRLDeltaPeriod "Days"
certutil.exe -setreg CA\CRLOverlapPeriodUnits 4
certutil.exe -setreg CA\CRLOverlapPeriod "Weeks"
certutil.exe -setreg CA\ValidityPeriodUnits 40
certutil.exe -setreg CA\ValidityPeriod "Years"
certutil.exe -setreg CA\DSConfigDN "CN=Configuration,DC=lab,DC=local"
Restart-Service certsvc
certutil -crl

If the commands complete successfully certutil reports the old and new value for each setting. Now check C:\Windows\System32\CertSrv\CertEnroll: you should see your root certificate and the freshly generated CRL all present and correct. Note that the CA only writes the CRL to the local CertEnroll folder (the 1: location); the http://pki.lab.local/pki/ URL (the 2: location) is what gets embedded in issued certificates, so that name must resolve and a web server must serve the CertEnroll files from it, otherwise clients will fail revocation checking on every certificate this CA issues.
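As an added example (this is not from the original post and not Microsoft's or VMware's code), the following PowerShell sanity-checks the CA after the commands above: it reads the same registry values certutil -setreg wrote, inspects the CA's own certificate for key size, signature algorithm and lifetime, and confirms the CRL exists locally and is reachable over HTTP. It assumes it is run on the CA itself, that the settings above were applied unchanged, and that http://pki.lab.local/pki/ is meant to serve the CertEnroll folder (the DNS name and web site are assumed to exist).

```powershell
# Added example: verify the CA configuration after Install-AdcsCertificationAuthority + certutil -setreg.
# ASSUMPTIONS: run on the CA server; CRL/AIA published to http://pki.lab.local/pki/ as in the commands above.

$cfgKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty $cfgKey).Active          # name of the active CA, e.g. LabDC01-EntRootCA
$caCfg  = Get-ItemProperty "$cfgKey\$caName"         # the values certutil -setreg CA\... wrote

$problems = @()

# 1. Registry: CRL every 20 years, delta CRLs off, 40-year issuance ceiling.
if ($caCfg.CRLPeriod -ne 'Years' -or $caCfg.CRLPeriodUnits -ne 20) {
    $problems += "CRL period is $($caCfg.CRLPeriodUnits) $($caCfg.CRLPeriod), expected 20 Years"
}
if ($caCfg.CRLDeltaPeriodUnits -ne 0) { $problems += 'Delta CRLs are still enabled' }
if ($caCfg.ValidityPeriod -ne 'Years' -or $caCfg.ValidityPeriodUnits -ne 40) {
    $problems += "ValidityPeriod is $($caCfg.ValidityPeriodUnits) $($caCfg.ValidityPeriod), expected 40 Years"
}

# 2. The CA's own certificate: self-signed, 4096-bit RSA, SHA-256 signature, ~40-year lifetime.
$caCert = Get-ChildItem Cert:\LocalMachine\My |
          Where-Object { $_.Subject -eq $_.Issuer -and $_.Subject -like "CN=$caName*" } |
          Select-Object -First 1
if (-not $caCert) { throw "CA certificate for $caName not found in LocalMachine\My" }
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($caCert)
if ($rsa.KeySize -ne 4096) { $problems += "Key size is $($rsa.KeySize), expected 4096" }
if ($caCert.SignatureAlgorithm.FriendlyName -ne 'sha256RSA') {
    $problems += "Signature algorithm is $($caCert.SignatureAlgorithm.FriendlyName), expected sha256RSA"
}
$years = ($caCert.NotAfter - $caCert.NotBefore).TotalDays / 365.25
if ([math]::Round($years) -ne 40) { $problems += "Validity is $([math]::Round($years, 1)) years, expected 40" }

# 3. CRL: written locally (the 1: location) and served over HTTP (the 2: location embedded in issued certs).
#    %3%8 expands to <CAName><CRLNameSuffix>; for the base CRL that is just "<CAName>.crl".
$crlFile = "$env:windir\System32\CertSrv\CertEnroll\$caName.crl"
$crlUrl  = "http://pki.lab.local/pki/$caName.crl"
if (-not (Test-Path $crlFile)) { $problems += "No CRL at $crlFile (run certutil -crl)" }
try {
    $resp = Invoke-WebRequest -Uri $crlUrl -UseBasicParsing -TimeoutSec 10
    if ($resp.Content.Length -eq 0) { $problems += "Empty response from $crlUrl" }
} catch {
    $problems += "CRL not reachable at $crlUrl ($($_.Exception.Message)); clients will fail revocation checks"
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { "CA $caName is configured as expected (4096-bit RSA, sha256RSA, 40 years, CRL reachable)" }
```

Run it from an elevated PowerShell window on the CA. The HTTP check is the one most often missed: the CA happily publishes into CertEnroll while nothing serves the URL that ends up in every issued certificate's CDP extension.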

Step 3: Creating A vCAC Specific Web Enrollment Template

Now, to be able to issue the correct type of certificates for vCAC (it has very specific requirements according to the docs) we need to create a new Certificate Template. This is done by launching the Certification Authority console on your issuing CA (in my case this is the Enterprise Root CA installed above).

Expand the Certification Authority tree and right click on Certificate Templates.  Now select Manage from the context menu.  This will open up the Certificate Templates Console. Scroll down the list and select Web Server. Right click and select Duplicate Template.  (Shown Below).

The properties window will be displayed. Leave the compatibility level at Windows Server 2003 and then select the General tab.

In the General tab give the template a name (I called mine VMware SSL Certificate). Make sure the Publish certificate in Active Directory check box is selected and that the validity periods are right for your environment (I don't want to bother replacing them so have set it long).

SnapCrab_NoName_2015-2-27_11-7-57_No-00Now select the Extensions tab, select Key Usage and ensure the options shown below are checked.SnapCrab_NoName_2015-2-27_11-10-3_No-00Click OK and then, still in the Extensions tab, select Application Policies and then Edit.  Click add and then select Client Authentication and then OK.

Click OK and close the Certificate Templates Console. The template is now stored in AD and available to publish.

Step 4: Publish The New Web Enrollment Template

Still logged on to your issuing CA with an account that has Domain Admin privileges, open the Certification Authority console and expand the tree as before. Right-click the Certificate Templates folder and select New > Certificate Template to Issue from the menu.

The Enable Certificate Templates window will appear. Scroll down, select the VMware SSL Certificate template created above and click OK.


The VMware SSL Certificate should then appear in the Certificate Templates folder.
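As an added example (not part of the original post, and not VMware's or Microsoft's code), the following PowerShell does Step 3's verification and Step 4's publication from the command line: it reads the duplicated template back from Active Directory, checks that it carries the two extended key usages the procedure is meant to produce (Server Authentication inherited from Web Server, Client Authentication added by hand), reports its validity period, and publishes it to the CA with the ADCSAdministration module's Add-CATemplate cmdlet. It assumes the template's Template name field (the LDAP CN, not the display name) is VMwareSSLCertificate and that it is run on the CA as an Enterprise Admin.

```powershell
# Added example: verify the duplicated template in AD and publish it to this CA.
# ASSUMPTION: 'VMwareSSLCertificate' is the template's "Template name" (its CN in AD), not its display name.
$templateName = 'VMwareSSLCertificate'

# Certificate templates live in the forest-wide Configuration naming context.
$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$dn = "CN=$templateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$template = [ADSI]"LDAP://$dn"
try { $null = $template.distinguishedName.Value } catch { throw "Template not found at $dn" }

# Required EKUs: Server Authentication (from the Web Server template) and Client Authentication (added).
$requiredEku = @{
    '1.3.6.1.5.5.7.3.1' = 'Server Authentication'
    '1.3.6.1.5.5.7.3.2' = 'Client Authentication'
}
$ekus = @($template.pKIExtendedKeyUsage.Value)
foreach ($oid in $requiredEku.Keys) {
    if ($ekus -notcontains $oid) {
        throw "Template '$templateName' is missing EKU $($requiredEku[$oid]) ($oid)"
    }
}

# pKIExpirationPeriod is stored as a negative little-endian Int64 count of 100-nanosecond ticks.
$ticks    = [BitConverter]::ToInt64([byte[]]$template.pKIExpirationPeriod.Value, 0)
$validity = [TimeSpan]::FromTicks(-$ticks)
"{0}: EKUs OK, validity period {1:N0} days" -f $templateName, $validity.TotalDays

# Publish (enable for issuance) on this CA; same effect as "Certificate Template to Issue" in the console.
Import-Module ADCSAdministration
if (Get-CATemplate | Where-Object { $_.Name -eq $templateName }) {
    "Template '$templateName' is already published on this CA"
} else {
    Add-CATemplate -Name $templateName -Force
    "Published '$templateName' on this CA"
}
```

Checking the EKUs before publishing matters because a template missing Client Authentication will still issue certificates without complaint; the failure only shows up later when a vCAC component tries to authenticate to another with it.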

Next up is installing OpenSSL. This will be continued in Part 3.
