Configure Microsoft CA Templates for VMware with SHA2-256

Now that I have finished my rant, I will show you how to successfully configure a template for VMware certificates.

For this you need a 2008 or later Microsoft Certificate Authority installed and ready to go.

This is the VMware KB, and it is incomplete: VMware KB: 2112009

Open the Certificate Authority snap-in.

Right click on Certificate Templates and click Manage.

Right click on Web Server and click Duplicate.


Enter the names for the template.

Select Windows 2008 for both options. (The KB is not specific about this.)

Check the box for Allow private key to be exported. (Not in the KB at all)

You need this if you are doing your CSRs through IIS since you will need the key.




Select Application Policies and click Edit.

Remove anything that is listed here.

With no application policies listed, the certificate is enabled for ALL purposes.

Click OK.

Select Key Usage and click Edit.

Check the box for Signature is proof of origin.

Check the box for Allow encryption of user data. (Not in the KB at all)

Click OK.

Leave the security settings at their defaults unless you have different security in your environment.


Make sure Supply in the request is selected.



Now you have a template that will work perfectly with SHA2-256. Note: SHA2 higher than 256 is not supported by VMware as far as I can tell.
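
To confirm that a certificate issued from this template matches the settings above, the following PowerShell check reads an exported .cer file and reports the signature hash, the key usage bits and whether any application policy restricts it. It is an added example, not from the original post or the VMware KB; the function name and file path are hypothetical, and it assumes the Web Server template's default Digital Signature and Key Encipherment bits were left enabled.

```powershell
# Added example: audit a certificate issued from the duplicated Web Server template.
# Test-VMwareTemplateCert and the sample file name below are hypothetical.
function Test-VMwareTemplateCert {
    param([Parameter(Mandatory)][string]$Path)

    $full = (Resolve-Path -LiteralPath $Path).Path
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($full)

    # SHA-256 signature OIDs: sha256WithRSAEncryption and ecdsa-with-SHA256.
    $sha256Oids = '1.2.840.113549.1.1.11', '1.2.840.10045.4.3.2'

    $ku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    # Microsoft "Application Policies" extension, written by the CA alongside EKU.
    $appPol = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.10' }

    # "Signature is proof of origin" = NonRepudiation,
    # "Allow encryption of user data" = DataEncipherment.
    # DigitalSignature and KeyEncipherment are assumed template defaults.
    $expected = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags](
        'DigitalSignature, NonRepudiation, KeyEncipherment, DataEncipherment')
    $actual = if ($ku) { $ku.KeyUsages } else {
        [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::None }

    [pscustomobject]@{
        Subject            = $cert.Subject
        SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName
        IsSha256           = $sha256Oids -contains $cert.SignatureAlgorithm.Value
        KeyUsages          = $actual
        HasExpectedUsages  = ($actual -band $expected) -eq $expected
        # True when neither EKU nor Application Policies is present (all purposes).
        NoPurposeLimit     = (-not $eku) -and (-not $appPol)
    }
}

# Usage (constructed file name):
# Test-VMwareTemplateCert -Path .\vcenter.cer | Format-List
```

Because the template removes every application policy and takes the subject from the request, `NoPurposeLimit` returning `True` is the expected result here, and it is also the reason to keep enrollment rights on this template limited to the accounts that issue VMware certificates.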

