Category: Certificate Template


Greetings, today we are going to modify the Default Domain Policy Group Policy Object to set domain member computers to automatically request a machine certificate.

This assumes you already have a Domain and Certificate Services set up and ready to use for this. If you still need to set up your domain or certificate services, please refer to my other posts for steps to do so.

Click start and type Group and then select Group Policy Management

Expand Forest, Domains, lab, then right-click Default Domain Policy then select Edit

Expand Computer Configuration, Policies, Windows Settings, Security Settings, then click on Public Key Policies

Double-click on Certificate Services Client – Certificate Enrollment Policy. Change Configuration model from Not Configured to Enabled. Leave the defaults and select OK

Double-click Certificate Services Client – Auto-Enrollment and change Configuration Model from Not Configured to Enabled. Then check the Renew expired certificates and Update certificates check boxes. Select OK

Go to a server you can test with, right-click start, then select Windows PowerShell (admin)

Type in “gpupdate /force” and hit enter

Click start and type in certlm.msc, then select the result

Expand Personal, then Certificates. You should now see the appropriate certs for your system.

Congrats, you now have a default setup to get certs out to your clients. Have a good one.

Greetings, this time we are going to be creating a Certificate Template for VMware Certificate Authority (VMCA). This would allow you to use VMCA to issue certificates for your VMware environment.

This is based on the following article:

Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere

Open Certificate Authority

Select Certificate Authority

Create Certificate Template

Expand Root-CA01, then right-click Certificate Templates and select Manage

Find and right-click the Subordinate Certification Authority, then select Duplicate Template

Change Certification Authority to Windows Server 2012 and Certificate Recipient to Windows 7/Server 2008 R2

Go to the General Tab and enter your preferred name for the Template. I would recommend a name that indicates its purpose.

Also select Publish certificate in Active Directory

Go to the Extensions tab, select Basic Constraints, click Edit and make sure that Make this extension critical is enabled. Select OK if changes were made, choose cancel if not.

Go down to Key Usage, click Edit and verify that Digital signature, Certificate signing, and CRL signing are all enabled. Also check to make sure Make this extension critical is enabled as well.

Click OK if changes were made, cancel if not.

Select OK

Authorize Template to be issued

Go back to Certificate Management, right-click Certificate Templates, hover over New, and Select Certificate Template to Issue

Scroll down to VMware VMCA (or whatever it may have been named) and select OK

Note: This is a Subordinate Certification Authority level template. Guard usage of this template very carefully, as misuse or unintended issuance can cause significant issues if control of it is lost.

Now you have your certificate template to issue certs from VMware Certificate Authority. Have a good one.
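To act on the note above, it helps to see exactly who is allowed to enroll in the new template. The read-only PowerShell check below is an added example, not part of the original post; it assumes a domain-joined machine, an account that can read the Configuration partition, and the template display name VMware VMCA.

```powershell
# Added example: list who can enroll in or modify a certificate template (read-only).
param(
    # Assumption: the display name entered on the General tab of the template.
    [string]$TemplateDisplayName = 'VMware VMCA'
)

# Extended-right GUIDs that Active Directory uses for certificate enrollment.
$enrollRights = @{
    '0e10c968-78fb-11d2-90d4-00c04f79dc55' = 'Enroll'
    'a05b8cc2-17bc-4802-a710-e7c15ab866a2' = 'AutoEnroll'
}
$allRights = [guid]::Empty.ToString()   # empty ObjectType = every extended right
$adr       = [System.DirectoryServices.ActiveDirectoryRights]
$writeMask = $adr::GenericAll -bor $adr::WriteDacl -bor $adr::WriteOwner -bor $adr::WriteProperty

# Certificate templates are stored in the forest's Configuration partition.
$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$base     = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$searcher        = New-Object System.DirectoryServices.DirectorySearcher($base)
$searcher.Filter = "(&(objectClass=pKICertificateTemplate)(displayName=$TemplateDisplayName))"
$result          = $searcher.FindOne()
if (-not $result) { throw "Template '$TemplateDisplayName' not found." }
$template = $result.GetDirectoryEntry()

# msPKI-Enrollment-Flag bit 0x2 means requests wait for CA certificate manager approval.
$flag = [int]$template.Properties['msPKI-Enrollment-Flag'].Value
'Manager approval required: {0}' -f [bool]($flag -band 0x2)

# Report every Allow ACE that grants enrollment or lets the holder change the template.
$template.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
    Where-Object { $_.AccessControlType -eq 'Allow' } |
    ForEach-Object {
        $type   = $_.ObjectType.ToString()
        $grants = @()
        if ($_.ActiveDirectoryRights -band $adr::ExtendedRight) {
            if ($type -eq $allRights)          { $grants += 'Enroll', 'AutoEnroll' }
            elseif ($enrollRights[$type])      { $grants += $enrollRights[$type] }
        }
        if ($_.ActiveDirectoryRights -band $writeMask) { $grants += 'ModifyTemplate' }
        if ($grants) {
            [pscustomobject]@{
                Identity = $_.IdentityReference.Value
                Grants   = ($grants | Select-Object -Unique) -join ', '
            }
        }
    } | Sort-Object Identity | Format-Table -AutoSize
```

Any identity in the output beyond the accounts you intend to operate the VMCA enrollment is worth removing on the template's Security tab.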

Greetings, this time we are going to be creating a Certificate Template for VMware services.

This is based on the following article:

Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere

Open Certificate Authority

Select Certificate Authority

Expand Root-CA01, then right-click Certificate Templates and select Manage

Right-click Web Server and select Duplicate Template

Change these settings to match the above, CA as 2012 and Recipient as 7/2008 R2

On the General tab, change the Template display name to whatever you want. I am using VMware

On the Extensions tab, make sure Application Policies is selected and select Edit

Select Server Authentication and select Remove

Select OK

Select Basic Constraints and select Edit

Check Enable this extension and select OK

Select Key Usage and Select Edit

Check the Signature is proof of origin (nonrepudiation) and leave the rest as default. Select OK

Go to the Subject Name tab and make sure Supply in the request is selected. Select OK.

Now that the new VMware certificate template exists, close this window.

Back on the main CA window, right-click Certificate Template, hover over New, and select Certificate Template to issue

Scroll down until you see your template. Click it and select OK

You now have the VMware certificate available to issue as needed. Enjoy and have a good day.