To generate and import an SSL certificate on the View Connection Server:
Notes:
- Certificates are required only for client-facing systems, such as Standard, Replica, or Security servers.
- Information appearing within
represents variable information. Do not include the brackets when typing commands.
- Add keytool to the system path:
- In your View Connection Server or Security Server host, right-click My Computer and click Properties.
- Click the Advanced tab.
- Click Environment Variables.
- In the System variables group, select Path and click Edit.
- Type the path to the JRE directory in the Variable Value text box. For example,
\VMware\VMware View\Server\jre\bin .
Note: Use a semicolon (;) to separate each entry from the other entries in the text box.
- Generate a Keystore and Certificate:
- Open a command prompt and run this command using keytool to generate a Keystore file:keytool -genkey -keyalg "RSA" -keystore
-storetype pkcs12 -validity 360 To generate a 2048-bit key, run this command:keytool -genkey -keyalg "RSA" -keystore-storetype pkcs12 -validity 360 -keysize 2048 - When keytool prompts you for the first and last name, type the fully qualified domain name (FQDN) that the client computers use to connect to the host.
- Enter all other information to complete the keystore file.
- After keytool creates the Keystore file in the current directory, back up the file.
- Open a command prompt and run this command using keytool to generate a Keystore file:keytool -genkey -keyalg "RSA" -keystore
- Obtain a Signed Certificate from a CA:
- Open a command prompt and run this command using keytool to create a CSR:keytool -certreq -keyalg "RSA" -file
-keystore Notes:-storetype pkcs12 -storepass - keytool creates the CSR file in the current directory.
- The keystore password must be at least 6 characters and cannot be left blank.
- Send the CSR to the CA according to the CA's enrollment process and request a certificate in PKCS#format.
Some CAs provide certificates only in PKCS#12 format. If you download a certificate in the PKCS#12 format, you must convert it to PKCS#7 format. Some vendors may use type rather than file type. In this case request a Tomcat certificate.
To convert a PKCS#12 certificate to PKCS#7 format:- Open the certificate file in Internet Explorer.Note: Verify that the certificate chain is complete, including root and intermediate certificates.
- In the Details tab, click Copy to File. The Certificate Export wizard appears.
- Specify PKCS#7 format, include all certificates in the certification path, and then click Next.
- Specify a filename and click Next.
- Click Finish to export the file in PKCS#7 format. The file is saved with a .P7B extension.
- Open the certificate file in Internet Explorer.
- Open a command prompt and run this command using keytool to create a CSR:keytool -certreq -keyalg "RSA" -file
- Import the Signed Certificate into a Keystore file.
To import the Signed Certificate into a keystore file, open a command prompt and run this command using keytool:keytool -import -keystore-storetype pkcs12 -storepass -keyalg "RSA" -trustcacerts -file
Note: The storepass must be the same password that was used to generate the CSR in step 3. - Configure the View Security Server to use the new certificate:
- Copy the Keystore file that contains your certificate to the SSL gateway configuration directory on the View Connection Server or security server host. For example, install_directory\VMware\VMware View\Server\sslgateway\conf\keys.p12.
- Add the keyfile and keypass properties to the locked.properties file in the SSL gateway configuration directory on the View Connection Server or security server host.
Note: If the locked.properties file does not exist, you must create it. - Set the keyfile property to the name of your Keystore file.
- Set the keypass property to the password for your Keystore file. For example:keyfile=keys.p12
keypass=MY_PASS
- Restart the View Connection Server service or Security Server service for the changes take effect.
- Ensure that the certificate is being used by checking the debug log on the server.
Source: Original Article