Guidelines for generating and importing an SSL certificate for the View Connection Server for View 5.0.1 and earlier (1008705)

Details

Note: VMware recommends that you follow the instructions in the VMware View Installation document, which contains the most up-to-date information on this subject.

When installing a new SSL certificate on the View Connection Server, you experience these symptoms:
  • You are unable to import an SSL certificate for the View Connection Server
  • Importing an SSL certificate for the View Connection Server fails
  • You see this error:

    keytool error: java.security.KeyStoreException: TrustedCertEntry not supported

Solution

Note: This process only applies to VMware View versions 5.0.1 and earlier. For information on Configuring SSL Certificates in View 5.1, see the View Installation Guide and Using Microsoft Certreq to generate and import a signed certificate into Horizon View 5.1 or later (2032400).

To generate and import an SSL certificate on the View Connection Server:

Notes:
  • Certificates are required only for client-facing systems, such as Standard, Replica, or Security servers.
  • Information appearing within <brackets> represents variable information. Do not include the brackets when typing commands.
  • View Manager 5.x supports pkcs and jks store types. Ensure you use the appropriate command based on the keystore type.
  1. Add keytool to the system path:

    1. In your View Connection Server or Security Server host, right-click My Computer and click Properties.
    2. Click the Advanced tab.
    3. Click Environment Variables.
    4. In the System variables group, select Path and click Edit.
    5. Type the path to the JRE directory in the Variable Value text box. For example:

      install_directory\VMware\VMware View\Server\jre\bin

      Note: Use a semicolon (;) to separate each entry from the other entries in the text box.

  2. Generate a keystore and Certificate:

    1. Open a command prompt and run the keytool command to generate a keystore file using the appropriate arguments for your key type:

      • pkcs key:

        keytool -genkey -keyalg "RSA" -keystore keys.p12 -storetype pkcs12 -validity 360

      • 2048-bit pkcs key:

        keytool -genkey -keyalg "RSA" -keystore keys.p12 -storetype pkcs12 -validity 360 -keysize 2048

      • jks key:

        keytool -genkeypair -keyalg "RSA" -keysize 2048 -keystore keys.jks -storepass secret

    2. When the keytool command prompts you for the first and last name, type the fully qualified domain name (FQDN) that the client computers use to connect to the host.
    3. For JKS keystores, you are also prompted for a key password. Use the same password that you passed with -storepass in the keytool command.
    4. Enter all other information to complete the keystore file. After the keytool command creates the keystore file in the current directory, create a backup of the file.

  3. Obtain a Signed Certificate from a CA:

    1. Open a command prompt and run the keytool command to create a CSR using the appropriate arguments for your key type:

      • pkcs key:

        keytool -certreq -keyalg "RSA" -file certificate.csr -keystore keys.p12 -storetype pkcs12 -storepass secret

      • jks key:

        keytool -certreq -file certificate.csr -keystore keys.jks -storepass secret

        Notes:
        • The keytool command creates the CSR file in the current directory.
        • The keystore password must be at least 6 characters and cannot be left blank.

    2. Send the CSR to the CA according to the CA's enrollment process and request a certificate in PKCS#7 format.

      Some CAs provide certificates only in PKCS#12 format. If you download a certificate in the PKCS#12 format, you must convert it to PKCS#7 format. Some CAs classify certificates by server type rather than by file type; in that case, request a Tomcat certificate.

      To convert a PKCS#12 certificate to PKCS#7 format:

      1. Open the certificate file in Internet Explorer.

        Note: Verify that the certificate chain is complete, including root and intermediate certificates.

      2. In the Details tab, click Copy to File. The Certificate Export wizard appears.
      3. Specify PKCS#7 format, include all certificates in the certification path, then click Next.
      4. Specify a filename and click Next.
      5. Click Finish to export the file in PKCS#7 format. The file is saved with a .P7B extension.

      Note: If you used these steps to convert the certificate, use certificate.p7b instead of certificate.p7 with the keytool commands in the steps below.

  4. Import the Signed Certificate into a keystore file.

    To import the Signed Certificate into a keystore file, open a command prompt and run the keytool command using the appropriate arguments for your key type:

    • pkcs key:

      If the certificate is from a third-party with a root and intermediate certificate, all three certificates may need to be imported to the keystore.

      Note: If there are no root or intermediate certificates, skip the first two commands.

      To import the certificates to the keystore, run these commands:

      keytool -import -keystore keys.p12 -storetype pkcs12 -storepass secret -alias rootCA -file rootCA.p7

      keytool -import -keystore keys.p12 -storetype pkcs12 -storepass secret -trustcacerts -alias intermediateCA -file intermediateCA.p7

      keytool -import -keystore keys.p12 -storetype pkcs12 -storepass secret -keyalg "RSA" -trustcacerts -file certificate.p7

    • jks key:

      If the certificate is from a third-party with a root and intermediate certificate, all three certificates may need to be imported to the keystore.

      Note: If there are no root or intermediate certificates, skip the first two commands.

      To import the certificates to the keystore, run these commands:

      keytool -importcert -keystore keys.jks -storepass secret -alias rootCA -file rootCA.p7

      keytool -importcert -keystore keys.jks -storepass secret -trustcacerts -alias intermediateCA -file intermediateCA.p7

      keytool -importcert -keystore keys.jks -storepass secret -keyalg "RSA" -trustcacerts -file certificate.p7

      Note: The storepass must be the same password that was used to generate the CSR in step 3.

    • Creating a pfx file (alternative method):

      Your server certificate (including the root and intermediate certificates) can be imported into the Windows Certificate Store using MMC and then exported as a .PFX-formatted file (filename.pfx). That file can be used in the next step on any VDI server or Security Server that requires the certificate.

      For instructions to import or export a server certificate, see the Microsoft Knowledge Base articles 232137 and 232136.

      Note: The preceding links were correct as of December 17, 2013. If you find a link is broken, provide feedback and a VMware employee will update the link.

  5. Configure the View Connection Server or Security Server to use the new certificate:

    1. Copy the keystore file or the .PFX file that contains your certificate to the SSL gateway configuration directory on the View Connection Server or Security Server host. For example:

      install_directory\VMware\VMware View\Server\sslgateway\conf\keys.p12

      or

      install_directory\VMware\VMware View\Server\sslgateway\conf\filename.pfx

    2. Add the keyfile and keypass properties to the locked.properties file in the SSL gateway configuration directory on the View Connection Server or Security Server host.

      Note: If the locked.properties file does not exist, you must create it.

    3. Set the keyfile property to the name of your keystore file, using the appropriate file type.
    4. Set the keypass property to the password for your keystore file. For example:

      • pkcs key:

        keyfile=keys.p12
        keypass=secret


        Note: The keyfile property value could also be filename.pfx if you exported the certificate to a .pfx file as explained in step 4.

      • jks key:

        storetype=jks
        keyfile=keys.jks
        keypass=secret


  6. Restart the View Connection Server or Security Server for the changes to take effect.
  7. Ensure that the certificate is being used by checking the debug log on the server. For more information, see Location of VMware View log files (1027744).

    Look for lines similar to:

    INFO <Thread-1> [q] The Secure Gateway Server is using SSL certificate store keys.p12 with password of 9 characters
    INFO <Thread-1> [q] The Secure Gateway Server is listening on https://*:443
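The locked.properties entries from step 5 and the debug log lines from step 7 are the two places where a wrong keystore name, a wrong store type or a mistyped password shows up. The script below is an added example, not VMware's code: it writes the locked.properties lines for a given keystore file, checks an existing file for the mistakes this article warns about (missing storetype for a JKS store, a password shorter than 6 characters, several properties run together on one line), and then cross-checks the file against the Secure Gateway log lines. The file names, password and log text in it are constructed for the example; only the Python standard library is used.

```python
"""
Added example (not VMware's code): render and sanity-check the locked.properties
entries from step 5, then cross-check them against the Secure Gateway debug log
lines from step 7. All inputs below are constructed for the example.
"""
import re

# Store type the article expects for each keystore file extension.
EXT_TO_STORETYPE = {".p12": "pkcs12", ".pfx": "pkcs12", ".jks": "jks"}


def _ext(name):
    return name[name.rfind("."):].lower() if "." in name else ""


def render_locked_properties(keyfile, keypass):
    """Emit the locked.properties lines shown in the article.

    storetype is written only for a non-pkcs store, and the password must be at
    least 6 characters (the limit keytool enforces when the store is created).
    """
    storetype = EXT_TO_STORETYPE.get(_ext(keyfile))
    if storetype is None:
        raise ValueError("keyfile must be a .p12, .pfx or .jks file: %r" % keyfile)
    if len(keypass) < 6:
        raise ValueError("keystore password must be at least 6 characters")
    lines = []
    if storetype != "pkcs12":
        lines.append("storetype=%s" % storetype)
    lines += ["keyfile=%s" % keyfile, "keypass=%s" % keypass]
    return "\n".join(lines) + "\n"


def parse_locked_properties(text):
    """Parse key=value lines; the first '=' splits, blank and # lines are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def validate_locked_properties(props):
    """Return a list of problems; an empty list means the file looks right."""
    problems = []
    keyfile = props.get("keyfile")
    keypass = props.get("keypass")
    if not keyfile:
        problems.append("keyfile is missing")
    if not keypass:
        problems.append("keypass is missing")
    elif len(keypass) < 6:
        problems.append("keypass is shorter than 6 characters")
    if keyfile:
        expected = EXT_TO_STORETYPE.get(_ext(keyfile))
        declared = props.get("storetype", "pkcs12").lower()  # pkcs is the gateway default
        if declared.startswith("pkcs"):
            declared = "pkcs12"
        if expected is None:
            problems.append("unrecognised keyfile extension: %s" % keyfile)
        elif declared != expected:
            problems.append("storetype %r does not match keyfile %s (expected %s)"
                            % (declared, keyfile, expected))
    # A value that still contains '=' almost always means lines were run together.
    for key, value in props.items():
        if "=" in value:
            problems.append("%s=%s looks like several properties on one line" % (key, value))
    return problems


STORE_RE = re.compile(r"using SSL certificate store (\S+) with password of (\d+) characters")
LISTEN_RE = re.compile(r"is listening on https://[^:\s]+:(\d+)")


def parse_gateway_log(text):
    """Pull keystore name, password length and listening port out of the debug log."""
    found = {}
    for line in text.splitlines():
        m = STORE_RE.search(line)
        if m:
            found["keyfile"], found["password_len"] = m.group(1), int(m.group(2))
        m = LISTEN_RE.search(line)
        if m:
            found["port"] = int(m.group(1))
    return found


def crosscheck(props, log_text, expected_port=443):
    """Confirm the running gateway loaded the keystore named in locked.properties."""
    seen = parse_gateway_log(log_text)
    if "keyfile" not in seen:
        return ["no 'using SSL certificate store' line found; was the server restarted?"]
    problems = []
    keypass_len = len(props.get("keypass", ""))
    if seen["keyfile"] != props.get("keyfile"):
        problems.append("gateway loaded %s but locked.properties names %s"
                        % (seen["keyfile"], props.get("keyfile")))
    if seen["password_len"] != keypass_len:
        problems.append("gateway saw a %d-character password but keypass has %d"
                        % (seen["password_len"], keypass_len))
    if seen.get("port") != expected_port:
        problems.append("gateway is listening on %s, expected %d" % (seen.get("port"), expected_port))
    return problems


# Constructed inputs in the shape the article shows (9-character password, step 7 log lines).
SAMPLE_PROPERTIES = render_locked_properties("keys.p12", "Vi3wGate1")
SAMPLE_LOG = (
    "INFO <Thread-1> [q] The Secure Gateway Server is using SSL certificate store keys.p12 with password of 9 characters\n"
    "INFO <Thread-1> [q] The Secure Gateway Server is listening on https://*:443\n"
)

if __name__ == "__main__":
    props = parse_locked_properties(SAMPLE_PROPERTIES)
    print(validate_locked_properties(props) or "locked.properties: OK")
    print(crosscheck(props, SAMPLE_LOG) or "gateway log: OK")
```

Point parse_locked_properties at the real file in sslgateway\conf and crosscheck at the tail of the debug log after the restart in step 6; a password-length mismatch in the log is the quickest way to spot a keypass that was edited on one server but not the other.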

To configure another Security Server:

Note: These instructions only apply to the file types in the example. For more information, see Configuring SSL certificates for View Servers in the VMware View Documentation.

  1. Copy the keyfile and certificate.p7 files to the C: drive root on the additional server.

    Note: Ensure that you copy the keyfile and the certificate.p7 files before you import the certificate into the keyfile using the keytool -import command.

  2. Set the environment path for the keytool command to:

    C:\Program Files\VMware\VMware View\Server\jre\bin

  3. Import the certificate by running the keytool command using the appropriate arguments for your key type:

    • pkcs key:

      keytool -import -keystore keys.p12 -storetype pkcs12 -storepass secret -keyalg "RSA" -trustcacerts -file certificate.p7

    • jks key:

      keytool -import -keystore keys.jks -storepass secret -keyalg "RSA" -trustcacerts -file certificate.p7

  4. Copy the keyfile to:

    C:\Program Files\VMware\VMware View\Server\sslgateway\conf

  5. Add these lines to the locked.properties file:

    • pkcs key:

      keyfile=keys.p12
      keypass=secret


    • jks key:

      storetype=jks
      keyfile=keys.jks
      keypass=secret

    Note: storetype is required if using a type other than pkcs.

  6. Restart the View Security Service.
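Once each Connection Server and Security Server has been restarted, the check that matters is the one a client performs: is the served certificate trusted, does it carry the FQDN that clients use (the name typed at keytool's "first and last name" prompt in step 2), and how much of its 360-day validity is left. The probe below is an added example, not VMware's code; it uses only the Python standard library, the host names in it are placeholders, and the mapping of each failure back to a step of this article (hostname mismatch to step 2, an untrusted chain to the root and intermediate imports in step 4, no listener to the restart) relies on the wording of the exceptions Python raises and is an assumption of the example.

```python
"""
Added example (not VMware's code): connect to each View server the way a client
would and report whether the certificate installed by this article is usable.
Host names are placeholders; the probe needs network access, the helpers do not.
"""
import socket
import ssl
import time


def days_remaining(cert, now=None):
    """Days until notAfter, from the dict returned by SSLSocket.getpeercert()."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    now = time.time() if now is None else now
    return int((expires - now) // 86400)


def classify_failure(exc):
    """Map the exception from a verified TLS connect to the step to revisit.

    The hostname test is a string match on Python's verification message and is
    an assumption of this example, not an API contract.
    """
    if isinstance(exc, ssl.SSLCertVerificationError):
        if "Hostname mismatch" in str(exc):
            return "hostname-mismatch"   # CN/SAN is not the FQDN clients use (step 2)
        return "chain-untrusted"         # root/intermediate missing or untrusted (step 4)
    if isinstance(exc, ssl.SSLError):
        return "tls-error"               # handshake failed for another reason
    if isinstance(exc, OSError):
        return "unreachable"             # nothing listening: not restarted, or wrong port
    return "unknown"


def probe(fqdn, port=443, timeout=5.0, min_days=30):
    """Return (status, detail) for one server; status is 'ok' or a failure label."""
    ctx = ssl.create_default_context()   # verifies the chain and checks the hostname
    try:
        with socket.create_connection((fqdn, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=fqdn) as tls:
                cert = tls.getpeercert()
    except Exception as exc:             # classified rather than propagated
        return classify_failure(exc), str(exc)
    left = days_remaining(cert)
    detail = "%d days of validity left" % left
    return ("expiring" if left < min_days else "ok"), detail


def probe_all(fqdns, **kw):
    """Probe every server a client connects to and collect the results by name."""
    return {fqdn: probe(fqdn, **kw) for fqdn in fqdns}


if __name__ == "__main__":
    # Placeholder names: replace with the FQDNs your clients actually use.
    for host, (status, detail) in probe_all(["view.example.com", "view-sec.example.com"]).items():
        print("%-25s %-18s %s" % (host, status, detail))
```

Run it from a client network, not from the server itself, so that the name resolution and the trust store used are the ones clients will see; a "chain-untrusted" result on a certificate that the server log reports as loaded usually means the intermediate certificate was skipped in step 4.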

Additional Information

Note: VMware does not endorse or recommend any particular third-party utility, nor is the list above meant to be exhaustive.

This Article Replaces

1021667

Update History

12/17/2013 - Cleaned up formatting and wording for clarity
