Troubleshooting SSL certificate issues in VMware Horizon View 5.1 and later (2082408)

Symptoms

  • You receive warning messages in the View Admin Dashboard related to SSL certificates.
  • You cannot open the View Admin page.
  • The Connection Server shows a red alert in the Dashboard.
  • Connecting with a View Client returns an error message saying the Certificate is untrusted.

Purpose

This article provides troubleshooting steps and identifies common issues with SSL certificates.

Note: The information in this article is also suitable for Security Servers.

Resolution

Common SSL configuration issues

  • Confirming the private key configuration

    If the Private Key is not exportable, you will experience certificate issues. The only exception to this is when using the Default Certificate that comes with the install.

    To confirm the private key is marked as exportable:

    1. In the Connection Server, click Start, type mmc, and click OK.
    2. Click File > Add/Remove Snap-in.
    3. Click Certificates and click Add.
    4. Click Computer account and click Next.
    5. Click Local computer and click Finish > OK.
    6. Expand Certificates (Local Computer).
    7. Expand Personal.
    8. Expand Certificates.
    9. Identify the Certificate in use.
    10. Double-click the Certificate. On the General page, you see the message You have a private key that corresponds to this certificate.
    11. Click the Details tab and click Copy to File.
    12. Click Next in the pop-up window.
    13. You see two options in the next page:

      • Yes, export the private key
      • No, do not export the private key

      If Yes, export the private key is grayed out, the Private Key is not exportable.

    If the key is not exportable, you must import the certificate again ensuring that you mark the private key as exportable. For more information, see the Import a Signed Server Certificate into a Windows Certificate Store section in the VMware View Installation guide.

  • The Friendly Name is incorrect

    The Friendly Name is case sensitive and must be set to vdm.

    To confirm the friendly name:

    1. In the Connection Server, click Start, type mmc, and click OK.
    2. Click File > Add/Remove Snap-in.
    3. Click Certificates and click Add.
    4. Click Computer account and click Next.
    5. Click Local computer and click Finish > OK.
    6. Expand Certificates (Local Computer).
    7. Expand Personal.
    8. Expand Certificates.
    9. Identify the Certificate in use.
    10. Locate the Friendly Name column.
    11. Verify that the Friendly Name is vdm (all lower case).

    If the friendly name is incorrect, or not configured, edit the name by right-clicking the certificate, and configure the friendly name correctly. Click OK to confirm, and restart the Services to use the new configuration.

    Note: When changing the certificate, ensure that only the correct certificate has the vdm friendly name because only one certificate should have the vdm friendly name.

  • Misconfigured Wildcard Certificate

    Wildcard Certificates require special configuration. If you are setting a wildcard for abc.def.mydomain.com, your wildcard certificate must be *.*.mydomain.com. Similarly, if you have abc.mydomain.com, your wildcard certificate must be *.mydomain.com. You must include the wildcard symbol for every prefix.

    If the certificate has been created incorrectly, contact your certificate provider to correct the configuration.
  • Generating or renewing SSL Certificates
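
The private key and Friendly Name checks above can also be run from PowerShell instead of the MMC. This is an added example, not VMware-supplied code; it assumes an elevated PowerShell session on the Connection Server or Security Server and reads the same Certificates (Local Computer) > Personal store.

```powershell
# Added example, not VMware code. Run elevated on the Connection Server.
$store = @(Get-ChildItem -Path Cert:\LocalMachine\My)

# -ceq compares case-sensitively, so 'VDM' or 'Vdm' does not qualify.
$vdm = @($store | Where-Object { $_.FriendlyName -ceq 'vdm' })
$wrongCase = @($store | Where-Object {
    $_.FriendlyName -ieq 'vdm' -and $_.FriendlyName -cne 'vdm'
})

# Only one certificate should carry the vdm friendly name.
if ($vdm.Length -ne 1) {
    Write-Warning "Expected exactly one certificate named 'vdm', found $($vdm.Length)."
}
foreach ($c in $wrongCase) {
    Write-Warning "Friendly name '$($c.FriendlyName)' has the wrong case: $($c.Subject)"
}

foreach ($c in $vdm) {
    $exportable = 'Unknown; confirm with the export wizard'
    if (-not $c.HasPrivateKey) {
        $exportable = 'No private key'
    } else {
        try {
            # Readable for CryptoAPI (CSP) keys. CNG-stored keys may throw
            # or return nothing here, which leaves the value as Unknown.
            $info = $c.PrivateKey.CspKeyContainerInfo
            if ($info) { $exportable = $info.Exportable }
        } catch { }
    }

    # OID 2.5.29.17 is the Subject Alternative Name extension.
    $san = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
        ForEach-Object { $_.Format($false) }

    New-Object PSObject -Property @{
        Subject        = $c.Subject
        SubjectAltName = $san
        NotAfter       = $c.NotAfter
        HasPrivateKey  = $c.HasPrivateKey
        Exportable     = $exportable
    } | Select-Object Subject, SubjectAltName, NotAfter, HasPrivateKey, Exportable
}
```

An Exportable value of False corresponds to the grayed-out Yes, export the private key option in the export wizard.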

Troubleshooting SSL configuration

  1. Ensure that the Common Name or Subject Alternative Name of the certificate is correct. If the name is not correct, contact your certificate provider to correct the configuration.

    A certificate will have a Common Name and may also have Subject Alternative Name(s). The certificate is valid for all of the names listed. The name should match the URL the user types in the Client or browser to connect, and it should also match the External URL configured in the Connection Server or Security Server where the certificate is installed.

  2. When requesting new certificates, ensure that you use the Windows Server 2003 Certificate template option.

    When requesting a certificate from an internal Active Directory Certificate Authority, use the Windows 2003 Certificate template. If requesting a certificate from an external source or getting an internal certificate from a non-Windows device, VMware recommends using the certreq command. For more information, see Generating and importing a signed SSL certificate into VMware Horizon View 5.1/5.2/5.3 using Microsoft Certreq (2032400).

  3. Ensure the Full Certificate Chain is installed.

    Custom certificates that are provided by external or internal sources generally are multi-part entities. In addition to the Host Certificate (the certificate with the name of the URL that users are going to use to connect), there will be a root and possibly an intermediate certificate. To be valid, the complete chain of certificates must be available on the Connection Server or Security Server. Opening the certificate in the Microsoft MMC allows you to see the certificate chain. The intermediate and root certificates of common Certificate Authorities are already installed on Windows machines. If the certificate is from an internal Active Directory Server, the root certificate is installed automatically when the Connection Server is joined to the domain.

  4. Ensure the client device has the root and intermediate certificates installed.

    If an internal certificate from the Active Directory domain is in use, ensuring that the Client is attached to the Active Directory domain will install the Root Certificate. If the device is not a member of the domain, or if it is a zero client or Linux client, the root certificate must be manually installed.

  5. To import a certificate from a different server, see Importing a View 5.0 or earlier Connection Server SSL certificate to a View 5.x Connection Server (2051560).

  6. If you see the Server's certificate cannot be checked error in the Dashboard, see Administration dashboard in VMware Horizon View 5.1/5.2/5.3 reports the error: Server's certificate cannot be checked (2000063).

  7. For thumbprint errors during provisioning, see Provisioning VMware Horizon View linked clone pools fail and report the error: Validation fails due to null thumbprint (2071023).
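
The name check in step 1 and the wildcard rule under Misconfigured Wildcard Certificate can be tested before a certificate is installed. The following is an added example, not VMware code: the function name Test-CertNameMatch, the External URL and the certificate names are constructed for illustration, and the matching follows the rule as this article states it (one wildcard symbol for every prefix).

```powershell
# Added example, not VMware code. Test-CertNameMatch is a hypothetical helper.
# Rule as stated in this article: each '*' in a certificate name stands for
# exactly one DNS label, so the host and the name must have equally many labels.
function Test-CertNameMatch {
    param(
        [string]$HostName,      # host part of the URL users connect to
        [string[]]$CertNames    # Common Name plus any Subject Alternative Names
    )
    $hostLabels = $HostName.ToLowerInvariant().TrimEnd('.').Split('.')
    foreach ($name in $CertNames) {
        $nameLabels = $name.ToLowerInvariant().TrimEnd('.').Split('.')
        if ($nameLabels.Length -ne $hostLabels.Length) { continue }

        $match = $true
        for ($i = 0; $i -lt $nameLabels.Length; $i++) {
            if ($nameLabels[$i] -ne '*' -and $nameLabels[$i] -ne $hostLabels[$i]) {
                $match = $false
                break
            }
        }
        if ($match) { return $true }
    }
    return $false
}

# Constructed sample: an External URL as configured on the Connection Server.
$externalUrl = 'https://abc.def.mydomain.com:443'
$hostName = ([Uri]$externalUrl).Host

# Case 1: one wildcard for a host with two prefixes.
Test-CertNameMatch -HostName $hostName -CertNames @('*.mydomain.com')

# Case 2: one wildcard per prefix, as the article requires.
Test-CertNameMatch -HostName $hostName -CertNames @('*.*.mydomain.com')

# Case 3: Common Name differs, but a Subject Alternative Name covers the host.
Test-CertNameMatch -HostName 'abc.mydomain.com' `
    -CertNames @('view.mydomain.com', '*.mydomain.com')
```

Run the function against both the name users type in the Client and the External URL, since the article requires the certificate to match each of them.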

Additional Information

For more information on Horizon View Certificates, see Obtaining SSL Certificates for VMware Horizon View Servers Guide.

To change the SSL certificate for View Composer using sviconfig, see the Bind a New SSL Certificate to the Port Used by View Composer section in the View Installation Guide.

For SSL issues occurring in View related to vCenter Server, see View Admin dashboard for vCenter Server 5.1 displays the message: VC service is not working properly (2050369) and AD users with customized UPN user names cannot log into vCenter Server after upgrade to vSphere 5.1.b (2044150).

