How to Configure vSphere Certificates with Windows Server 2022 CA Integration

In modern IT environments, securing VMware vSphere environments with trusted certificates is essential to avoid browser warnings, ensure encryption, and meet compliance. This blog will guide you step-by-step on how to configure vSphere certificates by integrating VMware vCenter Server with a Windows Server 2022 Certificate Authority (CA).

Whether you’re running vCenter 7.x or 8.x, this guide is designed for system administrators who are looking to replace self-signed certificates with those issued by an internal Microsoft CA.

Why Replace Default vSphere Certificates?

Out of the box, vSphere uses self-signed SSL certificates, which:

• Trigger browser security warnings.
• May not comply with internal enterprise security policies.
• Can lead to trust issues in automated scripts or integrations.

Replacing them with CA-signed certificates from Windows Server 2022 ensures:

• Trust across internal endpoints.
• Improved security posture.
• Enhanced automation and service reliability.

🛠️ Prerequisites

Before we begin, make sure the following is ready:

• ✅ vCenter Server 7.x or 8.x
• ✅ Windows Server 2022 with the Active Directory Certificate Services role installed
• ✅ Enterprise or Standalone CA configured
• ✅ Administrative access to both Windows Server and vCenter
• ✅ OpenSSL installed (optional, for CSR creation)

🧾 Step 1: Configure the Windows Server 2022 CA

Install Certificate Services

• Open Server Manager → Add Roles → Select Certification Authority
  This means:
  • On your Windows Server, open the Server Manager.
  • Choose Add Roles and Features to add new server roles.
  • Select Active Directory Certificate Services (AD CS), specifically the Certification Authority role. This role lets your server act as a CA to issue digital certificates.
• Choose Enterprise CA → Root CA
  When installing the CA role, you have choices:
  • Enterprise CA: Integrates with Active Directory, good for internal company use.
  • Standalone CA: Not integrated with AD, more manual.
  • Root CA: The top-level CA that signs all certificates in your internal hierarchy.

So here, you’re installing an Enterprise Root CA — your own internal trusted authority.

2. Configure Certificate Templates

Open certtmpl.msc
This launches the Certificate Templates Console, where you manage templates for different kinds of certificates.

Duplicate the Web Server template
The Web Server template is a default template used for SSL certificates (for HTTPS websites).
You duplicate it because you want a customized version (without changing the default one).

Name it vSphere-SSL
Give your new template a clear name so it’s easy to identify—here, for vSphere SSL certificates.

Allow the following:

Subject Name: Supply in request
This setting means the entity requesting the certificate (e.g., a vSphere server) provides the subject name (like the domain name) when requesting the certificate, instead of the CA auto-generating it.

Allow Client Authentication and Server Authentication
These are key usage flags that specify the certificate can be used both for:

• Server Authentication (like securing HTTPS connections)
• Client Authentication (for clients that need to authenticate themselves to servers)

• Publish the template in the CA
  After creating the new template, you must make it available on the CA server so it can be issued.

3. Ensure Web Enrollment is Installed (optional but useful for testing CSR)

• Web Enrollment is a feature you can add to your CA that provides a web interface for users or admins to submit Certificate Signing Requests (CSRs) and download issued certificates.
• It’s optional, but very useful if you want to manually test certificate requests through a browser rather than command-line or scripting.

🧾 Step 2: Generate a Certificate Signing Request (CSR) from vCenter

Step-by-step explanation:

Log in to the vCenter VAMI interface

• You open a web browser and go to:
  https://<vcenter-IP>:5480
  where <vcenter-IP> is the IP address of your vCenter Server.
• VAMI stands for vCenter Appliance Management Interface. It’s a special web interface for managing vCenter appliance settings, separate from the main vSphere Client.

Go to TLS Certificate → Select Generate CSR

• Inside the VAMI interface, look for a section related to TLS Certificate management.
• Choose the option to Generate CSR — this starts the process to create a Certificate Signing Request.

Enter the required information When generating a CSR, you have to provide details that will be part of the certificate:

• Common Name (CN): This is the fully qualified domain name (FQDN) that clients will use to connect to your vCenter.
  Example: vcenter.vmorecloud.com
• Organization (O): Your company’s legal name.
• Organizational Unit (OU): The department or division within your organization.
• Country (C): The two-letter country code (like US, IN, GB).

These fields ensure the certificate properly identifies your organization and vCenter server.

Save the CSR file to your machine

• Once generated, the CSR will be a file (usually .csr or .pem).
• Download and save this file locally.
• You will send this CSR to a CA (either your internal CA or a public CA) to get a signed SSL certificate.

Why do this?

Your vCenter server needs an SSL certificate to secure HTTPS communication. The CSR is the request you send to the CA to get this certificate issued.

🧾 Step 3: Submit CSR to Windows Server 2022 CA

1. Log in to the Windows Server 2022 CA web portal:
   http://<CA-Server-Name>/certsrv
2. Click Request a Certificate → Advanced Certificate Request.
3. Choose:
   • Submit a base64-encoded CSR
   • Select the template: vSphere-SSL
4. Download the issued certificate in Base64 format along with the CA root chain if needed.

🧾 Step 4: Import the Signed Certificate into vCenter

1. Go back to the vCenter VAMI interface (https://<vcenter-IP>:5480).
2. Choose Import Certificate.
3. Upload:
   • Signed Certificate
   • Private Key (if requested)
   • Root and Intermediate CA chain
4. Click Apply and Restart Services.

🧪 Step 5: Verify Certificate Installation

• Open your browser and access your vCenter using its FQDN:
  https://vcenter.yourdomain.com
• Click on the padlock icon to inspect the certificate:
  • Issuer: Windows Server 2022 CA
  • Valid for: 1 year (or based on your CA template)
  • No browser warnings

✅ Best Practices

• 🔁 Schedule automatic certificate renewals if using SCEP or similar.
• 🔒 Use strong key sizes (2048-bit or higher).
• 🔄 Regularly backup your CA and vCenter configurations.
• 👥 Maintain centralized documentation for issued certs and expiration dates.

🏁 Conclusion

You’ve now successfully configured vSphere SSL certificates using Windows Server 2022 Certificate Authority. This improves not only your vCenter’s security posture but also removes trust issues across your VMware infrastructure.

Replacing default vSphere certificates is a critical step in achieving a secure and enterprise-compliant vSphere environment.

80%

Awesome

• Design