Friday, March 8, 2013

VMware Horizon View 5.2 Install Part 2: SSL Certificate

This is the second part in a blog series on how to install and configure VMware Horizon View 5.2. In Part 1 we did the basic connection server install and installed Adobe Flash Player. Next up is configuring a trusted SSL certificate.

There are a number of ways to request and mint SSL certificates. You could use a commercial CA, an internal Microsoft CA, or another flavor of CA if you wish. Unlike some vCenter components, the View SSL certificate does not need any unusual properties beyond the Server Authentication usage: no unique OU values, no client authentication, no data encipherment, etc. I would advise using a SAN certificate, so you can access the server via its short name and its FQDN without certificate errors.

I am using an online Windows Server 2012 Enterprise Certificate Authority in this example. The CA has been pre-configured to issue a variety of certificate template types, one of which I called "Server Authentication-SAN". You don't need a template with this name, but the template needs to support the SAN field, which the basic "Computer" template does NOT.

1. On the View server open a blank MMC. Add the Certificates snap-in and choose Computer account.


2. Open the Personal certificates container and expand Certificates. Depending on the auto-enrollment policy (if any) in your domain, you may find two or more certificates listed. One of the certificates will be the self-signed VMware certificate that we no longer want to use; you can identify it by looking at the "Issued By" field.



3. Now we want to request a new certificate from our online CA via the Certificate Request wizard. Right click on Certificates, select All Tasks, then Request New Certificate.


4. A couple of clicks into the wizard you should see an Active Directory Enrollment Policy listed.


5. Click Next and you should now see one or more templates that your CA administrator has published. If you use the standard "Computer" template the CA will strip any SAN values that you enter. So if you want a SAN certificate you will need to use a CA template that allows for such usage. Since SAN certificates are not uncommon, I already had a certificate template ready.



6. Check the box next to your SAN template. Click on the line of text next to the yellow warning. On the Subject tab you now need to configure the "Common name" for the subject name and add two "DNS" alternative names. Use the View server FQDN for the Common name and add both the FQDN and the short name as DNS alternative names, as shown below.


7. Click on the General tab and enter a friendly name of vdm.


8. Click on the Private Key tab and under Key Options allow the private key to be exportable.



9. Click OK then click on Enroll. If all goes well you should get a succeeded message.



10. In the MMC double click on the new certificate and validate that all properties, including Subject Alternative Name, are properly populated.

 
11. At this point you can either delete the self-signed VMware certificate, OR you must remove the vdm friendly name from the VMware certificate. View looks for a single certificate with the vdm friendly name. To remove the vdm friendly name from the VMware certificate just right click on the VMware certificate, select Properties, then delete the friendly name.
 
 
 
12. Restart all of the View services on your View server. The critical one is the VMware View Security Gateway Component. If it stops running shortly after you start it, there's a problem with your certificate. The most common cause is a certificate whose private key is NOT marked exportable. In that case you may see something like:
 
A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0x8009030d. The internal error state is 10001.
 

13. Now you can launch the View administrator and change the URL to either the server's short name or FQDN, and you should NOT see any browser SSL errors.



14. Once you login you can click on the Dashboard icon on the left and view the server details for your connection server. It should show a valid SSL certificate.
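The checks in steps 10 through 14 can be scripted, which is handy when the Security Gateway service keeps stopping and you want to know which requirement the certificate misses. The following PowerShell script is an added example and is not part of the original post or of VMware's tooling. It assumes placeholder names for the FQDN and short name (replace them with yours), that the View services are registered with display names beginning "VMware View", that the certificate's key lives in a legacy CSP (the MMC wizard's default on this template) so exportability can be read from CspKeyContainerInfo, and an English Windows locale for the "DNS Name=" text that the SAN extension formats to. Run it in an elevated PowerShell on the connection server.

```powershell
# Added example (not from the original post): verifies the certificate store on a
# View connection server against the requirements described in the steps above.
param(
    [string]$Fqdn         = 'view01.example.local',  # placeholder, replace with your FQDN
    [string]$ShortName    = 'view01',                # placeholder, replace with your short name
    [string]$FriendlyName = 'vdm'                    # the friendly name View looks for
)

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth (Server Authentication)
$issues = New-Object System.Collections.Generic.List[string]

# 1. View expects exactly one certificate in LocalMachine\My with friendly name 'vdm'.
$vdmCerts = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.FriendlyName -eq $FriendlyName })
if ($vdmCerts.Count -ne 1) {
    $issues.Add("Expected 1 certificate with friendly name '$FriendlyName', found $($vdmCerts.Count)")
    $vdmCerts | ForEach-Object { $issues.Add("  $($_.Thumbprint)  Issued by: $($_.Issuer)") }
}

foreach ($cert in $vdmCerts) {
    $tp = $cert.Thumbprint

    # 2. It must be the CA-issued certificate, not the self-signed one View installed.
    if ($cert.Subject -eq $cert.Issuer) {
        $issues.Add("${tp}: certificate is self-signed (Subject equals Issuer)")
    }

    # 3. Subject Alternative Name must carry both the FQDN and the short name.
    #    Format($false) renders the extension on one line, e.g.
    #    "DNS Name=view01.example.local, DNS Name=view01" (English locale assumed).
    $sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
    foreach ($name in @($Fqdn, $ShortName)) {
        if ($sanText -notmatch ('DNS Name=' + [regex]::Escape($name) + '(,|$)')) {
            $issues.Add("${tp}: SAN lacks DNS name '$name' (found: '$sanText')")
        }
    }

    # 4. Enhanced Key Usage must include Server Authentication; nothing else is required.
    $ekuExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ekuOids = @()
    if ($ekuExt) { $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    if ($ekuOids -notcontains $serverAuthOid) {
        $issues.Add("${tp}: EKU does not include Server Authentication ($serverAuthOid)")
    }

    # 5. A private key must be present and exportable. A non-exportable key is the
    #    usual reason the Security Gateway Component stops right after starting.
    if (-not $cert.HasPrivateKey) {
        $issues.Add("${tp}: no private key in the store")
    } else {
        try {
            $csp = $cert.PrivateKey.CspKeyContainerInfo
            if ($csp -and -not $csp.Exportable) {
                $issues.Add("${tp}: private key is NOT exportable")
            } elseif (-not $csp) {
                Write-Warning "${tp}: key is not a CSP key; exportability not checked"
            }
        } catch {
            Write-Warning "${tp}: could not read the private key container ($($_.Exception.Message))"
        }
    }

    # 6. Still valid, and chains to a root this machine trusts.
    if ($cert.NotAfter -lt (Get-Date)) { $issues.Add("${tp}: expired on $($cert.NotAfter)") }
    if (-not $cert.Verify())           { $issues.Add("${tp}: chain does not validate on this machine") }
}

# 7. All View services, the Security Gateway Component in particular, should be running.
Get-Service -DisplayName 'VMware View*' | ForEach-Object {
    if ($_.Status -ne 'Running') { $issues.Add("Service '$($_.DisplayName)' is $($_.Status)") }
}

if ($issues.Count -eq 0) {
    Write-Output "OK: one '$FriendlyName' certificate; SAN, EKU, private key and chain all check out."
} else {
    $issues | ForEach-Object { Write-Output "PROBLEM: $_" }
}
```

The chain check in step 6 runs against the connection server's own trust store. A client that shows a certificate warning while the server reports OK is usually missing the issuing CA's root in its own trusted store, so that is the place to look next rather than the certificate itself.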



Congratulations on configuring your View Connection Server SSL certificate. Very easy and straightforward (vCenter team, are you listening?). Next up is Part 3, where we configure basic parameters in the View Connection Server.

2 comments:

  1. Any reason why I am still getting an "Identity not verified" on the certificate when I use the short name URL on my laptop? From the Connection server, it works fine. Any help is appreciated.

  2. Hi Derek!
    I'm trying to do the certificate enrollment but it does not have the Server Authentication-SAN template. How did you do it? The only available one is Computer, and if I click "show all templates" there are a lot of other templates but all of them appear as "unavailable". Can you help?
