Certificates for VMware Horizon View 6 with Certreq



A while ago I wrote a blog post about certificate issues with VMware Horizon View, which had to do with the thumbprints being different. If you request a certificate on each Connection Server through the MMC, each server will have a different thumbprint, which might result in an issue with clients connecting. I was reading a VMware knowledge base article about this and the friendly name was missing. I wanted to write a blog post about that, but it turned into this one (having a hard time stopping while writing 🙂 )
To make sure you don't run into this issue you need to request the certificate through Certreq and export it to the other servers. I will show you how this is done.

Requirements

I assume you will use an internal certificate authority (called CA from here on) for the certificates.
To implement the certificates you need the following:
– Internal CA (working and supplying certificates).
– Request.inf file
– Connection servers
So let’s start!

Request.inf

Before you can do anything you need to create the request.inf file and set it up for your environment.
The contents of request.inf are shown below; if you use this one, make sure you copy all of it, including the beginning and the end.
;----------------- request.inf -----------------
[Version]
Signature="$Windows NT$"
[NewRequest]
Subject = "CN=FQDN Connection server, OU=Organizational unit, O=organization, L=location, S=state, C=Country"
; Replace "FQDN Connection server" with the FQDN of the View server.
; Replace the remaining Subject attributes.
KeySpec = 1
KeyLength = 2048
; KeyLength is usually chosen from 2048, 3072, or 4096. A KeyLength
; of 1024 is also supported, but it is not recommended.
Exportable = TRUE
MachineKeySet = TRUE
FriendlyName = vdm
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
[RequestAttributes]
SAN="DNS=FQDN&DNS=FQDN"
;-----------------------------------------------
Okay, so now for some editing of the file. There are two areas that you need to edit: the first line (Subject) and the last line (SAN). Let's start with the first line.
Subject = "CN=FQDN Connection server, OU=Organizational unit, O=organization, L=location, S=state, C=Country"
Like any certificate request you need to fill this one in.
CN is the FQDN of the connection server you are requesting this for, but when users connect to the pod with a friendly name like myworkplace.myorg.local, you fill in that name there.
So let's fill in CN=myworkplace.myorg.local
Next is the OU. The OU is not that important; it's not being checked or anything, so for this server I fill in Servers. So OU=Servers
Next is O for organization; mostly you see IT in this part, but you could also put the customer name here, so let's do that. So O=myorg.
L stands for location, so the city you're in; don't use abbreviations but type the whole name. Let's assume we're located in Amsterdam. L=Amsterdam.
S stands for state, the US name for a county or a province. You can use abbreviations with an internal CA; some external ones don't like that, but for me this will work. Let's see, Amsterdam is in North Holland (yes, that's a province in The Netherlands). S=NH.
Last one, C stands for Country. That's an easy one: where is Amsterdam located? No, not Denmark, it's The Netherlands (or Holland for most tourists). The country code for us is NL. C=NL.
That's the first line configured correctly.
Subject = "CN=myworkplace.myorg.local, OU=servers, O=myorg, L=Amsterdam, S=NH, C=NL"

So next up is the last line.
Connecting with a friendly name is only done by users, and when you configure it like we did above they will be happy and not get a warning about an unsafe website.

The Horizon View console, however, connects to the server's FQDN and will show a red mark when there is no valid certificate assigned to this server with the FQDN in it.
To fix that you need to add SAN names to the certificate: extra names showing that the certificate is also valid for those names.

[RequestAttributes]
SAN="DNS=FQDN&DNS=FQDN"

The line is pretty simple: you just add the FQDN you want, and if you want more than one you add a & and go on from there. You should at least add the FQDN of the server to be safe with the console. So the line looks like this:

[RequestAttributes]
SAN="DNS=Conn01.myorg.local"

After completing this you are ready to create the certificate request. Make sure the request.inf file is stored somewhere on the connection server, e.g. c:\certificates.

By the way, if you have more than one connection server (and who doesn't?) you need to add them all, so SAN="DNS=Conn01.myorg.local&DNS=Conn02.myorg.local" needs to be added. If you also apply the certificate to the external-facing connection server, add the external URL as well; here that would be workplace. It just checks for the short name.

Create certificate request

Log on to your first connection server, open a command prompt with administrative rights and browse to the folder where you stored the request.inf.

Type the command: certreq -new request.inf certreq.txt
This will create a certificate request file that we will submit to the internal CA.

Before you do that, make sure you have a web server template based on Windows 2003 ready on your internal CA. I'm sure I don't have to write here how to make one.

In the folder you’ll see a file appear, certreq.txt, open it and copy the whole content.
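The same procedure as a script, added here as an example and not part of the original post: it writes request.inf with the Subject and SAN values worked out above, runs certreq -new, and dumps the CSR to confirm every name is present before it goes to the CA. The server names, the OU/O/L/S/C values and C:\certificates are assumed.

```powershell
# Added example (not the post's own script). Assumed: names below, C:\certificates.
# Run in an elevated PowerShell on the first Connection Server.
param(
    [string]$CommonName = 'myworkplace.myorg.local',
    [string[]]$SanNames = @('myworkplace.myorg.local', 'conn01.myorg.local', 'conn02.myorg.local'),
    [string]$WorkDir    = 'C:\certificates'
)

$null    = New-Item -ItemType Directory -Path $WorkDir -Force
$infPath = Join-Path $WorkDir 'request.inf'
$csrPath = Join-Path $WorkDir 'certreq.txt'
# Same settings as the request.inf in the post; only Subject and SAN are parameterised.
# SAN as a request attribute is only honoured if the CA accepts SAN request
# attributes; an [Extensions] section is the alternative when it does not.
$san = ($SanNames | ForEach-Object { "DNS=$_" }) -join '&'
$inf = @"
[Version]
Signature="`$Windows NT`$"
[NewRequest]
Subject = "CN=$CommonName, OU=servers, O=myorg, L=Amsterdam, S=NH, C=NL"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
FriendlyName = vdm
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
[RequestAttributes]
SAN="$san"
"@
# certreq wants plain ASCII; a UTF-8 BOM or curly quotes make it fail to parse.
Set-Content -Path $infPath -Value $inf -Encoding Ascii

& certreq.exe -new $infPath $csrPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# Check the CSR before submitting it: every name the console and the users use must be in it.
$dump    = (& certutil.exe -dump $csrPath) -join "`n"
$missing = $SanNames | Where-Object { $dump -notmatch [regex]::Escape($_) }
if ($missing) { Write-Warning "Names not found in CSR: $($missing -join ', ')" }
else { Write-Host "CSR written to $csrPath with SANs: $($SanNames -join ', ')" }
```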

Request a certificate

Next up is to request a certificate; you have the content of the file on the clipboard and a web server template ready. Open an Internet Explorer window and browse to your internal CA at the following address: http://CA-FQDN/certsrv
Click on Request a certificate
Click on Advanced certificate request
Click on Submit a certificate request using a base-64-encoded……
Paste the contents of the certreq.txt file into the request box and choose the web server certificate template. Click on Submit.
Click on Base 64 encoded and choose Download certificate.
The certificate is downloaded and now needs to be imported into the certificate store.

Importing in Certificate store

Importing into the store is done with Certreq through the command prompt. So again open the command prompt as administrator and browse to the location where you stored the files.
Type the command: certreq -accept certnew.cer
The certificate will be imported into the certificate store.
Now you only need to restart the VMware View Connection Server service and you're good to go.
All will be green now.
This is fine with one connection server, but what about more than one, what about four or five of them? You don't want to repeat this process on each server, and you want this same certificate on each server to make sure the thumbprints are the same everywhere. So let me show you how to do this.

Export certificate

Now that the certificate is imported into the certificate store we can export it and use it on the other connection servers. Exporting is done by opening the certificates MMC and right-clicking the certificate you want to export.
Right click and choose All Tasks / Export.
A wizard will start and guide you through this process; here it is (comments only where needed).

It is very important to make sure you export the private key; the certificate is worth nothing without it.

I marked the extended properties option because in my opinion SAN names are extended properties; I never tried without this mark.

Use an easy password, for it is only used to import the file later on; it's of no use to anyone else.

Select a location for the exported PFX file that you will use to import it later on the other servers.

Importing a certificate

Importing a certificate works the same way but backwards: open the MMC/Certificates and browse to Personal/Certificates. Right-click and choose All Tasks / Import.

A wizard will open and guide you through.

Select the path to the exported certificate.

Type the password and make sure you mark Exportable before going on.

Certificates need to be in the personal store.

Last thing is to restart the connection server service.

….and when you have done all this, you will see all green in the View Administrator console, and when you check the certificates they will all have the same thumbprint, ensuring you won't have issues.
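A check for the end result, added here as an example and not part of the original post: run from an admin workstation, it collects the vdm certificate from each Connection Server over PowerShell remoting and reports differing thumbprints, a missing private key, or a SAN without that server's own FQDN. The server names are assumed.

```powershell
# Added example (not the post's own script). Assumed: server names below, WinRM
# enabled and admin rights on each Connection Server.
param(
    [string[]]$Servers = @('conn01.myorg.local', 'conn02.myorg.local'),
    [int]$MinDaysValid = 30
)

$results = Invoke-Command -ComputerName $Servers -ScriptBlock {
    # Horizon View uses the LocalMachine\My certificate whose friendly name is "vdm".
    $certs = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.FriendlyName -eq 'vdm' })
    $fqdn  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    foreach ($c in $certs) {
        $sanExt = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $sanTxt = if ($sanExt) { $sanExt.Format($false) } else { '' }
        [pscustomobject]@{
            Server        = $fqdn
            Thumbprint    = $c.Thumbprint
            HasPrivateKey = $c.HasPrivateKey
            NotAfter      = $c.NotAfter
            CoversOwnFqdn = [bool]($sanTxt -match [regex]::Escape($fqdn))
            VdmCertCount  = $certs.Count
        }
    }
}

$results | Format-Table Server, Thumbprint, HasPrivateKey, CoversOwnFqdn, NotAfter -AutoSize

# The conditions the post describes (differing thumbprints, no private key, own FQDN
# missing from the SAN) plus an expiry check.
$problems = @()
$thumbs   = @($results.Thumbprint | Sort-Object -Unique)
if ($thumbs.Count -ne 1) { $problems += "Thumbprints differ across servers: $($thumbs -join ', ')" }
foreach ($r in $results) {
    if (-not $r.HasPrivateKey) { $problems += "$($r.Server): no private key (PFX exported without it?)" }
    if (-not $r.CoversOwnFqdn) { $problems += "$($r.Server): own FQDN missing from SAN, console stays red" }
    if ($r.VdmCertCount -gt 1) { $problems += "$($r.Server): more than one certificate named vdm" }
    if ($r.NotAfter -lt (Get-Date).AddDays($MinDaysValid)) { $problems += "$($r.Server): expires $($r.NotAfter)" }
}
foreach ($s in $Servers) {
    if (-not ($results | Where-Object { $_.Server -eq $s })) { $problems += "${s}: no certificate with FriendlyName vdm" }
}
if ($problems) { $problems | ForEach-Object { Write-Warning $_ } } else { Write-Host 'All servers share one valid vdm certificate.' }
```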

Yes, I know there is one red mark, but that is a trusted domain that is giving issues, not the one the users will be coming from. Not my problem.

Hope this helps you guys; it's a bit more work but it ensures your View environment is set up nicely.

