Creating a Service Account for Certificate Management with VMware Cloud Foundation

Whilst working with VMware Cloud Foundation recently I wanted to add a further level of security around the certificate management process. For those that don’t know, in the current release, integrating SDDC Manager with your Microsoft Certificate Authority requires enabling basic authentication (see PowerVCF – Configure the Microsoft Certificate Authority for VMware Cloud Foundation Integration (Part 1)). On reviewing the official documentation I found nothing that explained the minimum permissions the integration actually needs, i.e. what least privilege access looks like here, so I set about figuring it out.

What I found is that it is indeed possible but it has to be done in two specific locations as follows:

  • Microsoft Certificate Authority Server
  • Microsoft Certificate Authority Template

Let’s now take a look at what you need to do. In this example I’m using a dedicated service account called svc-mgr-ca which is just a Domain User.

  • Log in to the Microsoft Certificate Authority server by using a Remote Desktop Protocol (RDP) client.
  • Configure least privilege access for svc-mgr-ca on the Microsoft Certificate Authority.
    • Click Start > Run, enter certsrv.msc, and click OK.
    • Right-click the certificate authority and click Properties.
    • Click the Security tab, and click Add.
    • Enter the svc-mgr-ca service account and click OK.
    • In the Permissions for svc-mgr-ca section configure the following permissions and click OK.
  • Configure least privilege access for svc-mgr-ca on the Microsoft Certificate Authority Template.
    • Click Start > Run, enter certtmpl.msc, and click OK.
    • Right-click the VMware template and click Properties.
    • Click the Security tab, and click Add.
    • Enter the svc-mgr-ca service account and click OK.
    • In the Permissions for svc-mgr-ca section configure the following permissions and click OK.
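Once the two Security tabs have been set, it is worth confirming from the CA server that the service account ended up with exactly the rights you intended on both objects, and nothing more. The script below is an added example and not part of the original post or of PowerVCF: it reads the CA's own security descriptor from the registry and the template's ACL from Active Directory and lists every ACE granted to the account. It assumes it is run on the CA server with the ActiveDirectory RSAT module installed, that the account is `svc-mgr-ca` (the domain name `RAINPOLE` is a placeholder), and that the template's common name in AD is `VMware`, which is an assumption based on the template name used above.

```powershell
# Added example (not from the original post): audit which rights a
# certificate-management service account holds on (1) the CA itself and
# (2) one certificate template, so the GUI steps above can be verified.
# Assumptions: run on the CA server; ActiveDirectory RSAT module present;
# RAINPOLE is a placeholder domain; the template CN is "VMware".
param(
    [string]$Account      = 'RAINPOLE\svc-mgr-ca',
    [string]$TemplateName = 'VMware'
)

# Access-mask bits used in the CA security descriptor (certca.h CA_ACCESS_*),
# as shown on the CA Properties > Security tab.
$CaRights = @{
    0x001 = 'Manage CA'
    0x002 = 'Issue and Manage Certificates'
    0x004 = 'Auditor'
    0x008 = 'Backup Operator'
    0x100 = 'Read'
    0x200 = 'Request Certificates'
}

# Extended-right GUIDs on pKICertificateTemplate objects, as shown on the
# template Properties > Security tab.
$TemplateRights = @{
    '0e10c968-78fb-11d2-90d4-00c04f79dc55' = 'Enroll'
    'a05b8cc2-17bc-00d2-a0e7-00c04f79dc55' = 'Autoenroll'
}

function Get-CaAcesForAccount {
    param([string]$Account)
    # The CA keeps its ACL as a binary security descriptor under the
    # configuration key of the active CA instance.
    $cfgKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $cfgKey).Active
    $bytes  = (Get-ItemProperty -Path "$cfgKey\$caName").Security
    $sd     = [System.Security.AccessControl.RawSecurityDescriptor]::new($bytes, 0)
    $sid    = ([System.Security.Principal.NTAccount]$Account).Translate(
                  [System.Security.Principal.SecurityIdentifier])

    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.SecurityIdentifier -ne $sid) { continue }
        $names = $CaRights.Keys |
            Where-Object { $ace.AccessMask -band $_ } |
            ForEach-Object { $CaRights[$_] }
        [pscustomobject]@{
            Object = "CA: $caName"
            Type   = $ace.AceType
            Rights = ($names -join ', ')
        }
    }
}

function Get-TemplateAcesForAccount {
    param([string]$Account, [string]$TemplateName)
    Import-Module ActiveDirectory
    # Templates live in the forest configuration partition.
    $cfgNc = (Get-ADRootDSE).configurationNamingContext
    $dn    = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfgNc"
    $acl   = Get-Acl -Path "AD:\$dn"

    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -ne $Account) { continue }
        $guid = $ace.ObjectType.ToString()
        # Object-specific ACEs name an extended right; generic ACEs carry
        # plain AD rights such as Read or WriteDacl.
        $rights = if ($TemplateRights.ContainsKey($guid)) { $TemplateRights[$guid] }
                  else { $ace.ActiveDirectoryRights.ToString() }
        [pscustomobject]@{
            Object = "Template: $TemplateName"
            Type   = $ace.AccessControlType
            Rights = $rights
        }
    }
}

# Anything listed here that is not Read/Request Certificates on the CA or
# Read/Enroll on the template is more than the integration needs.
@(
    Get-CaAcesForAccount -Account $Account
    Get-TemplateAcesForAccount -Account $Account -TemplateName $TemplateName
) | Format-Table -AutoSize
```

Run it as a CA administrator after completing the steps above; an empty result for either object means the account was added to the wrong place, and any ACE beyond the ones you granted in the GUI (inherited group membership is a common cause) is worth chasing before handing the account to SDDC Manager. Re-running it periodically is a cheap check for permission drift on an account that holds a basic-auth credential.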

Now you should be able to configure SDDC Manager to use the svc-mgr-ca service account and perform all certificate operations.

If you would like to learn more about VMware Cloud Foundation check out these links:
