Request and install external certificate into VMware view

Here are the steps I used back in View 5.0 to request and install an external certificate into a VMware View Security server or connection broker. Remember that for the View client or web browser to accept the certificate we install, three things need to match: one, the name you connected to must be the name on the certificate, so if you went to vdi.mydomain.com the certificate needs to carry that name; two, the certificate must be within its validity period; and three, the most important, the certificate must be trusted by the client device. This guide uses a purchased certificate, but for internal reasons you may want to use your own certificate authority. The only problem with that is you will need to make every internal client trust the certificate in order to suppress the error message. For this reason I recommend, where possible, using the external name for the internal servers as well. To do this you will most likely need to spoof the external name internally: for example, if vdi.mydomain.com points to 4.4.4.4 on the outside, you would also point vdi.mydomain.com on your internal DNS servers to the internal IP, such as 192.168.1.5. This may not work in all cases.
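To make the three conditions concrete, here is an added example (not part of the original post) that applies them to a certificate the way a client would. It works on the dict layout Python's ssl.SSLSocket.getpeercert() returns; the sample certificate, its subjectAltName list, issuer name, validity dates and the set of trusted issuers are constructed for the example and are not values from this page.

```python
"""Check a server certificate the way a View client or browser does:
name match, validity window, and trusted issuer."""
import ssl
import time

# Constructed sample certificate in the dict layout Python's
# ssl.SSLSocket.getpeercert() returns for a validated peer. The subject
# mirrors the keytool prompts on this page; the SAN list, issuer and dates
# are assumptions made up for the example.
SAMPLE_CERT = {
    "subject": (
        (("countryName", "US"),),
        (("stateOrProvinceName", "OH"),),
        (("localityName", "City"),),
        (("organizationName", "Your-org"),),
        (("commonName", "vdi.mydomain.com"),),
    ),
    "subjectAltName": (("DNS", "vdi.mydomain.com"), ("DNS", "*.mydomain.com")),
    "issuer": ((("commonName", "Example CA (constructed)"),),),
    "notBefore": "Jan  5 00:00:00 2012 GMT",
    "notAfter": "Dec 30 23:59:59 2012 GMT",
}

# Issuers the client device trusts. A purchased certificate chains to a CA
# already in the client's store; an internal CA only if you push it out.
TRUSTED_ISSUERS = {"Example CA (constructed)"}

# Two points in time used by the demo below (constructed).
IN_WINDOW = ssl.cert_time_to_seconds("Jun  1 12:00:00 2012 GMT")
AFTER_EXPIRY = ssl.cert_time_to_seconds("Jan  1 00:00:00 2013 GMT")


def dns_name_matches(pattern, hostname):
    """RFC 6125-style match: exact, or a single '*' as the leftmost label
    covering exactly one label (so *.mydomain.com does not cover a.b.mydomain.com)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    return (p_labels[0] == "*" and len(p_labels) == len(h_labels)
            and p_labels[1:] == h_labels[1:])


def cert_dns_names(cert):
    """DNS names the certificate is valid for: SAN entries, else the CN."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def check_view_cert(cert, hostname, trusted_issuers, now=None):
    """Return the reasons a client would reject the certificate; an empty
    list means all three conditions from the text hold."""
    now = time.time() if now is None else now
    problems = []
    # 1. the name you connected to must be on the certificate
    names = cert_dns_names(cert)
    if not any(dns_name_matches(n, hostname) for n in names):
        problems.append("name mismatch: %s not covered by %s" % (hostname, names))
    # 2. the validity window must include the current time
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        problems.append("certificate not yet valid")
    elif now > not_after:
        problems.append("certificate expired")
    # 3. the issuer must be trusted by the client device
    issuer_cn = next((v for rdn in cert["issuer"] for k, v in rdn if k == "commonName"), None)
    if issuer_cn not in trusted_issuers:
        problems.append("issuer %r not trusted by this client" % issuer_cn)
    return problems


if __name__ == "__main__":
    # The third host shows why the text recommends using the external name
    # internally: an internal-only name is not on the certificate.
    for host in ("vdi.mydomain.com", "desktop.mydomain.com", "view01.corp.local"):
        print(host, check_view_cert(SAMPLE_CERT, host, TRUSTED_ISSUERS, now=IN_WINDOW) or "OK")
```

The name check prefers subjectAltName entries and only falls back to the CN when there are none, which matches how modern clients behave; a certificate requested with only a CN, as the keytool prompts below produce, relies on that fallback.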

Here is the procedure I used:

Add keytool to the System path on all connection brokers

Path:

C:\Program Files\VMware\VMware View\Server\jre\bin

Create a working directory:

C:\>mkdir view-certificate

C:\>cd view-certificate

CREATE KEY STORE

C:\view-certificate>keytool -genkey -keyalg "RSA" -keystore keys.p12 -storetype pkcs12 -validity 360 -keysize 2048

Enter keystore password:

Re-enter new password:

What is your first and last name?

[Unknown]:  vdi.domainof-your-choice.com

What is the name of your organizational unit?

[Unknown]:

What is the name of your organization?

[Unknown]:  Your-org

What is the name of your City or Locality?

[Unknown]:  City

What is the name of your State or Province?

[Unknown]:  OH

What is the two-letter country code for this unit?

[Unknown]:  US

Is CN=vdi.domainof-your-choice.com, OU=Unknown, O=Your-org, L=City,

ST=OH, C=US correct?

[no]:  yes

CREATE KEY REQUEST

C:\view-certificate>keytool -certreq -keyalg "RSA" -file vdi-cert.csr -keystore keys.p12 -storetype pkcs12 -storepass password

Now take your request and request a certificate from VeriSign, GoDaddy, etc.

Download the certificate from wherever you requested it and open it in Internet Explorer.

Do a certificate export as PKCS#7.

NOW IMPORT THE CERT INTO THE .P12

C:\view-certificate>keytool -import -keystore keys.p12 -storetype pkcs12 -storepass password -keyalg "RSA" -trustcacerts -file vdi.mydomain.com.p7b

Certificate reply was installed in keystore

Copy the keys.p12 to:

C:\Program Files\VMware\VMware View\Server\sslgateway\conf

Create a locked.properties file

Add these two lines:

keyfile=keys.p12

keypass=password

Restart the connection server service

Copy Keystore directory to any other connection servers you will access by the same name and restart the services.

Here are the references I used:

Followed this guide page 75:

http://pubs.vmware.com/view-50/topic/com.vmware.ICbase/PDF/view-50-installation.pdf

and the following link (more helpful):

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1008705
