Creating Microsoft CA templates for certificates in vSphere 6.0

vSphere 6 certificate implementation is much easier than vSphere 5.x thanks to a lot of changes made by VMware. I wrote a previous article on how to replace the Machine SSL certificate, use VMCA as a subordinate CA, and ESXi 6.0 certificate replacement. From my experience, a majority of our customers are using Microsoft for their internal Certificate Authority. One thing I wanted to document for everyone is how to properly create Microsoft CA templates to sign the Certificate Signing Requests (CSRs). There are a few different templates to create, depending on what certificates you are replacing.

Template for Machine SSL certificate

Note: You can use these same steps to create Solution User Endpoint Certificates.
Step 1. First, log into your CA server as an administrator and navigate to Start and type certmpl.msc This will open up the Certificate Templates Console where you can manage the various templates for which you sign your certificates.
Step 2. Next, you will clone a template to use, the one that most closely matches VMware’s requirements is the Web Server template. Right click on the template and select Duplicate Template. When prompted, you will select Windows Server 2003 enterprise. I noticed that when I clone a template as Windows 2008 it doesn’t show up when signing the certificate.
Step 3. Provide a Template display name. Then click on the Extensions tab.
Step 4. Click Application Policies then click Edit. Highlight Server Authentication and select Remove then hit OK.
Step 5. Select Key Usage then click Edit. Click the checkbox next to Signature is proof of origin (nonrepudiation) then hit OK.
Step 6. Click OK again to finish the template creation. You should now see a new template created. If you are not creating a template for VMCA as a subordinate CA, go ahead and skip to the very bottom to assign the templates for usage.

VMCA subordinate CA template

Step 1. Duplicate the Subordinate Certification Authority, and ensure to use a Windows 2003 template as in the previous section. Provide a Template Display Name and .. Important: make sure to check in Publish certificate in Active Directory
Step 2. Click on the Extensions tab and then edit Key Usage. Ensure Digital Signature, Certificate signing, CRL signing and Make this extensions critical are checked. By default, these should already be checked, but it’s important to confirm. Finally, go ahead and click OK to create the template.

Assign template for usage

Finally, you will need to assign these templates for use. This will need to be done for both the templates you have created. If you don’t do this step, you will not be presented with the templates you created as an option when signing the CSR files. To complete this step you will need to open the Certificate Server gui by navigating to Start and typing certsrv.msc. Once that is open, expand out the CA Server and right click Certificate Templates and select New -> Certificate Template to Issue.
Select the certificates that you created, then click OK. You are able to select multiple certificates so feel free to do them both in one step.

Posted by:

Sean Whitney


  1. Newsletter: May 30, 2015 | Notes from MWhite -  May 31, 2015 - 1:08 pm 122

    […] Microsoft CA Templates for certificates in vSphere 6 Another useful technical article from this new blog author.  If I understand things right – I am a neophyte in working with […]

  2. Joseph Green -  January 11, 2016 - 8:34 am 367

    Great blog, solid articles and research. I am subscribing.

  3. PeteLong -  May 26, 2016 - 4:30 am 486

    Hi Sean,

    If you forget to tick the publish in AD box, you can publish an issued certificate manually like so…

    certutil -dspublish -f C:\VC-01-SubCA.cer RootCA (or SubCA!)
    certutil –addstore –f root C:\VC-01-SubCA.cer


  4. Ravi Kumar Raj -  April 5, 2017 - 2:03 am 581

    The correct command should be “certtmpl.msc” instead of “certmpl.msc”.



Leave A Comment

Your email address will not be published. Required fields are marked (required):

Back to Top