Thursday, March 8, 2012

HOWTO: Generate and import an SSL certificate on VMware View Connection Server

To generate and import an SSL certificate on the View Connection Server:
  • Certificates are required only for client-facing systems, such as Standard, Replica, or Security servers.
  • Information appearing within brackets represents variable information. Do not include the brackets when typing commands.
  1. Add keytool to the system path:
    1. In your View Connection Server or Security Server host, right-click My Computer and click Properties.
    2. Click the Advanced tab.
    3. Click Environment Variables.
    4. In the System variables group, select Path and click Edit.
    5. Type the path to the JRE directory in the Variable Value text box. For example, \VMware\VMware View\Server\jre\bin.

      Note: Use a semicolon (;) to separate each entry from the other entries in the text box.
  2. Generate a Keystore and Certificate:
    1. Open a command prompt and run this command using keytool to generate a Keystore file:

       keytool -genkey -keyalg "RSA" -keystore <keystore_filename> -storetype pkcs12 -validity 360

       To generate a 2048-bit key, run this command instead:

       keytool -genkey -keyalg "RSA" -keystore <keystore_filename> -storetype pkcs12 -validity 360 -keysize 2048
    2. When keytool prompts you for the first and last name, type the fully qualified domain name (FQDN) that the client computers use to connect to the host.
    3. Enter all other information to complete the keystore file.
    4. After keytool creates the Keystore file in the current directory, back up the file.
  3. Obtain a Signed Certificate from a CA:
    1. Open a command prompt and run this command using keytool to create a CSR:

       keytool -certreq -keyalg "RSA" -file <csr_filename> -keystore <keystore_filename> -storetype pkcs12 -storepass <keystore_password>
      • keytool creates the CSR file in the current directory.
      • The keystore password must be at least 6 characters and cannot be left blank.
    2. Send the CSR to the CA according to the CA's enrollment process and request a certificate in PKCS#7 format.

      Some CAs provide certificates only in PKCS#12 format. If you download a certificate in PKCS#12 format, you must convert it to PKCS#7 format. Some vendors ask for a type rather than a file type; in this case, request a Tomcat certificate.

      To convert a PKCS#12 certificate to PKCS#7 format:
      1. Open the certificate file in Internet Explorer.

        Note: Verify that the certificate chain is complete, including root and intermediate certificates.
      2. In the Details tab, click Copy to File. The Certificate Export wizard appears.
      3. Specify PKCS#7 format, include all certificates in the certification path, and then click Next.
      4. Specify a filename and click Next.
      5. Click Finish to export the file in PKCS#7 format. The file is saved with a .P7B extension.
  4. Import the Signed Certificate into a Keystore file:

    To import the Signed Certificate into a keystore file, open a command prompt and run this command using keytool:

    keytool -import -keystore <keystore_filename> -storetype pkcs12 -storepass <keystore_password> -keyalg "RSA" -trustcacerts -file <certificate_filename>

    Note: The storepass must be the same password that was used to generate the CSR in step 3.
  5. Configure the View Security Server to use the new certificate:
    1. Copy the Keystore file that contains your certificate to the SSL gateway configuration directory on the View Connection Server or security server host. For example, install_directory\VMware\VMware View\Server\sslgateway\conf\keys.p12.
    2. Add the keyfile and keypass properties to the file in the SSL gateway configuration directory on the View Connection Server or security server host.

      Note: If the file does not exist, you must create it.
    3. Set the keyfile property to the name of your Keystore file.
    4. Set the keypass property to the password for your Keystore file. For example:

       keyfile=keys.p12
  6. Restart the View Connection Server service or Security Server service for the changes to take effect.
  7. Ensure that the certificate is being used by checking the debug log on the server.
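Before restarting the service in step 6, it is worth checking that the file you are pointing the keyfile property at really is the PKCS#12 keystore and not the PKCS#7 bundle (.P7B) exported in step 3, and that the keystore password meets the rule from step 3. The following is an added example, not code from the original post or from VMware; it reads only the outer DER structure of the file to tell the two formats apart, and the sample byte strings are constructed fragments, not real keystores.

```python
# Added example (not from the original post): sanity-check the keystore and
# password before writing the keyfile/keypass properties for the SSL gateway.
PKCS7_SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")  # OID 1.2.840.113549.1.7.2


def _der_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def keystore_kind(data):
    """Classify a certificate/keystore file as 'pkcs12', 'pkcs7', 'pem' or 'unknown'."""
    if data.startswith(b"-----BEGIN"):
        return "pem"
    try:
        tag, body, _ = _der_tlv(data)
        if tag != 0x30:                     # both PFX and ContentInfo are a SEQUENCE
            return "unknown"
        inner_tag, inner_val, _ = _der_tlv(body)
    except IndexError:                      # truncated or empty input
        return "unknown"
    if inner_tag == 0x02 and inner_val == b"\x03":   # PFX ::= SEQUENCE { version INTEGER 3, ... }
        return "pkcs12"
    if inner_tag == 0x06 and inner_val == PKCS7_SIGNED_DATA_OID:  # ContentInfo { signedData, ... }
        return "pkcs7"
    return "unknown"


def sslgateway_properties(keystore_name, keystore_bytes, keypass):
    """Return the keyfile/keypass lines for the SSL gateway properties file,
    or raise ValueError if the inputs would not work with the View SSL gateway."""
    kind = keystore_kind(keystore_bytes)
    if kind != "pkcs12":
        raise ValueError("keyfile must be a PKCS#12 keystore, not a %s file" % kind)
    if len(keypass) < 6:                    # keystore password rule from the CSR step
        raise ValueError("keystore password must be at least 6 characters")
    return "keyfile=%s\nkeypass=%s\n" % (keystore_name, keypass)


# Constructed DER prefixes (hypothetical, not real keystores): just enough of the
# outer structure for classification.
SAMPLE_PKCS12 = bytes.fromhex("3010020103300b06092a864886f70d010701")
SAMPLE_P7B = bytes.fromhex("300d06092a864886f70d010702a000")
```

Run sslgateway_properties("keys.p12", open("keys.p12", "rb").read(), password) against the real keystore copied in step 5; a PKCS#7 file is rejected instead of silently producing a properties file the gateway cannot load.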