In this post I will describe how to install CA-signed certificates on Horizon View servers using OpenSSL.
Most VMware products ship with the self-signed certificates their installer generates (which is good for testing), but VMware recommends replacing them with CA-signed certificates to make the infrastructure more secure.
I found the available documentation a little thin, so I thought I would describe the process here.
So, what you will need: OpenSSL. OpenSSL is an open-source command-line tool that creates, signs and converts certificates and handles just about anything else certificate-related.
You also need access to a CA server to sign the certificate. In this case I am using a Microsoft CA server, but any other CA can be used (with small changes to the process).
The first step is to create an OpenSSL config file. I prefer using config files because they avoid the interactive prompts, and by that avoid mistakes.
This is an example of a config file:
# Request settings: key size, where the key is written, and no interactive prompts.
[ req ]
default_bits = 2048
default_keyfile = vdi01.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
# Extensions requested for the certificate; the SAN lists every name or IP clients will use.
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vdi01, IP:10.0.0.11, DNS:vdi01.ronen.com
# Subject of the certificate; commonName is the FQDN clients connect to.
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = NC
localityName = Durham
0.organizationName = RonenINC
organizationalUnitName = Engineering
commonName = vdi01.ronen.com
Change the environment-specific values (the key file name, the subjectAltName entries and everything under [ req_distinguished_name ]) to your use case. Save the file under the name of the server: vdi01.cfg.
Important: the “commonName” field should be the FQDN of the server (if the server will be behind a load balancer, it should be the FQDN of the load balancer).
The “subjectAltName” should list the short name of the server, its IP address, and any other URL that you might use to connect to it. SANs are very useful when you connect to a server under different names or URLs.
The next step is to create the certificate signing request and the key file. It is done with one command, run from a command prompt launched with Administrator privileges:
openssl req -new -nodes -out vdi01.csr -keyout vdi01.key -config vdi01.cfg
This command reads the config file we created, takes the information in it and creates two files: the private key (vdi01.key) and the certificate signing request (vdi01.csr).
In this step we will use the Microsoft CA server to sign the CSR. You can use any other CA server (this is what I have), but the process will be a little different.
Use IE to open the URL of the CA server: https://caserver.ronen.com/certsrv
Click “Request a Certificate”.
Click “Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file”.
Open the CSR file we created and copy all of its content (including the header and footer lines).
Paste the CSR content into the CA server page and select the certificate template you need (this depends on your environment).
Then click “Submit”.
If everything is OK, you will be prompted to choose the encoding of the certificate; choose “Base 64 encoded” and click “Download certificate”.
Save the certificate to the same location as your key file.
Change the file extension from .cer to .crt (this has no effect on the content) and rename it after the server to make it clearer: “vdi01.crt”.
Since Horizon View uses a PFX file and not just the certificate, we will have to create one and bundle both the certificate and the key file into it:
openssl pkcs12 -export -in vdi01.crt -inkey vdi01.key -name vdm -passout pass:testpassword -out vdi01.pfx
Important: Don't change the name or the password. This is the way the server expects it to be.
The last step is to install the new certificate on the Horizon connection servers. Copy the PFX file to each of them.
Launch the MMC on the Horizon View server, add the “Certificates” snap-in and select “Computer account”.
Right-click the “Personal” folder and choose “Import”.
Select the PFX file we created and check “Mark this key as exportable” and “Include all extended properties”.
Rename the old “vdm” certificate to another name (“vdm-old”); the Horizon View server looks for the friendly name “vdm”.
Make sure the new certificate we imported is named “vdm”.
Restart the Horizon View services and make sure you can connect to the admin page, and also with the client, without getting a certificate error in the browser or the client (the services may take a couple of minutes to start).
A couple of things to pay attention to:
You will have to go to the View Configuration – Connection Server edit page and edit the IPs and URLs to match the certificate and what the users will use. Generally, for internal users the default will work fine. I also found out that I can load balance the Blast and HTTPS secure tunnel, although this is not supported by VMware and can cause all kinds of issues.
PCoIP can't be load balanced.
Verify in the admin page dashboard that you don't have an error message on the connection server. Usually, if the certificate URL does not match what is configured as the URL for the connection server, there will be an error.
When using external security servers in the DMZ (where else would you put them?), make sure to create the certificate with the public URLs and IPs, and also configure them in the security server configuration, again to avoid certificate errors.
That's it, this is how to install signed certificates on Horizon View servers.