VCF Certificate Authority Integration

If you have ever had to manually change the certificates in a vSphere environment, you’ll appreciate the automation VMware Cloud Foundation (VCF) provides. After connecting the VCF SDDC Manager to a Microsoft CA server, you are a few clicks away from being able to rotate the certificates for various VMware products.

Establishing the connection to the Microsoft CA server, however, requires that the Microsoft CA server is configured properly. Today, I’ll walk through the steps required to configure a Microsoft CA for use with VCF.

To begin, we’ll need a Microsoft Windows Server instance. I will use a Microsoft Windows Server 2016 instance for the examples and screenshots today. Other variations may differ slightly, but the overall process is similar.

Architecturally speaking, there are many different configurations one could have for their infrastructure components. For the purposes here, I will have a single MS Win2K16 server that I will configure to act as an AD server and a CA server. This suits my needs in my home lab.

Deploy the MS Win2K16 instance as you would normally. Of course, I’m going to use a virtual machine and I’ll call the instance ‘new-ad’.

Once deployed, assign a static IP address to the server. Change the system name so that it matches what you will have in your DNS. When you change the computer name, you’ll have to reboot the system. After this is performed, check that the system can resolve its FQDN and IP address.

 Now we can start adding the features that we will need. To start, I will add the Active Directory Domain Services feature. Go ahead and accept the defaults when it asks if you want to install the management tools as well.

After the feature has been installed, you will notice a message prompting you to configure the Active Directory Domain Services. Go ahead and start the configuration process.

In my case, I selected the option to create a new forest. Services for DNS were automatically selected for installation. In my lab, I already had a DNS server and I didn’t need to setup a delegation. As a result, I just accepted the warning messages and continued on.

Complete the AD DS configuration wizard and reboot the system. Once the system is back online, add the Certificate Authority feature.

When you add the Certificate Services, there are two important things to make sure you select. The first is that you want to ensure that you add both the Certificate Authority and the Certificate Authority Web Enrollment roles. The later will prompt you to also install IIS, which will provide the web front end to the CA.

The second is that you need to ensure Basic Authentication is selected. This is one of the most commonly overlooked steps when configuring a MS CA server for use with VCF.

Complete the wizard and wait for the service to be successfully installed. Notice that you can start the CA configuration at this time.

The configuration of the CA is pretty straight forward. Two things to keep in mind here:

  • Select the option to install as a Enterprise CA
  • Select the option to make this the root CA

This is what the review screen looked like in my environment:

At this point, you need to verify that you can access the CA web page. Using a browser, go to http://<CA server FQDN>/certsrv

You should see a page like this:

If you don’t see this page, you need to resolve this before you continue. For example, in my setup, I wanted to use a different DNS server. However, during the installation of the DNS service the DNS servers specified for my network connection were replaced with Hence, resolution of the name on the local server wouldn’t work.

Once you have verified that you have things working to this point, we now need to create a template to be used. The process for doing this is documented in KB Article 2112009, specifically the section entitled: Creating a new template for vSphere 6.x to use for Machine SSL and Solution User certificates

I will deviate only slightly from these instructions and will call the template ‘VMware’. Make sure you not only follow the steps to create the template, but also to activate the certificate.

When you finish, you should see the VMware template listed under the Certificate Templates using the certsrv.msc as shown below:

Now that the template is ready, we have to enable Basic Authentication in order for the SDDC Manager to successfully connect to the CA server. To do this, start the Internet Information Services (IIS) Manager. Drill down on the left-hand side to the CertSrv under the Default Web Site. Double click on Authentication and look at the status for Basic Authentication. It should so as ‘Disabled’ at this time. Go ahead and enable it and verify that the status changes to ‘Enabled’.

At this point, all the needed configuration on the Microsoft side is completed. Now we just need to configure the SDDC Manager. Login to the SDDC Manager and navigate to the Security -> Certificate Management page.

Here you will Edit the properties and enter in all the required information. Once you select ‘Save’ you will see a green bar that informs you that the CA configuration was successfully saved.

If you do not see this, check the /var/log/vmware/vcf/operationsmanager/operationsmanager.log file to get more information about what the issue may be.

Now you can follow the process to replace the certificates through the SDDC Manager. Before you begin, you might want to look at the simulator at This steps you through the process for replacing the certificates.