This blog post is mostly for myself, so I can remember how to do this next time and don’t have to spend 2 hours trying to find the information needed once more. If I just did more Horizon View implementations I guess I would know this by heart, but honestly, and as you might understand if you follow my blog, that is not the most common task I do.
This applies to VMware Horizon View 6.0.1 and vSphere 5.5 U2
I’ll describe the steps I took during my last Horizon View implementation to create a certificate request file and then import the certificate to the Horizon View Connection Servers and to the Horizon Composer Server.
- Run the following command from a cmd prompt started as an administrator to generate the certificate request file:
“certreq -new request.inf certreq.txt”
The request.inf file contained the following information.
Don’t forget to set Exportable to TRUE and FriendlyName to vdm.
;----------------- request.inf -----------------
[Version]
Signature="$Windows NT$"
[NewRequest]
Subject = "CN=vdi.vcdx56.com, OU=vcdx56 IT, O=VCDX56, L=Kumla, S=Nerike, C=Sweden"
KeySpec = 1 ; AT_KEYEXCHANGE
KeyLength = 2048
Exportable = TRUE ; required to export the key to a PFX for the other servers
MachineKeySet = TRUE ; key is created in the computer store, not the user store
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12 ; PROV_RSA_SCHANNEL
RequestType = PKCS10
FriendlyName = vdm
KeyUsage = 0xa0 ; Digital Signature + Key Encipherment
[RequestAttributes]
; SAN is sent as a request attribute; a Microsoft CA honors it only if EDITF_ATTRIBUTESUBJECTALTNAME2 is enabled on the CA
SAN="dns=vdi.vcdx56.com&dns=viewcs01.vcdx56.com&dns=viewcs02.vcdx56.com&dns=viewcomp01.vcdx56.com"
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
;-----------------------------------------------
- Send the certreq.txt file to the team responsible for the internal CA, or use it to request an external certificate. In my case, the customer had an internal CA so I sent it to that team.
- Receive the certificate from the certificate authority (CA)
- Implement the certificate on the load balancer.
- Connection server 1
  - Import the certificate via the MMC using the following procedure:
    - Start Microsoft Certificates MMC Snap-In for the computer account.
    - Navigate to Certificates (Local Computer) > Personal > Certificates.
    - Right-click and select Import ->
    - Select the certificate file ->
    - Place the certificate in the Personal certificate store ->
    - Finish
  - Export the certificate via the MMC using the following procedure:
    - Start Microsoft Certificates MMC Snap-In for the computer account.
    - Navigate to Certificates (Local Computer) > Personal > Certificates.
    - Right-click the certificate that you want to export ->
    - All Tasks > Export ->
    - On the Welcome screen ->
    - Select Yes, to export the private key ->
      Important: If you are not able to export the private key, reboot the Windows machine so you get the key over the certificate
    - Select Personal Information Exchange – PKCS #12 (.PFX) and select the check box Include all certificates in the certification path if possible ->
    - Enter password for private key ->
    - Enter file name and location ->
    - Next ->
    - Finish.
  - Import the newly created PFX file using the Import certificate option in MMC
    - Type the password and select Mark this key as exportable
  - Remove the friendly name VDM from the original certificate created during the installation
  - Restart the Horizon View service or VM (I restarted the VM)
- Connection server 2
  - Import the PFX file via MMC
  - Remove the friendly name from the original certificate created during the installation
  - Restart the service or VM (I restarted the VM)
- Composer Server
  - Import the PFX file via MMC
  - Remove the friendly name from the original certificate created during the installation
  - Restart the service or VM (I restarted the VM)
  - Stop the “VMware Horizon View Composer” Windows service
  - Start a cmd window as Administrator
  - Go to the directory where sviconfig.exe is located. In my case, C:\Program Files (x86)\VMware\VMware View Composer
  - Run the command “sviconfig -operation=ReplaceCertificate -delete=false” ->
  - Select the newly imported certificate ->
  - Restart the service or VM (I restarted the VM)
I know there are other alternatives but at least this procedure worked just fine for me.
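
A check that can be run after the import steps above, as an added example that is not part of the original post: it confirms that exactly one certificate in the computer's Personal store carries the friendly name vdm, that it has its private key, and that its EKU and SAN match request.inf. It assumes PowerShell is available on the View servers and that the SAN extension formats as "label=name" pairs; the variable names are illustrative.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session on each Connection Server and on the Composer server.
# Names below are copied from the SAN line in request.inf; adjust per site.
$ExpectedNames = 'vdi.vcdx56.com', 'viewcs01.vcdx56.com',
                 'viewcs02.vcdx56.com', 'viewcomp01.vcdx56.com'
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # same OID as in request.inf
$problems = @()

# The procedure leaves one certificate with friendly name "vdm"; the original
# certificate from the installation must have had that name removed.
$vdm = @(Get-ChildItem Cert:\LocalMachine\My |
         Where-Object { $_.FriendlyName -eq 'vdm' })
if ($vdm.Count -ne 1) {
    $problems += "Expected exactly one certificate named 'vdm', found $($vdm.Count)"
}

foreach ($cert in $vdm) {
    $id  = $cert.Thumbprint
    $now = Get-Date
    if (-not $cert.HasPrivateKey) {
        $problems += "$id has no private key (import the PFX, not only the certificate file)"
    }
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        $problems += "$id is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))"
    }
    # Enhanced Key Usage must include Server Authentication.
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOids = @($eku | ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
    if ($ekuOids -notcontains $ServerAuthOid) {
        $problems += "$id lacks the Server Authentication EKU"
    }
    # Subject Alternative Name extension (OID 2.5.29.17), formatted as text.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($san) { $san.Format($false) } else { '' }
    foreach ($name in $ExpectedNames) {
        if ($sanText -notmatch ('=' + [regex]::Escape($name) + '(,|$)')) {
            $problems += "$id is missing SAN entry $name"
        }
    }
}

if ($problems.Count -eq 0) { 'OK: single vdm certificate passes all checks' }
else { $problems }
```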