How to add SSL certificates to VMware Horizon View environment.

VMware made a huge step forward with their VMCA, but unfortunately VMCA covers only the Platform Services Controller, vCenter and ESXi hosts. I hope that they will cover this issue in the next release of VMCA/Horizon View. The first step is to create SSL certificate signing requests. Of course, your PKI infrastructure must be in place before you can get SSL certificates. Here I will show how to generate both the certificate requests and the SSL certificates, prepare them and import them into the VMware Horizon View environment.

To generate the SSL signing request and the SSL certificate, we will use the Windows command-line tool certreq and an inf file with the required information about the Horizon View server. Before proceeding, make sure that you have a proper SSL certificate template that marks the private key as exportable and allows the certificate to be used for server and client authentication.

Here is an example of my inf file for the Horizon View Connection servers:

;----------------- request.inf -----------------

[Version]

Signature="$Windows NT$"

[NewRequest]

Subject = "CN=v-srv-con01.sefnet.local, OU=IT, O=SEFNET, L=DK, S=DK, C=DK"
; Replace the CN with the FQDN of the View server.
; Replace the remaining Subject attributes.
KeySpec = 1
KeyLength = 2048
; KeyLength is usually chosen from 2048, 3072, or 4096. A KeyLength
; of 1024 is also supported, but it is not recommended.
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]

OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication

[Extensions]

2.5.29.17 = "{text}"
_continue_ = "dns=view.sefnet.local&"
_continue_ = "dns=v-srv-con01.sefnet.local&"
_continue_ = "dns=v-srv-con01&"
_continue_ = "ipaddress=10.100.100.101&"

;-----------------------------------------------

Create a new file using Windows Notepad, paste the above lines and save it as v-srv-con01.inf in the C:\Certificates\v-srv-con01 folder. Now we will create a Windows batch file with all the commands needed to create the request, submit it to the CA and save the signed certificate in the correct location. Note that you can generate all requests and process all certificates from a single machine as long as you have the necessary access to your PKI infrastructure.

Create a new file using Windows Notepad and insert the following lines:

CD C:\Certificates\v-srv-con01
certreq -new -attrib "CertificateTemplate:VMwareServerTemplate" v-srv-con01.inf v-srv-con01.CSR
certreq -submit -config "v-srv-pki01.sefnet.local\SEFNETIssuingCA01" v-srv-con01.CSR v-srv-con01.cer
certreq -accept v-srv-con01.cer

Basically we create the certificate signing request, submit it to our issuing CA and save the signed certificate in the Personal store of the local machine account. When you open the certificate store using MMC, you will see that you now have 3 new certificates: your Root CA, the Issuing CA and the server certificate. Move the Root CA to Trusted Root Certification Authorities, the Issuing CA to Intermediate Certification Authorities and keep your server certificate in place. Now right-click the server certificate, select Properties, write vdm under Friendly name and click OK.

Copy the v-srv-con01 folder and paste it in place, creating the folders v-srv-con02 and v-srv-com01. Edit the respective files under both folders to reflect the path and server names. Note that for v-srv-com01 (the Composer server) you do not need the line _continue_ = "dns=view.sefnet.local&"; remove it and save the file. When you run the batch file for the second connection server, its server certificate will also appear under the Personal folder on the first connection server. Right-click the certificate for the second connection server, select All Tasks and then Export. Make sure to export the private key as well as the extended properties, choose a password and a location for the file and save it as a pfx file. Move or copy the exported certificate to the second connection server, double-click the pfx file, type your password and import the certificate into the Personal store. Again, move the Root CA and Issuing CA to their respective stores, right-click the server certificate, select Properties, write vdm under Friendly name and click OK. Restart the VMware View Connection service on both servers and confirm in the View Administrator portal that both servers are using valid SSL certificates.
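The post-issuance steps above (checking the issued certificate against the inf requirements, sorting the chain into the right stores, setting the vdm friendly name, exporting the PFX and importing it on the second connection server), as an added PowerShell example that is not part of the original post. It assumes an elevated Windows PowerShell 5.1 session with the PKI module (Export-PfxCertificate and Import-PfxCertificate, Windows Server 2012 or later), that the key was created with the legacy CSP named in the inf file, and that the View Connection Server service has a display name matching 'VMware*Connection Server'; the function names are mine and the server names and paths are the post's own.

```powershell
# Added example, not from the original post. Assumes an elevated Windows PowerShell
# 5.1 session and the PKI module; server names/paths follow the post, function
# names are illustrative.

# Verify an issued certificate in LocalMachine\My meets the inf requirements:
# private key present and exportable, Server Authentication EKU, expected SANs.
function Test-ViewServerCertificate {
    param(
        [Parameter(Mandatory)] [string]   $Subject,        # e.g. v-srv-con02.sefnet.local
        [string[]] $ExpectedSan = @()                       # DNS names / IPs the SAN must list
    )
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$Subject*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate for $Subject in LocalMachine\My" }

    $problems = @()
    if (-not $cert.HasPrivateKey) { $problems += 'no private key bound' }
    # The inf uses a CSP (ProviderType 12), so .PrivateKey exposes CSP key container info.
    # For CNG keys .PrivateKey is $null on .NET Framework and this check is skipped.
    if ($cert.PrivateKey -and -not $cert.PrivateKey.CspKeyContainerInfo.Exportable) {
        $problems += 'private key is not exportable (template must allow export)'
    }
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $eku -or -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })) {
        $problems += 'missing Server Authentication EKU (1.3.6.1.5.5.7.3.1)'
    }
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($san) { $san.Format($false) } else { '' }
    foreach ($name in $ExpectedSan) {
        if ($sanText -notmatch [regex]::Escape($name)) { $problems += "SAN does not list $name" }
    }
    [pscustomobject]@{ Thumbprint = $cert.Thumbprint; NotAfter = $cert.NotAfter; Problems = $problems }
}

# Sort the chain that certreq -accept (or a PFX import) dropped into LocalMachine\My:
# self-signed CA to Trusted Root, other CA certs to Intermediate, and tag the
# server certificate with the friendly name View looks for.
function Set-ViewCertificateStores {
    param([Parameter(Mandatory)] [string] $ServerThumbprint)
    foreach ($c in Get-ChildItem Cert:\LocalMachine\My) {
        if ($c.Thumbprint -eq $ServerThumbprint) {
            $c.FriendlyName = 'vdm'          # persists to the store when run elevated
            continue
        }
        if ($c.HasPrivateKey) { continue }   # leave other server certificates alone
        $target = if ($c.Subject -eq $c.Issuer) { 'Root' } else { 'CA' }
        Move-Item -Path "Cert:\LocalMachine\My\$($c.Thumbprint)" -Destination "Cert:\LocalMachine\$target"
    }
}

# On the first server: export the second server's certificate with private key and chain.
function Export-ViewCertificate {
    param([Parameter(Mandatory)] [string]       $Thumbprint,
          [Parameter(Mandatory)] [string]       $PfxPath,
          [Parameter(Mandatory)] [securestring] $Password)
    Export-PfxCertificate -Cert "Cert:\LocalMachine\My\$Thumbprint" -FilePath $PfxPath `
        -Password $Password -ChainOption BuildChain | Out-Null
}

# On the second server: import the PFX, sort the stores, set "vdm", restart the service.
function Import-ViewCertificate {
    param([Parameter(Mandatory)] [string]       $PfxPath,
          [Parameter(Mandatory)] [securestring] $Password)
    $imported = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My `
        -Password $Password -Exportable | Where-Object HasPrivateKey | Select-Object -First 1
    Set-ViewCertificateStores -ServerThumbprint $imported.Thumbprint
    Restart-Service -DisplayName 'VMware*Connection Server'   # assumed display name
    $imported.Thumbprint
}

# Usage on v-srv-con01 (elevated):
#   $r = Test-ViewServerCertificate -Subject 'v-srv-con02.sefnet.local' `
#          -ExpectedSan 'view.sefnet.local','v-srv-con02.sefnet.local','10.100.100.102'
#   if ($r.Problems) { $r.Problems } else { Set-ViewCertificateStores -ServerThumbprint $r.Thumbprint }
#   $pw = Read-Host -AsSecureString 'PFX password'
#   Export-ViewCertificate -Thumbprint $r.Thumbprint -PfxPath C:\Certificates\v-srv-con02\v-srv-con02.pfx -Password $pw
# Then on v-srv-con02, after copying the pfx over:
#   Import-ViewCertificate -PfxPath C:\Certificates\v-srv-con02.pfx -Password $pw
```

Run Test-ViewServerCertificate before exporting: a certificate whose key is not exportable or whose SAN lacks view.sefnet.local passes the MMC steps silently but fails later, either at export time or when clients connect through the round-robin name. The Problems list surfaces both before anything is copied between servers.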

Note that I use 2 connection servers. In this scenario I am using DNS Round Robin as load balancing, and therefore it is crucial that the inf file for both connection servers contains the line _continue_ = "dns=view.sefnet.local&", as clients connect to view.sefnet.local and not directly to a single server. You can also create a single certificate for both connection servers using a single inf file containing information about both connection servers. In that case, the [Extensions] section of the file would look like this:

2.5.29.17 = "{text}"
_continue_ = "dns=view.sefnet.local&"
_continue_ = "dns=v-srv-con01.sefnet.local&"
_continue_ = "dns=v-srv-con01&"
_continue_ = "ipaddress=10.100.100.101&"
_continue_ = "dns=v-srv-con02.sefnet.local&"
_continue_ = "dns=v-srv-con02&"
_continue_ = "ipaddress=10.100.100.102&"

Export and import the Composer certificate using the same procedure described above. Once done, stop the VMware View Composer service and open a Windows Command Prompt. Navigate to C:\Program Files (x86)\VMware\VMware View Composer and execute the following command:

sviconfig -operation=replacecertificate -delete=true

Once the operation is complete, start the VMware View Composer service and confirm in View Administrator that the Composer server is using a valid SSL certificate.
