Updated: Here is the link to actually configure the certificates: Configure Microsoft CA Templates for VMware with SHA2-256
Now I realize that certificates are good and great and they keep our stuff from flying around the web in clear text, but I hate them and I also hate doing them for VMware.
Basically every KB article that VMware has for certificates just sucks. I have tried to get them updated and I have had no luck.
All of the articles are happy go lucky if you are on Windows 2003 with SHA1 in the most insecure environment ever, but I’m not.
This is what I have:
Windows 2012R2 AD controllers
Windows 2012R2 CA with SHA2 256 with a 2048 bit key
This is the KB I used: VMware KB: 2112009
First of all, the video they included in the KB doesn’t match the god damn instructions. It just tells you to select “Windows 2008 Enterprise” for backwards compatibility.
Well guess what…the article references both Windows 2003 enterprise and Windows 2008 enterprise. Neither of those are real options. Its Windows XP/2003 or Windows 2008.
They are also referencing the CA OS only. What about the certificate recipient?! Is everything VMware just backwards compatible with 2003? Well that doesn’t seem secure at all.
Next the article goes on to say this: Note: If you have an encryption level higher than SHA1, select Windows Server 2008 Enterprise.
Oh really? Well it didn’t work for me. Also there are two options. The certificate authority and the certificate recipient. WHICH ONE ARE YOU TALKING ABOUT?
Jesus…Yeah I’m kind of mad. VMware needs some QA on their articles for sure.
Now I will admit…I probably don’t know as much about CAs and Certs that I should, but KB articles are for the uninformed people aka Knowledge Base. Not the people who know everything.
I have actually resolved the issue and I have posted a link at the top of this article.