Creating a Service Account for Certificate Management with VMware Cloud Foundation

Whilst working with VMware Cloud Foundation recently, I wanted to implement an additional level of security around the process of certificate management. For those that don't know, in the current release, in order to integrate SDDC Manager with your Microsoft Certificate Authority you have to enable basic authentication (see PowerVCF – Configure the Microsoft Certificate Authority for VMware Cloud Foundation Integration (Part 1)). On reviewing the official documentation I found nothing to explain the minimum requirements as they relate to least privilege access, so I set about trying to figure it out.

What I found is that it is indeed possible, but it has to be done in two specific locations: on the Certificate Authority itself and on the certificate template that SDDC Manager requests against.

Let's now take a look at what you need to do. In this example I'm using a dedicated service account called svc-mgr-ca, which is just a Domain User.

Configure Microsoft Certificate Authority Server

  • Log in to the Microsoft Certificate Authority server by using a Remote Desktop Protocol (RDP) client.
  • Configure least privilege access for svc-mgr-ca on the Microsoft Certificate Authority.
    • Click Start > Run, enter certsrv.msc, and click OK.
    • Right-click the certificate authority and click Properties.
    • Click the Security tab, and click Add.
    • Enter the svc-mgr-ca service account and click OK.
    • In the Permissions for svc-mgr-ca section configure the following permissions and click OK.

Configure Microsoft Certificate Authority Template

  • Configure least privilege access for svc-mgr-ca on the Microsoft Certificate Authority Template.
    • Click Start > Run, enter certtmpl.msc, and click OK.
    • Right-click the VMware template and click Properties.
    • Click the Security tab, and click Add.
    • Enter the svc-mgr-ca service account and click OK.
    • In the Permissions for svc-mgr-ca section configure the following permissions and click OK.

Now you should be able to configure SDDC Manager to use the svc-mgr-ca service account and perform all certificate operations.
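Once the two Security tabs have been configured, it is worth confirming what the service account actually ended up with. The PowerShell below is an added example (not from the original post or from VMware) that reads the ACL of the certificate template from Active Directory and lists every access control entry granted to svc-mgr-ca, decoding the Enroll and Autoenroll extended rights by their GUIDs. It assumes the RSAT ActiveDirectory module is installed (it provides the AD: drive) and that the template's common name is VMware; adjust both to match your environment.

```powershell
# Added example: report the rights svc-mgr-ca holds on the VMware certificate
# template so the least-privilege configuration can be verified after the fact.
# Assumes the ActiveDirectory module (RSAT) is available and the template CN is "VMware".
Import-Module ActiveDirectory

$account      = 'svc-mgr-ca'   # service account from the post
$templateName = 'VMware'       # template common name (assumed; adjust as needed)

# Well-known GUIDs of the extended rights that certificate templates carry
$extendedRights = @{
    '0e10c968-78fb-11d2-90d4-00c04f79dc55' = 'Enroll'
    'a05b8cc2-17bc-4802-a710-e7c15ab866a2' = 'Autoenroll'
}

# Templates live in the Configuration naming context of the forest
$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=$templateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$acl = Get-Acl -Path "AD:\$templateDN"

# Keep only the ACEs whose trustee is the service account (with or without DOMAIN\ prefix)
$aces = $acl.Access | Where-Object { $_.IdentityReference.Value -match "(^|\\)$account$" }

if (-not $aces) {
    Write-Warning "No ACEs for $account found on template $templateName"
}

foreach ($ace in $aces) {
    $guid = $ace.ObjectType.ToString()
    # For ExtendedRight entries the specific right is identified by ObjectType;
    # an empty GUID means every extended right, which is broader than Enroll alone.
    $right = if ($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) {
        if ($extendedRights.ContainsKey($guid)) { $extendedRights[$guid] }
        elseif ($guid -eq [Guid]::Empty.ToString()) { 'All extended rights' }
        else { "ExtendedRight $guid" }
    } else {
        $ace.ActiveDirectoryRights.ToString()
    }
    [PSCustomObject]@{
        Identity = $ace.IdentityReference.Value
        Type     = $ace.AccessControlType   # Allow / Deny
        Right    = $right
    }
}
```

The permissions set on the Certificate Authority itself (the first of the two locations) are stored in the CA's own security descriptor rather than in Active Directory, so they are not covered by this script and need to be reviewed separately in certsrv.msc.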
