While replacing the default SSL certificates in the vSphere suite may seem challenging, the process in the View suite is much easier.
This article will cover the replacement of the default SSL certificates for both VMware View Connection Server and VMware View Composer.
OpenSSL and a Windows 2008 R2 CA are used to generate our CA Signed SSL certificates.
As a reminder, View Composer can be installed on the vCenter server or on another server (in case of heavy load).
My domain katalykt.lan is laid out as follows:
- dc0001.katalykt.lan: This is the domain controller and our Certification Authority.
- vc0001.katalykt.lan: This is the vCenter and our View Composer server.
- cs0001.katalykt.lan: This is our View Connection Server.
Let's start by creating our working directory, under
C:\OpenSSL-Win32\Certificates
Let's create the following folders:
- Composer
- ConnectionServer
Creating the OpenSSL Template files
In this part, we'll create a configuration file for each component and store it in the respective folder:
Composer.cfg
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:vc0001, DNS:vc0001.katalykt.lan

[ req_distinguished_name ]
countryName = FR
stateOrProvinceName = Normandie
localityName = Caen
0.organizationName = Katalykt
organizationalUnitName = ViewComposer
commonName = vc0001.katalykt.lan
ConnectionServer.cfg
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:cs0001, DNS:cs0001.katalykt.lan

[ req_distinguished_name ]
countryName = FR
stateOrProvinceName = Normandie
localityName = Caen
0.organizationName = Katalykt
organizationalUnitName = ConnectionServer
commonName = cs0001.katalykt.lan
Creating the SSL Certificates CA Template
A specific CA SSL Certificate Template is required for VMware View. See my article about Preparing a Microsoft CA SSL Certificate Template for VMware View 5.2 here to create one.
I've granted my service account srv-vcenter the Enroll right on my VMwareViewSSL template (this is done by editing the template's security settings).
Generating the SSL Certificates
So now that we've got everything that we need we can just go ahead and create a script which will do the manual labor for us!
This script will do the following for each component:
- Create a 2048-bit RSA private key rui.key
- Create a Certificate Signing Request from the current OpenSSL Template
- Submit the previous request to the CA and (hopefully) generate the Certificate rui.crt
- Create the Personal Information Exchange file which will bundle our Certificate along with its private key
REM Change this according to your needs
Set OPENSSL=c:\OpenSSL-Win32\bin\openssl.exe
Set SSLPATH=c:\OpenSSL-Win32\Certificates
Set MSCA=DC0001\katalykt-DC0001-CA
Set MSCATEMPLATE=VMwareViewSSL

REM Core processing
echo PROCESSING: View Composer SSL Certificate
cd /d %SSLPATH%\Composer
REM 1. private key, 2. CSR from the template, 3. CA submission, 4. PFX bundle (friendly name vdm)
%OPENSSL% genrsa 2048 > rui.key
%OPENSSL% req -out rui.csr -key rui.key -new -config Composer.cfg
certreq -submit -config %MSCA% -attrib "CertificateTemplate:%MSCATEMPLATE%" rui.csr rui.crt
%OPENSSL% pkcs12 -export -in rui.crt -inkey rui.key -name vdm -passout pass:testpassword -out rui.pfx

echo PROCESSING: View Connection Server SSL Certificate
cd /d %SSLPATH%\ConnectionServer
%OPENSSL% genrsa 2048 > rui.key
%OPENSSL% req -out rui.csr -key rui.key -new -config ConnectionServer.cfg
certreq -submit -config %MSCA% -attrib "CertificateTemplate:%MSCATEMPLATE%" rui.csr rui.crt
%OPENSSL% pkcs12 -export -in rui.crt -inkey rui.key -name vdm -passout pass:testpassword -out rui.pfx
Replacing the View Composer Certificate
If you already have a View Connection Server up and linked to an existing View Composer, make sure to stop its services before replacing the View Composer SSL certificate.
As you may already know, View Composer is installed either on the vCenter or on a side server. In this case it's hosted on my vCenter.
The first step is to stop the VMware View Composer service before proceeding any further.
The goal of this operation is to import our previously generated Personal Information Exchange rui.pfx into the View Composer server Personal store so that it may use both the SSL Certificate along with its private key.
So we open mmc.exe on the server where View Composer is installed and load the Certificates snap-in.
We pick the Computer account here.
I'm picking Local computer here since the mmc snap-in is running on the View Composer server.
Once that is done, we browse to Personal >> Certificates. If you already have View Composer installed, you should see the default self-signed SSL certificate in there.
The next step is to import our rui.pfx into the Certificates folder.
Using the contextual menu on the Certificates folder we do All Tasks > Import... to import it in there.
The first thing is to select the View Composer's rui.pfx file.
We use the password testpassword here (if you haven't changed it from the script that is) and we absolutely need to mark the key as exportable by ticking the option Mark this key as exportable...
Finally we place it in the Personal store.
Once done, we should be able to see our SSL certificate in the Personal store!
If you open up your SSL certificate you should see that a private key is associated with it thanks to the message "You have a private key that corresponds to this certificate".
If the SSL certificate doesn't have an associated private key, the replacement will not work (remember that the SSL certificate template needs to allow the private key to be exported!)
Now that we got our SSL Certificate in our Personal store we can go ahead and replace the existing one.
This step is done by using the SviConfig.exe tool present on the View Composer server.
"c:\Program Files (x86)\VMware\VMware View Composer\SviConfig.exe" -operation=replacecertificate -delete=false
Note that we set the delete switch to false to keep the existing SSL certificate in the store (we can always delete it later on).
Once the utility launches, simply select the new SSL certificate and everything else is done automatically!
You may delete (or export as a backup) the old Certificate now.
And that's it! Our View Composer certificate has been changed! Make sure to restart the service!
Replacing the View Connection Server Certificate
View Connection Server SSL Certificate replacement is quite similar to the View Composer's one.
Our last rui.pfx has to be loaded into the Connection Server's personal certificate store. The only difference is that its "friendly name" needs to be vdm (the Connection Server only looks for SSL certificates with that friendly name).
Replacing the SSL certificate of the View Connection Server is good practice for many reasons. For instance, your clients will see the Connection Server as a valid CA-signed entity when they connect through the View Horizon Client (no more red warning about self-signed certificates, yay!)
Let's start our operation by stopping all View components services.
Via mmc.exe on the View Connection Server we add the Certificates snap-in for the Computer account on the Local computer (this is the same process as for the Composer above).
Once more, we have the default SSL Certificate in there!
The next step is to import our rui.pfx into the Certificates folder.
Using the contextual menu on the Certificates folder we do All Tasks > Import... to import it in there.
The first thing is to select the View Connection Server rui.pfx file.
We use the password testpassword here (if you haven't changed it from the script that is) and we absolutely need to mark the key as exportable by ticking the option Mark this key as exportable...
Finally we place it in the Personal store.
Right now we have both the old and the new SSL Certificate. Make sure that the new SSL Certificate has the "vdm" Friendly Name set otherwise it will not be loaded.
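Two things decide whether the replacement works: the imported certificate must carry its private key (the Composer section above) and, on the Connection Server, it must have the friendly name vdm. The PowerShell below is an added example, not part of the original post, that checks both, plus the subjectAltName and serverAuth EKU from the .cfg files and the validity period, either on the rui.pfx file before import or on what actually landed in the Local Computer Personal store. It assumes Windows PowerShell 3.0 or later on the server holding the certificate; the host names, password and friendly name come from the post, the function names are mine.

```powershell
# Added example, not part of the original post: check a View certificate before
# running SviConfig.exe (Composer) or restarting the services (Connection Server).
# Assumptions: Windows PowerShell 3.0+ on the server holding the certificate.

function Test-ViewCertificate {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory = $true)]
        [string]$Fqdn,                          # e.g. cs0001.katalykt.lan
        [string]$ExpectedFriendlyName = ''      # 'vdm' for the Connection Server, '' to skip
    )
    $problems = @()

    # Without a private key neither SviConfig nor the Connection Server can use the certificate
    if (-not $Certificate.HasPrivateKey) {
        $problems += 'no private key is associated with the certificate'
    }

    # subjectAltName (OID 2.5.29.17) must list the FQDN, as in the .cfg files
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | Select-Object -First 1
    $sanText = if ($san) { $san.Format($true) } else { '' }
    if ($sanText -notmatch [regex]::Escape($Fqdn)) {
        $problems += "subjectAltName does not list $Fqdn"
    }

    # extendedKeyUsage = serverAuth (OID 1.3.6.1.5.5.7.3.1)
    $eku = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        Select-Object -First 1
    $hasServerAuth = $eku -and @($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' }).Count -gt 0
    if (-not $hasServerAuth) {
        $problems += 'extendedKeyUsage does not include serverAuth'
    }

    $now = Get-Date
    if ($Certificate.NotBefore -gt $now -or $Certificate.NotAfter -lt $now) {
        $problems += "certificate is outside its validity period ($($Certificate.NotBefore) to $($Certificate.NotAfter))"
    }

    if ($ExpectedFriendlyName -and $Certificate.FriendlyName -ne $ExpectedFriendlyName) {
        $problems += "friendly name is '$($Certificate.FriendlyName)', expected '$ExpectedFriendlyName'"
    }

    return $problems   # an empty array means every check passed
}

# Check the rui.pfx produced by the batch script before importing it.
function Test-ViewPfx {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [string]$Password = 'testpassword',     # the -passout value from the script
        [Parameter(Mandatory = $true)][string]$Fqdn
    )
    $full = (Resolve-Path $Path).Path           # .NET resolves relative paths against the process CWD
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($full, $Password)
    Test-ViewCertificate -Certificate $cert -Fqdn $Fqdn
}

# Check what is actually in the Local Computer Personal store after the MMC import.
# Both the old self-signed certificate and the new one are listed, with their problems.
function Test-ViewStoreCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$Fqdn,
        [string]$ExpectedFriendlyName = 'vdm'
    )
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -match "CN=$([regex]::Escape($Fqdn))" } |
        ForEach-Object {
            [pscustomobject]@{
                Thumbprint   = $_.Thumbprint
                FriendlyName = $_.FriendlyName
                NotAfter     = $_.NotAfter
                Problems     = Test-ViewCertificate -Certificate $_ -Fqdn $Fqdn -ExpectedFriendlyName $ExpectedFriendlyName
            }
        }
}

# Give one specific certificate (by thumbprint) the friendly name the Connection Server looks for.
function Set-ViewFriendlyName {
    param(
        [Parameter(Mandatory = $true)][string]$Thumbprint,
        [string]$FriendlyName = 'vdm'
    )
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    $cert.FriendlyName = $FriendlyName   # the Certificate provider writes this property back to the store
}

# Usage:
# Test-ViewPfx -Path C:\OpenSSL-Win32\Certificates\ConnectionServer\rui.pfx -Fqdn cs0001.katalykt.lan
# Test-ViewStoreCertificate -Fqdn cs0001.katalykt.lan
# Test-ViewStoreCertificate -Fqdn vc0001.katalykt.lan -ExpectedFriendlyName ''   # Composer does not need 'vdm'
# Set-ViewFriendlyName -Thumbprint <thumbprint of the new certificate>
```

The `-name vdm` passed to `openssl pkcs12` in the script is what the Windows import turns into the Friendly Name, so the new certificate normally arrives already named vdm; Set-ViewFriendlyName is for the case where it did not. Run Test-ViewStoreCertificate before restarting the services: a problem list that mentions the private key means the import has to be redone with "Mark this key as exportable" ticked.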
I've removed the old SSL Certificate (you can export it too).
Finally we can restart the View Connection Server services.
After a few minutes, we head to the Web Admin site to ensure that the new SSL certificate is loaded:
https://cs0001.katalykt.lan/admin
If everything's fine our dashboard should show that our Connection Server is healthy!
Integrating View Composer in View Connection Server
In this part, I'll be linking my View Composer to my View Connection Server. If you already did it then you may skip this part.
Let's head in View Configuration >> Servers and add a vCenter server.
In my case the Composer is linked to the vCenter.
My vCenter is added as shown below.
The dashboard shows our View Composer's SSL Certificate as valid! (It may appear red at first but give it a few minutes)
Both our View Connection server and View Composer are now using valid CA SSL Certificates!