Knowledge Base

Note: This process only applies to VMware View versions 5.0 and earlier. For information on Configuring SSL Certificates in View 5.1, see the View Installation Guide and Using Microsoft Certreq to generate and import a signed certificate into View 5.1 (2032400).

To generate and import an SSL certificate on the View Connection Server:

• Certificates are required only for client-facing systems, such as Standard, Replica, or Security servers.
• Information appearing within <brackets> represents variable information. Do not include the brackets when typing commands.
• View Manager 5.x supports pkcs and jks store types. Ensure to use the appropriate command based on the keystore type.

1. Add keytool to the system path:
   
   
   1. In your View Connection Server or Security Server host, right-click My Computer and click Properties.
   2. Click the Advanced tab.
   3. Click Environment Variables.
   4. In the System variables group, select Path and click Edit.
   5. Type the path to the JRE directory in the Variable Value text box. For example, <install_directory>\VMware\VMware View\Server\jre\bin.
      
      Note: Use a semicolon (;) to separate each entry from the other entries in the text box.
      
      
2. Generate a Keystore and Certificate:
   
   
   1. Open a command prompt and run this command using keytool to generate a Keystore file using one of the following:
      • pkcs key:
        
        keytool -genkey -keyalg "RSA" -keystore <keys.p12> -storetype pkcs12 -validity 360
        
        
      • 2048-bit pkcs key:
        
        keytool -genkey -keyalg "RSA" -keystore <keys.p12> -storetype pkcs12 -validity 360 -keysize 2048
        
        
      • jks key:
        
        keytool -genkeypair -keyalg "RSA" -keysize 2048 -keystore <keys.jks> -storepass <secret>
        
        
   2. When keytool prompts you for the first and last name, type the fully qualified domain name (FQDN) that the client computers use to connect to the host.
   3. For JKS keystores, you will be prompted for a password. Use the same password used in the keytool command.
   4. Enter all other information to complete the keystore file. After keytool creates the Keystore file in the current directory, create a backup of the file.
      
      
3. Obtain a Signed Certificate from a CA:
   
   
   1. Open a command prompt and run this command using keytool to create a CSR:
      
      
      • pkcs key:
        
        keytool -certreq -keyalg "RSA" -file <certificate.csr> -keystore <keys.p12> -storetype pkcs12 -storepass <secret>
        
        
      • jks key:
        
        keytool -certreq -file <certificate.csr> -keystore <keys.jks> -storepass <secret>
        
        Notes:
        • keytool creates the CSR file in the current directory.
        • The keystore password must be at least 6 characters and cannot be left blank.
          
          
   2. Send the CSR to the CA according to the CA's enrollment process and request a certificate in PKCS# format.
      
      Some CAs provide certificates only in PKCS#12 format. If you download a certificate in the PKCS#12 format, you must convert it to PKCS#7 format.  Some vendors may use type rather than file type. In this case request a Tomcat certificate.
      
      To convert a PKCS#12 certificate to PKCS#7 format:
      
      
      1. Open the certificate file in Internet Explorer.
         

         Note: Verify that the certificate chain is complete, including root and intermediate certificates.
         

      2. In the Details tab, click Copy to File. The Certificate Export wizard appears.
      3. Specify PKCS#7 format, include all certificates in the certification path, and then click Next.
      4. Specify a filename and click Next.
      5. Click Finish to export the file in PKCS#7 format.The file is saved with a .P7B extension.
         If you completed this conversion use <certificate.p7b> instead of <certificate.p7> in the following steps with the keytool commands.
         
         
4. Import the Signed Certificate into a Keystore file.
   
   To import the Signed Certificate into a keystore file, open a command prompt and run this command using keytool:
   
   
   • pkcs key:
     
     keytool -import -keystore <keys.p12> -storetype pkcs12 -storepass <secret> -keyalg "RSA" -trustcacerts -file <certificate.p7>
     
     
   • jks key:
     
     keytool -importcert -keystore <keys.jks> -storepass <secret> -keyalg "RSA" -trustcacerts –file <certificate.p7>
     
     Note: The storepass must be the same password that was used to generate the CSR in step 3.
     
     
5. Configure the View Connection Server or Security Server to use the new certificate:
   
   
   1. Copy the Keystore file that contains your certificate to the SSL gateway configuration directory on the View Connection Server or Security Server host. For example, install_directory\VMware\VMware View\Server\sslgateway\conf\keys.p12.
   2. Add the keyfile and keypass properties to the locked.properties file in the SSL gateway configuration directory on the View Connection Server or Security Server host.
      
      Note: If the locked.properties file does not exist, you must create it.
      
      
   3. Set the keyfile property to the name of your Keystore file, using the appropriate file type.
   4. Set the keypass property to the password for your Keystore file. For example:
      
      
      • pkcs key: keyfile=keys.p12
               keypass=secret
        
        
      • jks key:  storetype=jks
               keyfile=keys.jks
               keypass=secret 
        
        
6. Restart the View Connection Server or Security Server for the changes take effect.
7. Ensure that the certificate is being used by checking the debug log on the server.
   
   For log files locations, see Location of VMware View log files (1027744). You see lines similar to:
   
   03:30:17,069 INFO <Thread-1> [q] The Secure Gateway Server is using SSL certificate store keys.p12 with password of 9 characters
   03:30:17,819 INFO <Thread-1> [q] The Secure Gateway Server is listening on https://*:443   

1. Copy the Keyfile and certificate.p7 files to the root of C: on the additional server. 
2. Set the environmental path for the keytool to C:\Program Files\VMware\VMware View\Server\jre\bin.
3. Import the certificate with:
   
   
   • pkcs key:
     
     keytool   -import  -keystore <keys.p12>  -storetype pkcs12  -storepass <secret>  -keyalg "RSA"  -trustcacerts  -file <certificate.p7>
     
     
   • jks key:
     
     keytool -import -keystore <keys.jks> -storepass <secret> -keyalg "RSA" -trustcacerts -file <certificate.p7> 
     
     
4.  Copy the keyfile file to C:\Program Files\VMware\VMware View\Server\sslgateway\conf.
5. Modify the locked.properties file and add these lines:
   
   
   • pkcs key: keyfile=keys.p12
            keypass=secret
   • jks key: storetype=jks
            keyfile=keys.jks
            keypass=secret
     
     Note: storetype is required if using a type other than pkcs.
     
     
6. Restart the View Security Service.