Implementing CA signed SSL certificates with vSphere 5.x – Part 6 – Horizon View

In a VMware Horizon for View environment (VMware’s VDI solution), View Connection servers are an important client facing component. A View Connection Server acts as a broker for client connections and for that reason VMware highly recommends that you replace the default SSL certificates which are generated during the installation of the Connection servers.

To help you with this job, VMware has a lot of useful documentation available, like:

For each View Connection server you should perform these basic tasks for setting up SSL Certificates:

  1. Generate a Certificate Signing Request
  2. Request a signed Certificate from a CA
  3. Import the signed Certificate
  4. Set up the imported Certificate for a View server
  5. Import Certificates on other View Servers

In the next sections I will show you the steps and some tips to step over some of the caveats.

Generate a Certificate Signing Request

We need to create a Certificate Signing Request (CSR) for the environment; the certificate should be named something like: “workspace.company.com”.

On a View Connection Servers, create a request.inf file. Replace the CN with “workspace.company.com” and adjust the other subject attributes. Make sure the KeyLength is at least 2048 and save the file as request.inf in a new folder c:\certificates.

;----------------- request.inf -----------------
[Version]
Signature="$Windows NT$
[NewRequest]
Subject = "CN=View_Server_FQDN, OU=Organizational_Unit, O=Organization, L=City, S=State, C=Country"
KeySpec = 
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
;-----------------------------------------------

 

Open a command prompt, cd to the folder c:\certificates and run the following command:

> certreq -new request.inf certreq.txt

 

Request a signed Certificate from a CA

Procedures requesting a signed certificate may differ. Ultimately, you will receive the requested signed certificate file (.crt file), the accompanying root certificate and if applicable one or more intermediate CA certificates. Depending on your CA, certificates come in various formats. More on this subject, later in this post.

 

Import the signed Certificate

In my case, I have created the Certificate Signing Request on one of the Connection Servers. So we will import our new certificate on this server.

  1. In the MMC window on the Connection Server host, expand the Certificates (Local Computer) node and select the Personal
  2. In the Actions pane, go to More Actions > All Tasks > Import.
  3. In the Certificate Import wizard, click Next and browse to the location where the certificate is stored.
  4. Select the certificate file and click Open.

We can now finish the import. Because the accompanying Private Key is already stored on this server, there will be no password request.

Repeat the import procedure for the root and intermediate certificates. Root certificate must be stored under Trusted Root Certification Authorities.
Intermediate Certificates, under Intermediate Certification Authorities.

20151016-01            Figure 1

 

Set up the imported Certificate for a View server

To configure a View Connection Server instance or security server to recognize and use an SSL certificate, you must modify the certificate Friendly name to vdm.
You do not have to modify the Friendly name of SSL certificates that are used by View Composer.

There should be just one certificate with Friendly name vdm.

Right-click a certificate and Select Properties. On the General tab, delete the Friendly name text or edit to vdm (depending on the certificate).

20151016-02Figure 2

Important: after importing certificates, do not forget to restart the Service “VMware Horizon View Connection Server”.

Now check in the View Administrator, the connection server should show a nice green color.

In case you see this Status message: “Server’s certificate subject name does not match the server’s External URL.”, have a look at http://kb.vmware.com/kb/2021432 for the solution.

 

Import Certificates on other View Servers

On several occasions, I have noticed that a “workspace.company.com” certificate is used on multiple connection servers. To import the certificate on another server, we need to export the certificate and it’s private key to a .pfx format

After importing the key we will verify that the new certificate contains an exportable private key.

  • Double-click the certificate and verify that the following statement appears in the Certificate Information dialog box: You have a private key that corresponds to this certificate..

20151016-03           Figure 3

  • To verify that the private key is exportable, Open the Certificate, go to tab Details.
    Button Copy to File… In the Welcome to the Certificate Export Wizard, Next.
    In the Export Private Key window, the Yes, export the private key field should be selectable and not be greyed out.

20151016-04           Figure 4

  • Next and in the Export File Format Window, option Personal Information Exchange – PKCS #12 (.PFX) is preselected. Make user to tick options Include all certificates in the certification path if possible and Export all extended properties. Do NOT select Delete the private key….

20151016-05           Figure 5

  • Next, in the Security window, to protect your export file, tick Password and provide a password.

20151016-06           Figure 6

  • Next, in the File to Export window, provide a filename and location to store the export file.
  • Finish the export.

The resulting .pfx file icon shows an opened envelope with a certificate and the yellow key. Now you are ready to import the certificates and corresponding key.

Follow the same procedure as in the section Import a signed Certificate.

Document Scenarios for Setting Up SSL Certificates for View. Section “Convert a Certificate File to PKC#12 format”, describes a method using the OpenSSL toolkit for converting certificates.

Important: You do not have to import the root certificate into View Composer, vCenter Server, or security server hosts.

If you configure a new SSL certificate after you install View Composer, you must run the SviConfig

ReplaceCertificate utility to replace the certificate that is bound to the port used by View Composer. This utility unbinds the existing certificate and binds the new certificate to the port.

This utility can be found in the folder:
C:\Program Files(x86)\VMware\VMware View Composer\sviconfig.exe

Run as: sviconfig -operation=ReplaceCertificate -delete=false
Option –delete=false, keeps the old certificate

This post is the sixth post in a series about implementing CA signed SSL certificates in a vSphere environment.

Part 1 – Introduction.

Part 2 – Obtaining Certificates.

Part 3 – Implementing CA signed SSL certificates for the vCenter Server Appliance

Part 4 – Implementing CA signed SSL certificates for the vCO/vRO

Part 5 – Implementing CA signed SSL certificates for ESXi and Automation

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: