Replacing SSL Certificates on View Connection Servers 5.0

This process works only for VMware View 5.0; it does NOT work for View 5.1.

Here are the steps to change the SSL certificate from the default VMware self-signed certificate to one signed by either your internal CA or a public CA. This tutorial works for both the View Connection Server and Security Server services.

  1. Navigate to the following directory via command prompt (if running Server 2008, make sure you run command prompt as an administrator):
    1. C:\Program Files\VMware\VMware View\Server\jre\bin
  2. Execute the following command to generate a new Java Keystore:
    1. keytool -genkeypair -keyalg "RSA" -keysize 2048 -keystore keys.jks -storepass secret
      1. Note: This will ask for your first and last name; type in your FQDN here (e.g. viewserver.mydomain.com). When you are done, hit RETURN to use the same password as your keystore password.
  3. Execute the following command to generate a CSR:
    1. keytool -certreq -file certificate.csr -keystore keys.jks -storepass secret
  4. Sign the certificate.csr file that was just generated with your certificate authority (GoDaddy, Verisign, Internal CA, etc.)
  5. Copy the signed .cer or .crt file that you just received from your CA to the same keytool directory
  6. Copy any root or intermediate public certificates to the same keytool directory
  7. Execute the following commands for each of your root and intermediate certificates:
    1. Root CA Example
      1. keytool -importcert -keystore keys.jks -storepass secret -alias rootCA -file rootCA.cer
    2. Intermediate CA Example
      1. keytool -importcert -keystore keys.jks -storepass secret -alias intermediateCA -file intermediateCA.cer
  8. Execute the following command to import your public certificate for your certificate.csr file:
    1. keytool -importcert -keystore keys.jks -storepass secret -keyalg "RSA" -trustcacerts -file certificate.cer
  9. Next, we need to configure a View Connection Server Instance or Security Server to use the new certificate
    1. Move the keys.jks file that we just created (C:\Program Files\VMware\VMware View\Server\jre\bin\keys.jks) to the following directory:
      1. c:\Program Files\VMware\VMware View\Server\sslgateway\conf\keys.jks
    2. Next, we need to add the keyfile, keypass, and storetype properties to the locked.properties file
      1. If the locked.properties file does not already exist, go ahead and create a new file with Notepad.
      2. Once the locked.properties file is open, ensure the following lines are in it:
        1. keyfile=keys.jks
        2. keypass=secret
        3. storetype=jks
  10. Restart the View Connection Server service or Security Server service for your changes to take effect.
  11. Once you have verified the new certificate works, delete the following files from C:\Program Files\VMware\VMware View\Server\jre\bin
    1. certificate.cer
    2. rootCA.cer
    3. intermediateCA.cer
    4. certificate.csr
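
A check worth running after step 8 and before the restart in step 10, as an added example that is not part of the original post: saved as a .ps1 file, it lists the keystore with keytool and confirms that the single private key entry carries a CA-issued chain (not the self-signed certificate from step 2) and that its subject names the server. The FQDN is a placeholder, the English keytool labels are an assumption, and the paths and password are the sample values from the steps; pass -Keystore if you have already moved keys.jks to sslgateway\conf.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell prompt.
# Assumptions: $Fqdn is a placeholder name; paths and password are the sample values from the steps.
param(
    [string]$Keystore  = 'C:\Program Files\VMware\VMware View\Server\jre\bin\keys.jks',
    [string]$StorePass = 'secret',
    [string]$Fqdn      = 'viewserver.mydomain.com'
)
$keytool = 'C:\Program Files\VMware\VMware View\Server\jre\bin\keytool.exe'

# Verbose listing of every entry; keytool prints English labels on an English JRE (assumed here).
$listing = & $keytool -list -v -keystore $Keystore -storepass $StorePass 2>&1 | Out-String
if ($LASTEXITCODE -ne 0) { throw "keytool could not read ${Keystore}:`n$listing" }

# Each entry starts with an "Alias name:" line; the first chunk is the keystore header.
$entries    = $listing -split '(?m)^(?=Alias name:)' | Where-Object { $_ -match '^Alias name:' }
$keyEntries = @($entries | Where-Object { $_ -match 'Entry type:\s*PrivateKeyEntry' })

$problems = @()
if ($keyEntries.Count -ne 1) {
    $problems += "expected exactly one PrivateKeyEntry, found $($keyEntries.Count)"
} else {
    $entry = $keyEntries[0]
    # Chain length 1 = the key pair still carries the self-signed certificate from step 2,
    # so the CA reply from step 8 was not attached to the private key.
    if ($entry -match 'Certificate chain length:\s*(\d+)') {
        if ([int]$Matches[1] -lt 2) {
            $problems += 'private key entry is still self-signed (chain length 1)'
        }
    } else {
        $problems += 'no certificate chain reported for the private key entry'
    }
    # The first Owner: line under the entry is the server (leaf) certificate.
    if ($entry -match 'Owner:\s*(.+)') {
        $owner     = $Matches[1].Trim()
        $cnPattern = 'CN=' + [regex]::Escape($Fqdn) + '\s*(,|$)'
        if ($owner -notmatch $cnPattern) {
            $problems += "leaf certificate subject '$owner' does not name $Fqdn"
        }
    } else {
        $problems += 'no Owner line found for the private key entry'
    }
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output "OK: $Keystore holds one private key with a CA-issued chain for $Fqdn"
```

A chain length of 1 or a second key entry usually means the signed certificate was imported under a different alias than the one created in step 2, which leaves the service presenting the self-signed certificate after the restart.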

 

2 thoughts on “Replacing SSL Certificates on View Connection Servers 5.0”

    1. Jack Post author

      Hi Javier, I don't believe a PKCS #7 file will work as it would not contain the private key to decrypt the incoming traffic. You would need both the private and public key in order to meet VMware's requirements.
