VMware Horizon 6 install – Part 3 SSL Certificates

Posted by on July 1, 2014 in Horizon Suite, View | 23 comments

The third part of my Horizon 6 install series brings us to SSL certificates. I know, I know, no one likes certificates and they are usually a pain in the ass to set up. But you cannot ignore them in a Horizon installation: because almost any client can connect from nearly any place, the ability to ensure you’re connecting to the right server is critical.

This post will focus on how to install the SSL certificate on the first connection server. This process will be repeated for each additional connection server, the security server(s) and the View Composer server if you are installing one separately from vCenter. You could just use the default Web Server certificate template that is built into Windows Certificate Authorities (CA), but VMware does specify a few other requirements. I’ve seen the default work fine, but I recommend that you follow what VMware requires exactly to ensure full supportability. I recommend reading Derek Seaman’s walkthrough on preparing a new certificate template for use with VMware. For the purpose of this article I will be using a Windows CA. This is also the method I see most often at customers.

Other posts in this Horizon series.

VMware Horizon 6 install – Part 1 connection servers

VMware Horizon 6 install – Part 2 security servers

VMware Horizon 6 install – Part 4 configuring RDS pool

VMware Horizon 6 install – Part 5 setting up RDS desktops

VMware Horizon 6 install – Part 6 setting up RDS applications

 

Horizon 6 Install SSL Certificates

If you try to log into the Horizon View Manager you will get the warning about the website’s security certificate as shown below. This is because the View server is using a self-generated certificate that does not come from an authority that we trust.

Once logged in you will see a warning on the dashboard. If you click on the server that is showing the warning, in my case the first connection server, a window will pop up with the explanation shown below, warning about the use of the self-signed certificate.

To correct this I have closed the Horizon View Manager and will open up a Microsoft Management Console (MMC). Once it is open we need to add a snap-in. I will choose the Certificates snap-in, then choose the Computer account option. This will allow us to manage certificates for the computer account.

Once the MMC is open we expand the Certificates option, find the Personal folder, then open and select the Certificates folder as shown below. On the right side of the window there is one certificate, and it shows that it was issued by the server we are working on. That means it’s a self-signed certificate, which is what the warning indicated earlier. Also highlighted in the image below is the Friendly Name of the cert; in the case of View it uses a name of vdm. This is important because Horizon will look for this friendly name to identify the cert that it will use to secure the server.

Now we need to request a new certificate. This can be done by right-clicking on the Certificates folder as shown below.

You will now see the first step in the Certificate Enrollment process. This should not be anything new if you have done this for another server or application in the past. The fundamental process is the same; we are just using a cert template created to VMware’s recommendations.

The next step shows that we will be using the AD enrollment policy that is available. Nothing special to do here, just proceed to the next step.

On this step, you pick the certificate template to use. Again, you could probably get by with the Web Server template that is built into the Windows CA, but I’ll be using the VMware-SSL template created earlier from the linked post. Check its box and click on the blue warning; this will allow you to provide the needed details.

The additional details are provided in the Certificate Properties window that opens up. Here we must provide the Common name, which is the same as the FQDN. Then we add the short and long name versions in the DNS field. Examples are shown below for my test server in the red boxes.

The last requirement for a View certificate is that it must be exportable. To accomplish this, click on the Private Key tab and expand the Key options section. There is a box to check to make the key exportable; do this and we are ready to move forward.

You should now be back at the previous enrollment screen, where the additional details warning is gone and we are ready to click the Enroll button.

Last up we see the final confirmation screen showing the process was successful.

Now we are back at the MMC screen and we should see two certificates for the server we are working on. One is the self-signed certificate and the other was issued by our Windows CA. You will also see that the self-signed one has the Friendly Name of “vdm”; this is what View uses as an identifier. We must edit the old cert and remove the friendly name, then edit our new cert and add the friendly name.

The image below now shows that the certificate issued by the Windows CA is the one with the vdm Friendly Name. All that is needed now is to restart the VMware View services or the server. This will force View to use the new certificate and then we are ready to test.

To test the new certificate I will connect to View Manager via the server’s short name as shown in the image below. I no longer get the certificate warning and IE is showing the padlock, which means we are using a secure connection.

Once in View Manager you should see that there is no longer a red warning box next to our server. If you click on the server that the cert was replaced on, it now shows a Valid Certificate as in the image below.

This completes the process of applying an SSL certificate to a View connection server. You will follow the same process for the other connection servers, the security server and the Composer server. Do each of the servers within your Horizon install one at a time until they are all secured.
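The checks from the walkthrough above, scripted as an added example that is not part of the original post: it audits the certificate View will select (the one in the computer account's Personal store with Friendly Name vdm) against the requirements described here. It assumes PowerShell 4.0 or later in an elevated session on the connection server, and that the server is reached by its short name and its AD FQDN.

```powershell
# Added example (not from the original post): audit the certificate that View
# will select, i.e. the one in LocalMachine\My with Friendly Name "vdm".

# Assumption: the names clients use are the short name and the AD FQDN.
$short = $env:COMPUTERNAME
$fqdn  = [System.Net.Dns]::GetHostEntry($short).HostName

$vdm = @(Get-ChildItem Cert:\LocalMachine\My |
         Where-Object { $_.FriendlyName -eq 'vdm' })
if ($vdm.Count -ne 1) {
    # Zero means View has nothing to bind; two or more is ambiguous
    # (for example, the old self-signed cert still carries the name).
    throw "Expected exactly one certificate with Friendly Name 'vdm', found $($vdm.Count)."
}
$cert = $vdm[0]

# DnsNameList is added by the PowerShell certificate provider and holds the
# DNS names from the SAN extension and the subject CN.
$names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })

# The exportable flag is only readable this way for CSP-backed keys; report
# 'unknown' rather than guessing when the key is CNG-backed.
$exportable = 'unknown'
try {
    $info = $cert.PrivateKey.CspKeyContainerInfo
    if ($info) { $exportable = $info.Exportable }
} catch { }

$now = Get-Date
[pscustomobject]@{
    Thumbprint      = $cert.Thumbprint
    Issuer          = $cert.Issuer
    CaIssued        = $cert.Subject -ne $cert.Issuer   # False = self-signed
    ChainTrusted    = $cert.Verify()                   # chain builds to a trusted root
    HasPrivateKey   = $cert.HasPrivateKey
    KeyExportable   = $exportable
    WithinValidity  = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
    CoversFqdn      = $names -contains $fqdn
    CoversShortName = $names -contains $short
    NotAfter        = $cert.NotAfter
} | Format-List
```

Any False in the output points back to the matching step above: CaIssued and ChainTrusted to the template and enrollment, CoversFqdn and CoversShortName to the DNS entries in Certificate Properties, KeyExportable to the Private Key tab.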

About Brian Suhr

Brian is a VCDX5-DCV and a Sr. Tech Marketing Engineer at Nutanix and owner of this website. He is active in the VMware community and helps lead the Chicago VMUG group. Specializing in VDI and Cloud project designs. Awarded VMware vExpert status 6 years for 2016 - 2011. VCP3, VCP5, VCP5-Iaas, VCP-Cloud, VCAP-DTD, VCAP5-DCD, VCAP5-DCA, VCA-DT, VCP5-DT, Cisco UCS Design

23 Comments

  1. First of all Brian, your posts are great and very helpful.
    I can find 4 out of 6 parts on Horizon on your website. Are part 4 and part 6 in a development state? I am unable to find them.

    • Hello,

      Yes, got a little busy with some projects at work. The last two parts and some future ones are in progress. Have the labs done and screenshots, just need to finish writing the test.

      Hope to have done in about a week.

      Thanks for reading

  2. Thank you, your posts are great and very helpful!
    I might add that after creating the CA the user should restart the Horizon VMware View Connection service so the server will recognize it.

  3. Great articles. What is the process to configure the certificates on the Security Servers in the DMZ? Do you export the certificate?

    • If you use an internal cert authority you can export from another server. I know there is a need for a good walk-thru on how to use external certs from Godaddy or another site.

      • Hey,

        Any chance there is a walk thru for Go Dayy?

        • *GoDaddy

          • No, but you should be able to find posts out there on applying a GoDaddy cert to a Windows server, same process.

  4. Hi,
    Thank you for your post!
    I followed it probably VMware view server sees the CA.
    But somehow when I use the browser or the VMware Horizon Client Version 6.0.1.
    still get the error on the CA
    http://i60.tinypic.com/9rhlvp.png
    http://i61.tinypic.com/9fqln4.png

    • The first picture shows you probably used the desktop shortcut to open view admin. That uses the localhost as the name to open the management page. Your cert is tied to the server name, if you replace “localhost” with your server name it will be fine.

  5. Pain in the ass indeed and maddening! I have followed this procedure exactly and when I attempt to connect to the admin server, I get an ERR_SSL_VERSION_OR_CIPHER_MISMATCH error. Anyone have any insight?

    • Never mind. I found the resolution. Buried in a VMware KB article for View is a caveat that Win2K3 certificates must be used. Win2K8 will not work.

  6. Hello, Brian! Thanks for your article.
    Should I remove the self-signed certificate if it is already installed previously?

    • Ahhh! I should read man carefully, simply rename friendly name existing self signed cert and voila!
      https://pubs.vmware.com/horizon-view-60/index.jsp#com.vmware.horizon-view.installation.doc/GUID-5ED2A8AB-0D5F-495F-B2F7-D7C64C7A021E.html

    • Brian, thank you for this post. My issue is that when I go to pick the templates, I do not get any available choices. The window is blank and if I hit the show all check box everything comes up as unavailable. I am running 1 connection server on 2012 R2 and have a 2012 DC running at 2003 domain level.

      Thank you in advance

      • My guess is it’s probably a permissions issue.

        • Hi Brian, the only type of certificate available to me is the Computer one. When I check Show all templates, all the other ones are listed as unavailable. The VMware-SSL is not listed either. I’m domain and enterprise admin so I doubt this is a permission issue. Can you help?

          • Nevermind, found the issue. My cert templates on my CA were not authorizing Computer account to enroll. All fixed and working now, thanks and great article!

  7. Brian,

    Fine article, it helped me on the way but it seems there is a bit missing.
    After creating the template and assigning a certificate, I still get the red box with a new error:
    Server’s certificate does not match the URL.
    It seems that the SAN should also have the external url included, else it won’t work.
    When using certificates for internal use only I think it should work just fine !

    • Hello,

      You are correct, but the external name/certificate would typically only go on the security server(s). The internal connection servers only need the internal name and certs.

  8. Can’t thank you enough Brian! I inherited an environment where we had this exact same issue. Called VMware and one of our vendors for help with this and no dice. I came across your site yesterday and was able to resolve our certificate issue, thanks for the great write up!

  9. Thank you very much! That works perfect!

  10. This worked. Thanks a lot.
