VMware Horizon 6 install – Part 3 SSL Certificates
The third part of my Horizon 6 install series brings us to SSL certificates. I know, I know, no one likes certificates, and they are usually a pain in the ass to set up. But you cannot ignore them in a Horizon installation: when almost any client can connect from nearly any place, the ability to ensure you’re connecting to the right server is critical.
This post will focus on how to install the SSL certificate on the first connection server. This process will be repeated for each additional connection server, the security server(s) and the View Composer server if you are installing one separately from vCenter. You could just use the default Web Server certificate template that is built into Windows Certificate Authorities (CA), but VMware does specify a few other requirements. I’ve seen the default work fine, but I recommend that you follow what VMware requires exactly to ensure full supportability. I recommend reading Derek Seaman’s walkthrough on preparing a new certificate for use with VMware. For the purpose of this article I will be using a Windows CA. This is also the most common method that I see at customers.
Horizon 6 Install SSL Certificates
If you try to log into the Horizon View Manager, you will get the warning about the website’s security certificate as shown below. This is because the View server is using a self-generated certificate, which does not come from an authority that we trust.
Once logged in, you will see a warning on the dashboard. If you click on the server that is showing the warning (in my case the first connection server), a window will pop up with the explanation shown below, warning about the use of the self-signed certificate.
To correct this I have closed the Horizon View manager and will open up a Microsoft Management Console (MMC). Once open we need to add a snap-in. I will choose the Certificates snap-in, then choose the Computer account choice. This will allow us to manage certificates based on the computer account.
Once the MMC is open, expand the Certificates option, find the Personal folder, open it and select the Certificates folder as shown below. On the right side of the window there is one certificate, and it shows that it was issued by the server we are working on. That means it’s a self-signed certificate, which is what the warning indicated earlier. Also highlighted in the image below is the Friendly Name of the cert; for View it uses the name vdm. This is important because Horizon will look for this friendly name to identify the cert that it will use to secure the server.
You will now see the first step in the Certificate Enrollment process. This should not be anything new if you have done this for another server or application in the past. The fundamental process is the same; we are just using a cert template created to match VMware’s recommendations.
On this step, you will pick the certificate template that you wish to use. Again, you could probably get by with the Web Server one that is built into the Windows CA, but I’ll be using the VMware-SSL template created earlier by following the post linked above. For this I need to check the box and click on the blue warning, which will allow me to provide the needed details.
The additional details are provided in the Certificate Properties window that opens up. Here we must provide the Common name, which is the same as the FQDN. Then we add both the short and long name versions in the DNS field. Examples for my test server are shown below in the red boxes.
The last requirement for a View certificate is that it must be exportable. To accomplish this, click on the Private Key tab and expand the Key options section. There is a box to check to make the key exportable; check it and we are ready to move forward.
Now we are back at the MMC screen and we should see two certificates for the server we are working on. One is a self-signed certificate and the other was issued by our Windows CA. You will also see that the self-signed one has the Friendly Name of “vdm”, which is what View uses as an identifier. We must edit the old cert to remove the friendly name, and then edit our new cert to add the friendly name.
The image below now shows that the certificate issued by the Windows CA is the one with the vdm Friendly Name. All that is needed now is to restart the VMware View services or the server. This will force View to use the new certificate, and then we are ready to test.
To test out the new certificate, I will attempt to connect to View Manager via the server’s short name as shown in the image below. I no longer get the certificate warning and IE is showing the padlock, which means we are using a secure connection.
Once in View Manager you should see that there is no longer the red warning box next to our server. If you click on the server that the cert was replaced on, you will see that it now has a valid certificate as shown in the image below.
This completes the process of applying an SSL certificate to a View connection server. You will follow the same process for other connection servers, the security server and the Composer server. Do each of the servers within your Horizon install one at a time until they are all secured.
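The requirements walked through above (a single certificate carrying the vdm friendly name, issued by the CA rather than self-signed, common name equal to the FQDN, short and long DNS names) can be checked from an elevated PowerShell prompt on each server after the swap. This is an added example, not from the original post or from VMware; the function name Test-VdmCertificate is hypothetical, and it assumes an English-language Windows install for the SAN text format.

```powershell
# Added example; Test-VdmCertificate is a hypothetical helper name, not a VMware cmdlet.
function Test-VdmCertificate {
    param(
        # Long name expected in the certificate; defaults to this machine's DNS host name.
        [string]$Fqdn = [System.Net.Dns]::GetHostEntry('').HostName,
        [string]$ShortName = $env:COMPUTERNAME
    )

    # View selects its certificate by the friendly name "vdm", so exactly one may carry it.
    $vdm = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.FriendlyName -eq 'vdm' })
    if ($vdm.Count -ne 1) {
        Write-Warning "Expected exactly one certificate named 'vdm', found $($vdm.Count)."
        $vdm | Select-Object Thumbprint, Subject, Issuer
        return
    }
    $cert = $vdm[0]

    # Subject Alternative Name extension (OID 2.5.29.17) rendered as one line of text.
    # Assumes English Windows, where entries are formatted as "DNS Name=<value>".
    $sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
    $hasSan  = { param($name) $sanText -match ('DNS Name=' + [regex]::Escape($name) + '\s*(,|$)') }

    $simpleName = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $now = Get-Date
    $checks = [ordered]@{
        'Issued by a CA (subject differs from issuer)' = $cert.Subject -ne $cert.Issuer
        'Private key present in the store'             = $cert.HasPrivateKey
        'Inside validity period'   = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)
        'Common name equals FQDN'  = $cert.GetNameInfo($simpleName, $false) -eq $Fqdn
        'SAN lists the long name'  = & $hasSan $Fqdn
        'SAN lists the short name' = & $hasSan $ShortName
        # Verify() builds the chain with the machine's trust store and checks revocation.
        'Chain validates on this server' = $cert.Verify()
    }

    # Emit one row per check so the result can be filtered or exported.
    $checks.GetEnumerator() | ForEach-Object {
        [pscustomobject]@{ Check = $_.Key; Passed = [bool]$_.Value }
    }
}

Test-VdmCertificate | Format-Table -AutoSize
```

A row with Passed set to False points back at the corresponding step above; a warning about the count means the friendly name is still on the old self-signed certificate, on both, or on neither.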
About Brian Suhr
Brian is a VCDX5-DCV and a Sr. Tech Marketing Engineer at Nutanix and owner of this website. He is active in the VMware community and helps lead the Chicago VMUG group. Specializing in VDI and Cloud project designs. Awarded VMware vExpert status 6 years for 2016 - 2011. VCP3, VCP5, VCP5-Iaas, VCP-Cloud, VCAP-DTD, VCAP5-DCD, VCAP5-DCA, VCA-DT, VCP5-DT, Cisco UCS Design