Monday, April 16, 2012

Requesting and installing a new SSL certificate for VMware View 5.0 Security Server with GoDaddy

Although VMware provides a KB article on how to request and install a new SSL certificate for VMware View 5.0’s Security Server, I sometimes wish there were a GUI available to do it, because I always forget the steps after a few months. After having to reread the KB article for several deployments, I’ve decided to write this blog post so I have something to refer to in the future. First off, the following is the link to VMware’s KB article:

Guidelines for generating and importing an SSL certificate for the View Connection Server
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1008705

Begin by logging on to your Security Server’s Windows Server 2008 R2 operating system, open the System Properties window, navigate to the Advanced tab and then click on Environment Variables:

image

Highlight the Path line item under System variables and click on the Edit button:

image

The path we need to add is as follows:

<install_directory>\VMware\VMware View\Server\jre\bin

Note that you should not mistake the following path:

C:\Program Files\VMware\VMware View\Server\bin <—WRONG

image

… for this:

C:\Program Files\VMware\VMware View\Server\jre\bin <—Right

image

Note the keytool.exe executable:

image

Append the path C:\Program Files\VMware\VMware View\Server\jre\bin to the Variable value: field:

image

Once that path has been entered, open a command prompt as an administrator, change to the directory of your choice and then execute the following:

keytool -genkey -keyalg "RSA" -keystore vssKeys.p12 -storetype pkcs12 -validity 360 -keysize 2048

Note that vssKeys.p12 is a user-specified filename, so it’s up to you what you want to name the keystore. Proceed with filling out the fields and make sure you make a note of the password, as you’ll be using it afterwards. For the purpose of this example, I’m going to use the password P@ssw0rd.

image

Once you’ve answered all of the questions, you’ll notice that a file named vssKeys.p12 is created in the working directory:

image

image

Note that this file is not a clear-text file, so if you open it, you’ll see the following content:

image

From here, switch back to the command prompt and type the following:

keytool -certreq -keyalg "RSA" -file viewbm.csr -keystore vssKeys.p12 -storetype pkcs12 -storepass P@ssw0rd

Note that viewbm.csr is a user-specified filename, so name it anything you prefer.

image

Once the command completes, you should now see a csr file in the working directory:

image

This csr file is the typical request file containing text that you submit to your CA:

image

Switch to your GoDaddy certificate services console and select Third Party, or Dedicated Server or Virtual Dedicated Server, without Simple Control Panel, then paste the CSR into the window:

image

Proceed with submitting the request:

image

image

Once you have approved GoDaddy to issue the certificate, navigate back to their console and download the certificate:

image

As per VMware’s KB:

Importing external Godaddy.com certificates
http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&docTypeID=DT_KB_1_1&externalId=1004836

… proceed with downloading the certificate for a Tomcat server:

image

image

Once you have downloaded the certificate, proceed with unzipping the download:

image

Proceed with opening the .crt file with Crypto Shell Extensions:

image

Once the certificate opens, click on the Details tab:

image

In the Details tab, click on the Copy to File button:

image

The Certificate Export Wizard will now open:

image

Change the radio button from DER encoded binary X.509 (.CER):

image

… to Cryptographic Message Syntax Standard – PKCS #7 Certificates (.P7B) and select the Include all certificates in the certification path if possible checkbox:

image

Enter a name for the .p7b file:

image

Proceed with exporting the file:

image

image

image

With the .p7b file in the same directory as the vssKeys.p12, open the command prompt as an administrator and execute the following:

keytool -import -keystore C:\vssKeys.p12 -storetype pkcs12 -storepass P@ssw0rd -keyalg "RSA" -trustcacerts -file view.p7b

image
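
keytool only recognises an option when it starts with a plain ASCII hyphen, and a command copied from a web page or document can carry a typographic dash or curly quotes instead. The following check is an added example, not part of the original post; the function name `lint_command` and the sample command with its placeholder password are constructed for illustration.

```python
import unicodedata

# Typographic characters that browsers and word processors substitute for ASCII.
DASHES = {"\u2010", "\u2011", "\u2012", "\u2013", "\u2014", "\u2212"}
QUOTES = {"\u201c": '"', "\u201d": '"', "\u2018": "'", "\u2019": "'"}

# Constructed sample: the option before the password starts with an en dash.
SAMPLE = ("keytool -import -keystore C:\\vssKeys.p12 -storetype pkcs12 "
          "\u2013storepass CHANGEME -trustcacerts -file view.p7b")


def lint_command(cmd):
    """Return (findings, cleaned) for a pasted command line.

    findings is a list of (column, Unicode character name, token) tuples.
    Only a dash at the start of a token is rewritten, so a dash inside a
    password or filename is left untouched.
    """
    findings, cleaned, col = [], [], 0
    for token in cmd.split(" "):
        fixed = token
        if token and token[0] in DASHES:
            findings.append((col, unicodedata.name(token[0]), token))
            fixed = "-" + token[1:]
        for i, ch in enumerate(token):
            if ch in QUOTES:
                findings.append((col + i, unicodedata.name(ch), token))
                fixed = fixed.replace(ch, QUOTES[ch])
        cleaned.append(fixed)
        col += len(token) + 1
    return findings, " ".join(cleaned)


if __name__ == "__main__":
    issues, safe = lint_command(SAMPLE)
    for column, name, token in issues:
        print(f"column {column}: {name} in {token!r}")
    print(safe)
```
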

Once the command successfully executes, proceed with copying the vssKeys.p12 file to the following directory:

image

C:\Program Files\VMware\VMware View\Server\sslgateway\conf\

image

image

Create a file named locked.properties:

image

Edit the file and put in the following as shown in the screenshot:

keyfile=vssKeys.p12
keypass=P@ssw0rd

image

Restart the VMware View Security Server service:

image

image

Once the service restarts, navigate to the Security Server’s webpage and verify that the certificate has been installed.
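
The same verification can be made against the keystore file itself by running `keytool -list -v -keystore vssKeys.p12 -storetype pkcs12` and checking that the CA-signed certificate replaced the self-signed one on the private key entry. The parser below is an added example, not part of the original post; `check_keystore` and both sample listings are constructed, and the alias `mykey` is keytool's default because the commands above pass no `-alias`.

```python
import re

# Constructed samples of `keytool -list -v` output, trimmed to the fields
# checked below. Hostnames and CA names are made up.
AFTER_IMPORT = """\
Keystore type: PKCS12

Alias name: mykey
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=view.example.com, O=Example Corp, C=US
Issuer: CN=Example Issuing CA, O=Example CA, C=US
Certificate[2]:
Owner: CN=Example Issuing CA, O=Example CA, C=US
Issuer: CN=Example Root CA, O=Example CA, C=US
"""

BEFORE_IMPORT = """\
Keystore type: PKCS12

Alias name: mykey
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=view.example.com, O=Example Corp, C=US
Issuer: CN=view.example.com, O=Example Corp, C=US
"""


def check_keystore(listing):
    """Return a list of problems; empty means the CA reply sits on the key entry."""
    entries = re.split(r"(?m)^Alias name: ", listing)[1:]
    keys = [e for e in entries if re.search(r"(?m)^Entry type: PrivateKeyEntry", e)]
    if not keys:
        return ["no PrivateKeyEntry found: this keystore holds no private key"]
    problems = []
    for entry in keys:
        alias = entry.splitlines()[0].strip()
        chain = int(re.search(r"(?m)^Certificate chain length: (\d+)", entry).group(1))
        # The first Owner/Issuer pair belongs to Certificate[1], the server cert.
        owner = re.search(r"(?m)^Owner: (.+)$", entry).group(1).strip()
        issuer = re.search(r"(?m)^Issuer: (.+)$", entry).group(1).strip()
        if owner == issuer:
            problems.append(f"{alias}: certificate is still self-signed")
        elif chain < 2:
            problems.append(f"{alias}: chain length {chain}, CA certificates missing")
    return problems
```
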

2 comments:

Anonymous said...

THANK YOU!!!!!!!!

Unknown said...

Hi Guys! Please help. I was almost finished and I got the error below.

C:\>keytool -import -keystore C:\cer\viewxxx\vssKeys.p12 -storetype pkc
s12 -storepass xxxdomain! -keyalg "RSA" -trustcacerts -file viewdeltafundcom.p7
b
keytool error: java.lang.RuntimeException: Usage error, ûstorepass is not a lega
l command