Tag Archives: connection

Replacing SSL Certificates on View Connection Servers 5.1

Leave a reply

Here are the steps involved to change the SSL certificates from the default VMware Self-Signed certificate to one signed by either your internal CA or a public CA.  This tutorial works for both the View Connection Server or Security Server services.  An official KB article by VMware on this subject can be found here: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2020913

In this particular guide, we cover generating an SSL certificate with an Internal CA.  If we wanted to sign our server with a public CA, we could use a tool like openSSL to generate a certificate request, send the request to a public CA.  Next, we would import a PFX12 file with the private and public key into the Local computer's Personal certificates and change set Friendly Name to vdm.

Opening the Certificates Management Console

  1. In the Connection Server, click Start, type mmc, and click OK.
  2. Click File > Add/Remove Snap-in.
  3. Select Certificates and click Add.
  4. Select Computer account and click Next.
  5. Select Local computer and click Finish > OK.

Requesting a new certificate

  1. Expand Certificates and click Personal.
  2. Under Object Type, right-click and select All Tasks > Request New Certificate.
  3. Read the information on certificate enrollment and click Next.
  4. Click Active Directory Enrollment Policy > Next.
  5. Select the template for certificate enrollment and click Details > Properties.
    1. Notes:
      1. Ensure you choose the Windows Server 2003 certificate template option. Do NOT choose Windows Server 2008.
        For information on creating a certificate template, see the Microsoft Technet article Creating Certificate Templates.
      2. If you notice that the service starts but you are unable to navigate to the SSL page, this is because the Windows Server template was set to Server 2008.
  6. Click the General tab.
  7. Under Friendly name, type vdm.
  8. Click the Private Key tab.
  9. Click the arrow next to Key options and select the Make private key exportable option.
  10. Click OK > Enroll.
  11. Click Finish.
  12. Restart the Connection Server service.Notes:
    • If you use any browser other than Internet Explorer to access the View Administration console, you must add an exception for the connection to be trusted.
    • It may take a few minutes for the certificate to be recognized as valid in the View Administration console.

All credit for this guide goes to VMware for this information. This post is merely for archival purposes and self-reflections on the subject.

Replacing SSL Certificates on View Connection Servers 5.0

2 Replies

This process does NOT work for VMWare View 5.1 only 5.0

Here are the steps involved to change the SSL certificates from the default VMware Self-Signed certificate to one signed by either your internal CA or a public CA.  This tutorial works for both the View Connection Server or Security Server services.

  1. Navigate to the following directory via command prompt (if running server 2008, make sure you run command prompt as an administrator):
    1. C:\Program Files\VMware\VMware View\Server\jre\bin
  2. Execute the following command to generate a new Java Keystore:
    1. keytool -genkeypair -keyalg "RSA" -keysize 2048 -keystore keys.jks -storepass secret
      1. Note: This will ask for your first and last name, type in your FQDN here (I.e. viewserver.mydomain.com); also hit RETURN to use the same password as your keystore password when you are done.
  3. Execute the following command to generate a CSR:
    1. keytool -certreq -file certificate.csr -keystore keys.jks -storepass secret
  4. Sign the certificate.csr file that was just generated with your certificate authority (GoDaddy, Verisign, Internal CA, etc.)
  5. Copy the signed .cer or .crt file that you just received from your CA to the same keytool directory
  6. Copy any root or intermediate public certificates to the same keytool direcotry
  7. Execute the following commands for each of your root and intermediate certificates
    1. Root CA Example
      1. keytool -importcert -keystore keys.jks -storepass secret -alias rootCA -file rootCA.cer
    2. Intermediate CA Example
      1. keytool -importcert -keystore keys.jks -storepass secret -alias intermediateCA -file intermediateCA.cer
  8. Execute the following command to import your public certificate for your certificate.csr file:
    1. keytool -importcert -keystore keys.jks -storepass secret -keyalg "RSA" -trustcacerts -file certificate.cer
  9. Next, we need to configure a View Connection Server Instance or Security Server to use the new certificate
    1. Move the keys.jks file that we just created (C:\Program Files\VMware\VMware View\Server\jre\bin\keys.jks) to the following directory:
      1. c:\Program Files\VMware\VMware View\Server\sslgateway\conf\keys.jks
    2. Next, we need to add the keyfile, keypass, and storetype properties to the locked.properties file
      1. If the locked.properties file does not already exist,go ahead and create a new file with notepad.
      2. Once the locked.properties file is open, ensure the following lines are in it:
        1. keyfile=keys.jks
        2. keypass=secret
        3. storetype=jks
  10. Restart the View Connection Server service or Security Server service for your changes to take effect.
  11. Once you have verified the new certificate works, delete the following files from C:\Program Files\VMware\VMware View\Server\jre\bin
    1. certificate.cer
    2. rootCA.cer
    3. intermediateCA.cer
    4. certficate.csr