Here are the steps to change the SSL certificate from the default VMware self-signed certificate to one signed by either your internal CA or a public CA. This tutorial works for both the View Connection Server and Security Server services. An official KB article by VMware on this subject can be found here: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2020913
In this particular guide, we cover generating an SSL certificate with an internal CA. If we wanted to sign our server certificate with a public CA, we could use a tool like OpenSSL to generate a certificate request and send the request to a public CA. Next, we would import a PFX (PKCS#12) file with the private and public key into the Local computer's Personal certificates and set the Friendly Name to vdm.
Opening the Certificates Management Console
- In the Connection Server, click Start, type mmc, and click OK.
- Click File > Add/Remove Snap-in.
- Select Certificates and click Add.
- Select Computer account and click Next.
- Select Local computer and click Finish > OK.
Requesting a new certificate
- Expand Certificates and click Personal.
- Under Object Type, right-click and select All Tasks > Request New Certificate.
- Read the information on certificate enrollment and click Next.
- Click Active Directory Enrollment Policy > Next.
- Select the template for certificate enrollment and click Details > Properties.
- Notes:
  - Ensure you choose the Windows Server 2003 certificate template option. Do NOT choose Windows Server 2008. For information on creating a certificate template, see the Microsoft TechNet article Creating Certificate Templates.
  - If you notice that the service starts but you are unable to navigate to the SSL page, this is because the Windows Server template was set to Server 2008.
- Click the General tab.
- Under Friendly name, type vdm.
- Click the Private Key tab.
- Click the arrow next to Key options and select the Make private key exportable option.
- Click OK > Enroll.
- Click Finish.
- Restart the Connection Server service.
Notes:
- If you use any browser other than Internet Explorer to access the View Administration console, you must add an exception for the connection to be trusted.
- It may take a few minutes for the certificate to be recognized as valid in the View Administration console.
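To confirm the result of the steps above, the following check can be run on the server. It is an added example, not part of the VMware KB or the original post, and assumes an elevated Windows PowerShell 5.1 session; the expectation of exactly one certificate named vdm and the Server Authentication EKU check are assumptions of this example.

```powershell
# Added example (not from the VMware KB): checks the certificate the steps above produce.
# Assumes an elevated Windows PowerShell 5.1 session on the Connection or Security Server.
$friendlyName  = 'vdm'                 # value typed on the General tab
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU (assumed requirement)
$problems = @()

# "Local computer > Personal" in the MMC snap-in is the Cert:\LocalMachine\My store.
$candidates = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq $friendlyName })
if ($candidates.Count -ne 1) {
    # Assumption: the friendly name should select exactly one certificate.
    $problems += "expected 1 certificate named '$friendlyName', found $($candidates.Count)"
}

foreach ($cert in $candidates) {
    $id  = $cert.Thumbprint
    $now = Get-Date
    if (-not $cert.HasPrivateKey) { $problems += "${id}: no private key in the store" }
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        $problems += "${id}: outside validity period ($($cert.NotBefore) to $($cert.NotAfter))"
    }

    # Collect EKU OIDs; the list is empty when the certificate has no EKU extension.
    $ekus = @($cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
    if ($ekus -notcontains $serverAuthOid) { $problems += "${id}: Server Authentication EKU not listed" }

    # Verify() builds and validates the chain, so an untrusted issuing CA fails here.
    if (-not $cert.Verify()) { $problems += "${id}: chain does not validate on this machine" }

    # The Private Key tab step: confirm the key was enrolled as exportable.
    try {
        $key = $cert.PrivateKey
        if ($key -isnot [System.Security.Cryptography.ICspAsymmetricAlgorithm]) {
            $problems += "${id}: key is not a CSP key, exportable flag not checked"
        } elseif (-not $key.CspKeyContainerInfo.Exportable) {
            $problems += "${id}: private key is not marked exportable"
        }
    } catch {
        $problems += "${id}: private key could not be opened: $($_.Exception.Message)"
    }
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output "Certificate '$friendlyName' passed all checks."
}
```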
All credit for this guide goes to VMware for this information. This post is merely for archival purposes and self-reflections on the subject.