Thursday, August 27, 2015

Demystifying Horizon View Certs - Easily install a signed certificate

Horizon View certs giving you a headache? Follow this post to take away the complication and get those servers green! This post will cover installing certs for all versions of VMware View (Horizon).

Disclaimer: This post is based off KB 2068666

Generate the Certificate Request

We'll be using the Microsoft Management Console (MMC) Certificates Snap-in.

  1. From your Connection Server or some other Windows Server click Start > Run > MMC

  2. Click File > Add/Remove Snap-in...

  3. Highlight Certificates and click Add >

  4. Choose Computer account and click Next

  5. Choose Local Computer > Finish

  6. Ensure you see Certificates (Local Computer) under Selected snap-ins and click OK

  7. Expand Certificates (Local Computer) and right click Personal > All Tasks > Advanced Operations > Create Custom Request

  8. Per the splash screen, verify the computer is connected to the network and you have credentials that can be used to verify your right to obtain the certificate and click Next

  9. Under Custom Request, highlight Proceed without enrollment policy and click Next

  10. Select (No template) Legacy key from the drop-down and ensure PKCS #10 is selected. Click Next

  11. Expand Details and click Properties

  12. On the General tab, type vdm for the Friendly name

  13. Click the Subject tab and enter the values below, clicking the Add button after each one:

    • Common Name: Value = FQDN of View Server

    • Country: Value = (2 Letter Country Code, e.g., US)

    • Locality: Value = (Your City Location)

    • Organization: Value = (Your Company)

    • Organization Unit: Value = (Department, e.g., IT)

    • State: Value = (2 Letter State Code, e.g., CA)


  14. Click the Private Key tab > click Key Options Details > select Key size 2048

  15. Check the box for Make private key exportable and click OK > Next

  16. Save the file as a .req

  17. Provide this certreq.req file to your Certificate Authority per their requirements.

Installing the Certificate

Once the 3rd Party CA has provided you the certificate, download the necessary files (in most cases this would be the Tomcat/P7B/bundle provided by the CA). If they provide host, intermediate, and root certs, download all 3 files. Now we'll launch MMC on the Connection Server to install the cert.

  1. Assuming the MMC console is still open and the cert snap-in is enabled, expand Certificates (Local Computer) > Personal > Certificates

  2. Right click and choose All Tasks > Import

  3. Select the cert bundle you downloaded
    NOTE: Make sure that whenever you're prompted you choose:

    • Yes to Mark the Private Key Exportable

    • Yes to all extended properties

    • Yes to all certificates in the certification path

  4. Choose Automatically select the certificate store based on the type of certificate and click Next

  5. Finish the Import wizard.

NOTE: If importing a PFX file, you will be prompted for the private key password. Check both boxes to mark as exportable and include all extended properties
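
Before restarting the service, the import can be checked from an elevated PowerShell prompt on the Connection Server. This script is an added example, not part of the original post or of KB 2068666. It assumes View selects its certificate by the friendly name vdm, so it flags duplicates, and the 30-day expiry window is an arbitrary choice:

```powershell
# Added example: sanity-check the certificate imported into
# Certificates (Local Computer) > Personal before restarting View.
$expectedName = 'vdm'   # Friendly name typed on the General tab of the request
$minKeyBits   = 2048    # Key size selected on the Private Key tab
$warnDays     = 30      # Assumption: arbitrary expiry warning window

$certs = @(Get-ChildItem -Path Cert:\LocalMachine\My |
           Where-Object { $_.FriendlyName -eq $expectedName })

# Assumption: exactly one certificate should carry the friendly name.
if ($certs.Count -ne 1) {
    Write-Warning "Expected one certificate named '$expectedName', found $($certs.Count)."
}

foreach ($cert in $certs) {
    $problems = @()

    # A bundle imported without the matching request leaves no private key.
    if (-not $cert.HasPrivateKey) {
        $problems += 'no private key associated with the certificate'
    }
    if ($cert.PublicKey.Key.KeySize -lt $minKeyBits) {
        $problems += "key is smaller than $minKeyBits bits"
    }
    if ($cert.NotBefore -gt (Get-Date)) {
        $problems += 'certificate is not yet valid'
    }
    if ($cert.NotAfter -lt (Get-Date).AddDays($warnDays)) {
        $problems += "certificate expires within $warnDays days (or already has)"
    }
    # Verify() builds the chain from the machine stores, so it fails when
    # the intermediate or root certificate was not imported.
    if (-not $cert.Verify()) {
        $problems += 'certificate chain does not validate on this machine'
    }

    $status = if ($problems.Count -gt 0) { $problems -join '; ' } else { 'OK' }

    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        KeyBits    = $cert.PublicKey.Key.KeySize
        Status     = $status
    }
}
```

A Status of OK on a single row means the certificate has its private key, meets the key size, is within its validity period, and chains to a root this server trusts.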


Important: Completing the certificate installation

If you're on View 5.1 or later, you're done! All you need to do is restart the View Connection Server Service for it to pick up the new certificate. After the service starts, wait up to 5 minutes before the View Admin page reflects the Green status.

If you're on View 5.0.x or earlier, you must now export the cert as a PFX from the MMC console, place it in the local SSL directory, and update your locked.properties file with the PFX file name and password.

  1. Copy the PFX you exported to the SSL Gateway directory on the Connection Server (usually install_directory\VMware\VMware View\Server\sslgateway\conf)

  2. Edit locked.properties in the same directory to contain the PFX file name and password you set during export (if you don't have a locked.properties file, you'll need to create it)
    keyfile=key.pfx
    keypass=secret

  3. Restart the Connection Server service

If this post helped you get your cert installed, let me know in the comments! Good luck!

3 comments:

  1. […] previously written about how to easily install a signed certificate. Long story short—if you have Knowledge Base (KB) 2068666 on hand prior to attempting your […]