Whilst working with VMware Cloud Foundation recently I wanted to implement an additional level of security around the process of certificate management. For those that don’t know, in the current release, in order to integrate SDDC Manager with your Microsoft Certificate Authority you have to enable basic authentication (see PowerVCF – Configure the Microsoft Certificate Authority for VMware Cloud Foundation Integration (Part 1)). On reviewing the official documentation I found nothing explaining the minimum permissions required, i.e. what least-privilege access looks like for the account SDDC Manager uses, so I set about trying to figure it out.
What I found is that it is indeed possible, but the permissions have to be set in two specific locations:
- Microsoft Certificate Authority Server
- Microsoft Certificate Authority Template
Let’s now take a look at what you need to do. In this example I’m using a dedicated service account called svc-mgr-ca, which is just a Domain User with no other group membership.
- Log in to the Microsoft Certificate Authority server by using a Remote Desktop Protocol (RDP) client.
- Configure least privilege access for svc-mgr-ca on the Microsoft Certificate Authority.
  - Click Start > Run, enter certsrv.msc, and click OK.
  - Right-click the certificate authority and click Properties.
  - Click the Security tab, and click Add.
  - Enter the svc-mgr-ca service account and click OK.
  - In the Permissions for svc-mgr-ca section configure the following permissions and click OK.

  [Screenshot: Permissions for svc-mgr-ca on the certificate authority]

- Configure least privilege access for svc-mgr-ca on the Microsoft Certificate Authority Template.
  - Click Start > Run, enter certtmpl.msc, and click OK.
  - Right-click the VMware template and click Properties.
  - Click the Security tab, and click Add.
  - Enter the svc-mgr-ca service account and click OK.
  - In the Permissions for svc-mgr-ca section configure the following permissions and click OK.

  [Screenshot: Permissions for svc-mgr-ca on the VMware certificate template]

Now you should be able to configure SDDC Manager to use the svc-mgr-ca service account and perform all certificate operations.
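Because the GUI steps above leave no record of what was actually granted, it is worth having a repeatable check that the service account still holds only what it needs on the template and nothing that would let it change the template itself. The script below is an added example, not part of the original post or of VMware's tooling: it reads the template's ACL from the Configuration partition of Active Directory and reports each ACE that applies to the account, flagging any write-level rights. It assumes a domain-joined host with the RSAT ActiveDirectory module and read access to the Configuration partition; the template name VMware and the account svc-mgr-ca come from the post, while the EXAMPLE domain is a placeholder.

```powershell
# Added example (not from the original post): report the ACEs a service account holds
# on an AD CS certificate template so the least-privilege result of the GUI steps can be
# verified now and re-checked later. Assumes the RSAT ActiveDirectory module on a
# domain-joined host. "VMware" and "svc-mgr-ca" are from the post; "EXAMPLE" is a placeholder.

Import-Module ActiveDirectory

# Well-known schema GUIDs for the extended rights exposed on certificate templates.
$EnrollRight     = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$AutoEnrollRight = [Guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment

# Rights beyond Read + Enroll that would let the account alter or replace the template.
# (GenericAll is deliberately not listed: it overlaps the read bits and would false-positive.)
$ExcessiveMask = [System.DirectoryServices.ActiveDirectoryRights]'WriteDacl, WriteOwner, WriteProperty, Delete, CreateChild, DeleteChild'

function Get-TemplateAceReport {
    param(
        [Parameter(Mandatory)] [string]$TemplateName,
        [Parameter(Mandatory)] [string]$Identity      # e.g. 'EXAMPLE\svc-mgr-ca' (placeholder domain)
    )
    # Templates are stored in the Configuration naming context under Public Key Services.
    $configNc   = (Get-ADRootDSE).configurationNamingContext
    $templateDn = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"

    $acl = Get-Acl -Path "AD:\$templateDn"
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -ine $Identity) { continue }
        [pscustomobject]@{
            Template   = $TemplateName
            Identity   = $ace.IdentityReference.Value
            Type       = $ace.AccessControlType              # Allow / Deny
            Rights     = $ace.ActiveDirectoryRights
            Enroll     = ($ace.ObjectType -eq $EnrollRight)
            AutoEnroll = ($ace.ObjectType -eq $AutoEnrollRight)
            # Any bit from the mask means the account could rewrite the template.
            Excessive  = ((([int]$ace.ActiveDirectoryRights) -band ([int]$ExcessiveMask)) -ne 0)
            Inherited  = $ace.IsInherited
        }
    }
}

# Usage: list what svc-mgr-ca holds on the VMware template and warn on anything
# beyond the Read and Enroll rights that certificate enrollment requires.
$report = Get-TemplateAceReport -TemplateName 'VMware' -Identity 'EXAMPLE\svc-mgr-ca'
$report | Format-Table -AutoSize
if ($report | Where-Object Excessive) {
    Write-Warning 'svc-mgr-ca holds write-level rights on the template; review the Security tab.'
}
```

Run it once right after completing the template steps to capture a baseline, and again whenever the template is edited; an ACE showing Enroll = True with Excessive = False and no unexpected inherited entries is what you want to see. The CA-level permissions from the first block of steps are kept in the CA's own security descriptor rather than in AD, so this script does not cover them; check those separately in certsrv.msc.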
If you would like to learn more about VMware Cloud Foundation check out these links: