Thursday, April 18, 2013

Issuing certificates for VMware Horizon View 5.2 servers with Microsoft Enterprise Certificate Authority

I’ve recently been asked quite a few times in over the last few months on how to properly request and issue certificates for VMware View servers ever since the later versions of 5.x began throwing warnings when servers are using their default self-signed certificates and not a certificate that is issued by a trusted certificate authority such as an internal Microsoft Enterprise CA or a public CA such as GoDaddy, Verisign, etc.  I’ve always suggested using a public CA simply because mobile devices don’t natively trust certificates issued by an internal CA and because it’s not a domain joined device, there is really no automated way to place the internal CA’s certificate into the trusted store.  With that being said, if you don’t have any mobile or non-domain joined devices in your environment, you can use an internal Microsoft Enterprise CA for your View connection server certificates.  The following demonstrates the process:

Upon successfully deploying your View Connection servers (both internal and external), you will noticed that the dashboard lists all of them with an error:

image

… and clicking on the server object will display the error:

Name: <serverName>

Version: 5.1.2

Status: Server’s certificate does not match the URL.

SSL Certificate: Invalid

Connections: 0

image

Before I begin demonstrating using a Microsoft Enterprise Root CA to issue the certificates, note that the official VMware View documentation for obtaining SSL certificates can be found in the following URL:

Obtaining SSL Certificates for VMware Horizon View Servers
http://pubs.vmware.com/view-52/index.jsp?topic=%2Fcom.vmware.view.certificates.doc%2FGUID-358E1A54-DDD7-4A76-B9CB-198E0F7F76D4.html

image

… another old KB article that is more specific to using a Microsoft CA to obtain a certificate can be found here:

Managing SSL Certificates in VMware View 5.1 using an internal Microsoft Certificate Authority (2020913)
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2020913

With the location of the official documentation out of the way, the certificate I intend on issuing will contain the common name:

  • vdi.domain.com

… and the following SAN entries:

  • vdi.domain.internal
  • vdi
  • svrvmvc01.domain.internal
  • svrvmvc01
  • svrvmvc02.domain.internal
  • svrvmvc02
  • svrvmvce01.domain.internal
  • svrvmvce01
  • svrvmvce02.domain.internal
  • svrvmvce02

By requesting a certificate with all of these names, I can simply use one certificate for all of my servers (2 internal and 2 external View connection servers).  I get asked a lot about why I like putting the NetBIOS name in certificates any reason is that I’m quite lazy when it comes to typing in the URL for servers as I tend not to use the FQDN in most cases unless my laptop is not a part of the domain or if the DHCP servers do not issue the suffix for a domain. While I can’t speak for others, my guess is that there are probably others like me out there and since we don’t pay extra for having additional SAN entries when issuing certificates from an internal private CA, why not put them in?  What’s also important to note is that Certificate Authorities (CAs) have accepted worldwide guideline changes and will no longer issue SAN SSL Certificates that are not in a legitimate FQDN format as of November 2015.  I found out about this a few weeks back when trying to issuing a 3 year GoDaddy certificate with NetBIOS names so keep that in mind when planning your certificate.

Begin by logging onto one of your View Connection server, open the MMC console and add the Local Computer store’s Certificate snap-in:

image

Right click on the Certificates node under Certificates (Local Computer) –> Personal –> Certificates and select All Tasks –> Request New Certificate:

image

Click on Next:

image

Select Active Directory Enrollment Policy and click Next:

image

Note how I have a Web Server Exportable certificate template in the list which is a duplicate of the Web Server template but with the Private Key is Exportable enabled.  The reason why this is important is because we will need to export this certificate to other servers so proceed with select the certificate and click on the More information is required to enroll for this certificate. Click here to configure settings. link:

image

The following Certificate Properties window is where we enter the information required for the certificate:

image

You don’t necessarily have to fill in all of the attributes but the following are the fields that I usually fill in:

E = tluk@domain.com

CN = vdi.domain.com

OU = IT

O = Company

L = Hamilton

S = Hamilton

C = BM

Adding SAN entries is simply selecting the DNS as the Type under the Alternative name section:

image

With the Subject tab for the Certificate Properties filled out, proceed with clicking on the General tab and type in vdm as the Friendly name.  Note that this field MUST contain vdm or your View connection servers will not use this certificate. 

clip_image001

Clicking OK in the window above will complete issuing of the certificate to the server:

image

With the certificate now in the local computer store, test the certificate by restarting the VMware View Connection Server service:

clip_image001[4]

clip_image001[6]

clip_image001[8]

Log back into the administration console:

image

Note how the server with the certificate is now labeled with a green square indicating the error is gone:

image

Note that if you continue to see a red square complaining about the certificate, check the certificate properties and ensure the friendly name has the string vdm:

image

Now that we’ve confirmed the certificate works, proceed with exporting the certificate with the private key:

image

clip_image001[10]

Make sure you export the private key:

clip_image001[12]

Export as a PFX file:

clip_image001[14]

clip_image001[16]

clip_image001[18]

clip_image001[20]

clip_image001[22]

Then copy the PFX file to the other VMware View Connection servers and import it:

image

clip_image001[24]

clip_image001[26]

clip_image001[28]

clip_image001[30]

clip_image001[32]

clip_image001[34]

clip_image001[36]

image

Restart the services on the server:

clip_image001[38]

clip_image001[40]

Note that it may also be necessary to restart the other servers as well to update the error:

clip_image001[42]

Hope this helps anyone looking for information on using a Microsoft Enterprise CA to issue certificates for VMware View connection servers.

7 comments:

fahadnaif said...

thanks a lot

virtualcloudz said...

Hi Terence, YOur posts are simply superb. Looks simple but conveys what reader need to know with screenshots.

"I’ve always suggested using a public CA simply because mobile devices don’t natively trust certificates issued by an internal CA and because it’s not a domain joined device, there is really no automated way to place the internal CA’s certificate into the trusted store."

If we use Internal CA certs for view environment and external users try to use View desktop from mobile devices which are not joined to domain, how do they behave. Is it works? DO you see any issues with this approach?

Terence Luk said...

Using an internal CA to generate certificates for external clients that aren't joined to the domain will work if you uncheck the "Do not verify server identity certificates" in the VMware View client "Configure SSL..." options. This is not recommended for obvious reasons so I would recommend using public CA certificates.

virtualcloudz said...

Thank you Terence.

I have already installed internal CA certs for Vcenter and it's respective components and I'll request external CA wild card cert for View environment.

Anonymous said...

Your Post is great, just what i was looking for. The only problem i encounter is the fact i don't have a Web Server Exportable template when the sellection has to be made. Is there a description "how to make Web Server Exportable Template"?

Keep up the good work!!

Qadit Qadit said...

Thanks for sharing your info. I really appreciate your efforts and I will be waiting for your further write ups thanks once again.

Data Security Information in Bangalore

Chris Koch said...

This is a great post, but doesn't this SAN cert publicly expose your internal server and domain names? I've been trying to find a way to avoid this security risk. Any thoughts?