In a VMware Horizon for View environment (VMware’s VDI solution), View Connection servers are an important client facing component. A View Connection Server acts as a broker for client connections and for that reason VMware highly recommends that you replace the default SSL certificates which are generated during the installation of the Connection servers.
To help you with this job, VMware has a lot of useful documentation available, like:
- Horizon View Installation Guide, chapter 6 “Configuring SSL certificates for View Servers”, discusses many aspects related to configuring SSL certificates.
- Detailed information about obtaining SSL certificates from a CA can be found in Scenarios for Setting Up SSL Certificates for View.
For each View Connection server you should perform these basic tasks for setting up SSL Certificates:
- Generate a Certificate Signing Request
- Request a signed Certificate from a CA
- Import the signed Certificate
- Set up the imported Certificate for a View server
- Import Certificates on other View Servers
In the next sections I will show you the steps and some tips to step over some of the caveats.
Generate a Certificate Signing Request
We need to create a Certificate Signing Request (CSR) for the environment; the certificate should be named something like: “workspace.company.com”.
On a View Connection Servers, create a request.inf file. Replace the CN with “workspace.company.com” and adjust the other subject attributes. Make sure the KeyLength is at least 2048 and save the file as request.inf in a new folder c:\certificates.
;----------------- request.inf ----------------- [Version] Signature="$Windows NT$ [NewRequest] Subject = "CN=View_Server_FQDN, OU=Organizational_Unit, O=Organization, L=City, S=State, C=Country" KeySpec = KeyLength = 2048 Exportable = TRUE MachineKeySet = TRUE SMIME = False PrivateKeyArchive = FALSE UserProtected = FALSE UseExistingKeySet = FALSE ProviderName = "Microsoft RSA SChannel Cryptographic Provider" ProviderType = 12 RequestType = PKCS10 KeyUsage = 0xa0 [EnhancedKeyUsageExtension] OID=22.214.171.124.126.96.36.199.1 ; this is for Server Authentication ;-----------------------------------------------
Open a command prompt, cd to the folder c:\certificates and run the following command:
> certreq -new request.inf certreq.txt
Request a signed Certificate from a CA
Procedures requesting a signed certificate may differ. Ultimately, you will receive the requested signed certificate file (.crt file), the accompanying root certificate and if applicable one or more intermediate CA certificates. Depending on your CA, certificates come in various formats. More on this subject, later in this post.
Import the signed Certificate
In my case, I have created the Certificate Signing Request on one of the Connection Servers. So we will import our new certificate on this server.
- In the MMC window on the Connection Server host, expand the Certificates (Local Computer) node and select the Personal
- In the Actions pane, go to More Actions > All Tasks > Import.
- In the Certificate Import wizard, click Next and browse to the location where the certificate is stored.
- Select the certificate file and click Open.
We can now finish the import. Because the accompanying Private Key is already stored on this server, there will be no password request.
Repeat the import procedure for the root and intermediate certificates. Root certificate must be stored under Trusted Root Certification Authorities.
Intermediate Certificates, under Intermediate Certification Authorities.
Set up the imported Certificate for a View server
To configure a View Connection Server instance or security server to recognize and use an SSL certificate, you must modify the certificate Friendly name to vdm.
You do not have to modify the Friendly name of SSL certificates that are used by View Composer.
There should be just one certificate with Friendly name vdm.
Right-click a certificate and Select Properties. On the General tab, delete the Friendly name text or edit to vdm (depending on the certificate).
Important: after importing certificates, do not forget to restart the Service “VMware Horizon View Connection Server”.
Now check in the View Administrator, the connection server should show a nice green color.
In case you see this Status message: “Server’s certificate subject name does not match the server’s External URL.”, have a look at http://kb.vmware.com/kb/2021432 for the solution.
Import Certificates on other View Servers
On several occasions, I have noticed that a “workspace.company.com” certificate is used on multiple connection servers. To import the certificate on another server, we need to export the certificate and it’s private key to a .pfx format
After importing the key we will verify that the new certificate contains an exportable private key.
- Double-click the certificate and verify that the following statement appears in the Certificate Information dialog box: You have a private key that corresponds to this certificate..
- To verify that the private key is exportable, Open the Certificate, go to tab Details.
Button Copy to File… In the Welcome to the Certificate Export Wizard, Next.
In the Export Private Key window, the Yes, export the private key field should be selectable and not be greyed out.
- Next and in the Export File Format Window, option Personal Information Exchange – PKCS #12 (.PFX) is preselected. Make user to tick options Include all certificates in the certification path if possible and Export all extended properties. Do NOT select Delete the private key….
- Next, in the Security window, to protect your export file, tick Password and provide a password.
- Next, in the File to Export window, provide a filename and location to store the export file.
- Finish the export.
The resulting .pfx file icon shows an opened envelope with a certificate and the yellow key. Now you are ready to import the certificates and corresponding key.
Follow the same procedure as in the section Import a signed Certificate.
Document Scenarios for Setting Up SSL Certificates for View. Section “Convert a Certificate File to PKC#12 format”, describes a method using the OpenSSL toolkit for converting certificates.
Important: You do not have to import the root certificate into View Composer, vCenter Server, or security server hosts.
If you configure a new SSL certificate after you install View Composer, you must run the SviConfig
ReplaceCertificate utility to replace the certificate that is bound to the port used by View Composer. This utility unbinds the existing certificate and binds the new certificate to the port.
This utility can be found in the folder:
C:\Program Files(x86)\VMware\VMware View Composer\sviconfig.exe
Run as: sviconfig -operation=ReplaceCertificate -delete=false
Option –delete=false, keeps the old certificate
This post is the sixth post in a series about implementing CA signed SSL certificates in a vSphere environment.