
Horizon View certificate management

This blog post is mostly for myself, so I can remember how to do this next time and don’t have to spend 2 hours trying to find the information once more. If I did more Horizon View implementations I guess I would know this by heart, but honestly, as you might understand if you follow my blog, that is not the most common task I do.

This applies to VMware Horizon View 6.0.1 and vSphere 5.5 U2

I’ll describe the steps I took during my last Horizon View implementation to create the certificate request file and then import the certificate to the Horizon View Connection Servers and to the Horizon Composer Server.

  • Run the following command from a cmd prompt started as an administrator to generate the certificate request file:
    "certreq -new request.inf certreq.txt"
    The request.inf file contained the following information.
    Don’t forget to set Exportable to TRUE and FriendlyName to vdm.
    ; ----------------- request.inf -----------------
    [Version]
    Signature="$Windows NT$"
    [NewRequest]
    ; Subject is an X.500 name: CN= prefix and a two-letter country code
    Subject = "CN=vdi.vcdx56.com, OU=vcdx56 IT, O=VCDX56, L=Kumla, S=Nerike, C=SE"
    KeySpec = 1
    KeyLength = 2048
    ; Exportable so the key pair can be moved to the other servers as a PFX
    Exportable = TRUE
    MachineKeySet = TRUE
    SMIME = False
    PrivateKeyArchive = FALSE
    UserProtected = FALSE
    UseExistingKeySet = FALSE
    ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
    ProviderType = 12
    RequestType = PKCS10
    FriendlyName = vdm
    ; 0xa0 = Digital Signature + Key Encipherment
    KeyUsage = 0xa0
    [RequestAttributes]
    ; Only honored when the issuing CA accepts SAN request attributes;
    ; verify the SAN list on the issued certificate
    SAN="dns=vdi.vcdx56.com&dns=viewcs01.vcdx56.com&dns=viewcs02.vcdx56.com&dns=viewcomp01.vcdx56.com"
    [EnhancedKeyUsageExtension]
    OID = 1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
    ; -----------------------------------------------
  • Send the certreq.txt file to the team responsible for the internal CA, or use it to request an external certificate. In my case, the customer had an internal CA so I sent the certificate to that team.
  • Receive the certificate from the certificate authority (CA).
  • Install the certificate on the load balancer.
  • Connection server 1
    • Import the certificate via the MMC using the following procedure:
      • Start Microsoft Certificates MMC Snap-In for the computer account.
      • Navigate to Certificates (Local Computer) > Personal > Certificates.
      • Right-click and select Import ->
      • Select the certificate file ->
      • Place the certificate in the Personal certificate store ->
      • Finish
    • Export the certificate via the MMC using the following procedure:
      • Start Microsoft Certificates MMC Snap-In for the computer account.
      • Navigate to Certificates (Local Computer) > Personal > Certificates.
      • Right-click the certificate that you want to export ->
      • All Tasks > Export ->
      • On the Welcome screen ->
      • Select Yes, to export the private key ->
        Important: If you are not able to export the private key, reboot the Windows machine so that you get the key on the certificate.
      • Select Personal Information Exchange – PKCS #12 (.PFX) and select the check box “Include all certificates in the certification path if possible” ->
      • Enter password for private key ->
      • Enter file name and location ->
      • Next ->
      • Finish.
    • Import the newly created PFX file using the Import certificate option in MMC
      • Type the password and select Mark this key as exportable
    • Remove the friendly name VDM from the original certificate created during the installation
    • Restart the Horizon View service or VM (I restarted the VM)
  • Connection server 2
    • Import the PFX file via MMC
    • Remove the friendly name from the original certificate created during the installation
    • Restart the service or VM (I restarted the VM)
  • Composer Server
    • Import the PFX file via MMC
    • Remove the friendly name from the original certificate created during the installation
    • Restart the service or VM (I restarted the VM)
    • Stop the “VMware Horizon View Composer” Windows service
    • Start a cmd window as Administrator
      • Go to the directory where sviconfig.exe is located. In my case, C:\Program Files (x86)\VMware\VMware View Composer
      • Run the command "sviconfig -operation=ReplaceCertificate -delete=false" ->
      • Select the newly imported certificate ->
    • Restart the service or VM (I restarted the VM)

I know there are other alternatives but at least this procedure worked just fine for me.
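
To check the result of the procedure above on each server, the following PowerShell function (an added example, not part of the original post) confirms that exactly one certificate in the Local Computer Personal store carries the friendly name vdm and that it has a private key, the expected SAN entries, the Server Authentication EKU and a chain that builds. The function name, the 30-day threshold and the SAN text parsing (which assumes the default Windows display format) are assumptions.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# session on each Connection Server and on the Composer server.
function Test-VdmCertificate {
    param(
        [string[]]$ExpectedDnsNames,   # names clients will connect to
        [int]$MinDaysValid = 30        # assumed threshold, adjust as needed
    )
    $findings = @()
    $vdm = @(Get-ChildItem Cert:\LocalMachine\My |
             Where-Object { $_.FriendlyName -eq 'vdm' })

    # Only one certificate may carry the friendly name vdm after the cleanup step.
    if ($vdm.Count -ne 1) {
        return @("Expected 1 certificate with friendly name vdm, found $($vdm.Count)")
    }
    $cert = $vdm[0]

    if (-not $cert.HasPrivateKey) { $findings += 'No private key attached' }
    if ($cert.NotAfter -lt (Get-Date).AddDays($MinDaysValid)) {
        $findings += "Expires $($cert.NotAfter.ToString('yyyy-MM-dd'))"
    }

    # Subject Alternative Name extension (OID 2.5.29.17), parsed from its display text.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($san) { $san.Format($false) } else { '' }
    $sanNames = [regex]::Matches($sanText, '=\s*([^,\s]+)') |
                ForEach-Object { $_.Groups[1].Value.ToLower() }
    foreach ($name in $ExpectedDnsNames) {
        if ($sanNames -notcontains $name.ToLower()) { $findings += "SAN is missing $name" }
    }

    # Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1), as requested in request.inf.
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $usages = @($eku | ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
    if ($usages -notcontains '1.3.6.1.5.5.7.3.1') {
        $findings += 'Server Authentication EKU not present'
    }

    # Chain must build to a root this machine trusts (revocation is not checked here).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if (-not $chain.Build($cert)) { $findings += 'Chain does not build to a trusted root' }

    if ($findings.Count -eq 0) { "OK: $($cert.Thumbprint) $($cert.Subject)" } else { $findings }
}

Test-VdmCertificate -ExpectedDnsNames 'vdi.vcdx56.com', 'viewcs01.vcdx56.com'
```

Pass the load-balanced name plus the local server's own name from the SAN list in request.inf; any output other than the OK line names the check that failed.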