Using Microsoft Certreq to generate signed SSL certificates in VMware Horizon View (2032400)

Purpose

This article provides steps to generate a Certificate Signing Request (CSR) and import the certificate that can be obtained from a Certificate Authority (CA) using the generated CSR. The process outlined in this article ensures that the certificate has a private key associated with it, and that the private key is exportable so View can use it to encrypt traffic over HTTPS.

Notes:

Resolution

The Microsoft Certreq tool is available by default on a Windows Server 2008 R2 system, so a Certificate Signing Request (CSR) can be generated quickly without installing additional software.

Note: The preceding link was correct as of December 14, 2015. If you find the link is broken, provide feedback and a VMware employee will update the link.

Note: The tool uses a configuration file to generate a certificate request.

To create the configuration file

  1. Save the request.inf file (see the Attachments section at the end of this article).

    In the request.inf file, you see entries similar to:

    ;----------------- request.inf -----------------
    [Version]

    Signature = "$Windows NT$"

    [NewRequest]

    Subject = "CN=View_Server_FQDN, OU=Organizational_Unit_Name, O=Organization_Name, L=City_Name, S=State_Name, C=Country_Name" ; replace attributes in this line using the example below
    KeySpec = 1
    KeyLength = 2048
    ; Can be 2048, 4096, 8192, or 16384.
    ; Larger key sizes are more secure, but have
    ; a greater impact on performance.
    Exportable = TRUE
    FriendlyName = vdm
    MachineKeySet = TRUE
    SMIME = False
    PrivateKeyArchive = FALSE
    UserProtected = FALSE
    UseExistingKeySet = FALSE
    ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
    ProviderType = 12
    RequestType = PKCS10
    KeyUsage = 0xa0

    [EnhancedKeyUsageExtension]

    OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication

    [RequestAttributes]

    ; SAN= dns=FQDN_you_require&dns=other_FQDN_you_require

    ;-----------------------------------------------

    Note: To have the request signed with SHA-256 (SHA-2), add this line to the [NewRequest] section:
    HashAlgorithm = sha256
     
  2. Open the file using a plain text editor and apply these changes:

    • Update the Subject attributes with appropriate values.

      For example:

      Subject = "CN=view.company.com, OU=Helpdesk, O=IT, L=Palo Alto, S=California, C=US"

      Note: Some Certificate Authorities (CAs) do not allow the use of abbreviations for the State attribute.

    • Update the KeyLength attribute if necessary. The default of 2048 is adequate unless there is a specific need for a different length.
    • If you are using a Subject Alternative Name (SAN), uncomment the SAN line (remove the leading semicolon) and replace the placeholder FQDNs with the FQDNs you require.

      For example:

      server.domain.com

  3. Save and close the file.

Generate a CSR using the configuration file

  1. Open a command prompt by right-clicking on cmd.exe and selecting Run as administrator.
  2. Change directory to the location where the request.inf file is saved.

    For example:

    cd C:\certificates

  3. Run this command to generate the CSR file:

    certreq -new request.inf certreq.txt

  4. Open the resulting certreq.txt CSR file in a text editor, copy the text of the file and submit it to your CA to obtain a signed certificate from your CA.

    Note: The CA provides a signed certificate, and also a root CA certificate and an intermediate CA certificate, if applicable. Different CAs offer different lists of formats. When requesting the certificate from the CA, be sure to select an appropriate format such as Apache, Tomcat, or IIS7.

  5. Save the certificate text to a new file named cert.cer on the Connection Server where the certificate request was generated.
  6. Save the root and intermediate CA certificates to files named root.cer and intermediate.cer on the Connection Server where the certificate request was generated.

Import the signed certificate

  1. To open a command prompt, right-click cmd.exe and click Run as administrator.
  2. Change directory to the location where the signed certificate file cert.cer was saved.

    For example:

    cd C:\certificates

  3. Run this command to import the signed certificate:

    certreq -accept cert.cer

    After the import completes, the certificate is imported into the local machine's certificate store.

    Caution: At this point, change the friendly name of the default certificate to something that does not contain vdm, preferably leave the entry blank. If you do not change the name, you have two certificates with the same friendly name and, therefore, Horizon View loads one of these randomly and may choose the default certificate and not your newly signed certificate.

  4. To ensure that the new signed certificate is trusted, perform these steps:

Notes:

  • Restart the Connection Server service to load the new certificate. For more information, see Stopping, starting, or restarting VMware View services (1026026).
  • If you are running on VMware Horizon View 5.2, restart the VMware View Blast Secure Gateway service:

    1. Click Start > Run, type services.msc, and click OK. The Services window opens.
    2. Right-click on VMware View Blast Secure Gateway service.
    3. Click Restart.

  • Use lowercase when entering the name vdm, as it is case sensitive.
  • If you experience issues while starting the Connection Server service after installing the new certificate, check the Connection Server logs for entries similar to:

    [KeyVaultKeyStore] No qualifying certificates in keystore


  • If you see the preceding error in the logs, review the steps above and confirm that each was followed correctly.

Additional Information

You can perform the steps described in the resolution section on the server requiring the certificate.

If this is not the server where you must install the certificate:
  1. Export the certificate from the server to a PFX-formatted certificate:
     
    1. Open the Microsoft Certificates MMC Snap-In for the computer account.
    2. Navigate to Certificates (Local Computer) > Personal > Certificates.
    3. Right-click on the required signed certificate to export.
    4. Click All Tasks > Export.
    5. On the Welcome screen, click Next.
    6. To export the private key, click Yes.
    7. If it is an option, click Include all certificates in the certification path.
    8. Enter a password for the private key. This is required to import the certificates.
    9. Enter a filename and location.

      For example, C:\certificates\certificate.pfx.

    10. Click Next.
    11. Click Finish.

  2. Import the certificate to the intended connection broker or security server:

    1. Open the Microsoft Certificates MMC Snap-In for the computer account. 
    2. Navigate to Certificates (Local Computer) > Personal > Certificates.
    3. Right-click the Certificates folder.
    4. Click All Tasks > Import.
    5. Browse to the .pfx file and click Next.
    6. Enter the certificate password.
    7. Select Mark the key as exportable.
    8. Click Next.
    9. Click Finish.

Note: The cryptographic provider must be 'Microsoft RSA SChannel Cryptographic Provider'. If the Microsoft Software Key Storage Provider is selected, the certificate cannot be used.
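As an added example (not part of the VMware article), the following PowerShell script checks, after certreq -accept or a PFX import, the conditions this article depends on: exactly one certificate in the computer's Personal store whose friendly name is exactly vdm, no other entry whose friendly name contains vdm (the caution in the import section), a private key held by the Microsoft RSA SChannel Cryptographic Provider and marked exportable, the Server Authentication EKU, and the Connection Server FQDN in the Subject or SAN. The default FQDN is a placeholder to replace with your own.

```powershell
# Added verification script; not VMware's code. Run in an elevated PowerShell
# session on the Connection Server. $ExpectedFqdn is a placeholder value.
param(
    [string]$ExpectedFqdn = 'view.company.com',
    [string]$FriendlyName = 'vdm'   # View matches this name case-sensitively
)

$serverAuthOid    = '1.3.6.1.5.5.7.3.1'
$requiredProvider = 'Microsoft RSA SChannel Cryptographic Provider'
$problems = @()

$store   = @(Get-ChildItem Cert:\LocalMachine\My)
# -like is case-insensitive: catches "VDM", "vdm-old" and other near misses
$vdmLike = @($store | Where-Object { $_.FriendlyName -like "*$FriendlyName*" })
$exact   = @($vdmLike | Where-Object { $_.FriendlyName -ceq $FriendlyName })

if ($exact.Count -ne 1) {
    $problems += "Expected exactly one certificate named '$FriendlyName', found $($exact.Count)."
}
if ($vdmLike.Count -gt 1) {
    $others = ($vdmLike | Where-Object { $_.FriendlyName -cne $FriendlyName }).Thumbprint -join ', '
    $problems += "Other certificates whose friendly name contains '$FriendlyName': $others. Rename them."
}

foreach ($cert in $exact) {
    $id = $cert.Thumbprint
    if (-not $cert.HasPrivateKey) { $problems += "$id has no private key."; continue }
    # A legacy CSP key exposes CspKeyContainerInfo; a CNG/KSP key (for example the
    # Microsoft Software Key Storage Provider) does not, and View cannot use it.
    try   { $csp = $cert.PrivateKey.CspKeyContainerInfo } catch { $csp = $null }
    if ($null -eq $csp) {
        $problems += "$id key is not held by a legacy CSP (probably a KSP key)."
    } else {
        if ($csp.ProviderName -ne $requiredProvider) { $problems += "$id provider is '$($csp.ProviderName)'." }
        if (-not $csp.Exportable) { $problems += "$id private key is not exportable." }
    }
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($eku -and -not (@($eku.EnhancedKeyUsages.Value) -contains $serverAuthOid)) {
        $problems += "$id lacks the Server Authentication EKU."
    }
    $names = @($cert.Subject) + @($cert.DnsNameList.Unicode)
    if (-not ($names -match [regex]::Escape($ExpectedFqdn))) {
        $problems += "$id: neither Subject nor SAN contains $ExpectedFqdn."
    }
    if ($cert.NotAfter -lt (Get-Date)) { $problems += "$id expired on $($cert.NotAfter)." }
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host "OK: one usable '$FriendlyName' certificate for $ExpectedFqdn."
```

A non-zero exit makes the script usable as a post-change gate before the Connection Server service is restarted.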


Update History

08/23/2012 - Added SAN attribute to request.inf file
09/17/2012 - Added country code needs two letter format
10/08/2012 - Added example of how Subject line should look like
10/23/2012 - Added request.inf as attachment to KB
11/06/2012 - Added FriendlyName="vdm" to request.inf
04/23/2013 - Added information regarding ease of use and export/import of pfx formatted certificates to Additional Information
06/10/2103 - Added the latest product release
06/18/2013 - Added notes on the Purpose section regarding the private key requirement.
06/18/2013 - Added notes on the Purpose section regarding the process needing to be performed on the same server.
06/18/2013 - Added notes on the resolution section, under "Generating a CSR using the configuration file" bullet 4, regarding IIS.
07/16/2013 - Modified note under "Generate a CSR using the configuration file"

Attachments
