VMware View Manager (Connection and Security servers) ships with a self-signed SSL certificate that clients use when establishing secure sessions to View desktops. There are many reasons not to use a self-signed certificate in production, but the decisive one is that it gives clients nothing to verify: because no trusted authority vouches for it, a browser or thin client cannot tell the genuine View server from an impostor presenting its own self-signed certificate for the same name. In this article we describe the steps necessary to replace the default self-signed SSL certificate with one issued by either a third-party Certificate Authority (CA) or your own internal CA.
For clients that will access View over the Internet, you should consider purchasing a certificate from an external CA such as Thawte or Entrust. Because those CAs are already present in the trust stores of browsers and thin clients, a certificate they issue lets your clients confirm that the site they believe to be yours is in fact genuine and not an impostor posing as you. Furthermore, it saves the additional configuration needed to make thin clients accept a self-signed certificate, and we would hate to do any more work than absolutely necessary.
If your clients only access View from a non-Internet-facing internal network, you might opt to use an internal CA. As long as your clients trust your internal CA (its root certificate is installed on them) and can reach both the CA and the View server, there is no need to purchase a certificate from a third party.
Among other things, the web browser checks the certificate's Common Name (CN), or its Subject Alternative Name entries, against the hostname it connected to, and checks that the certificate's issuer chains up to a root CA in the browser's trust store and that the certificate is within its validity period. If everything verifies, the browser knows the certificate is valid and you never see a warning. If the name does not match the hostname, or the issuer is not trusted, the browser alerts you.
As we can see in the following image, the certificate presented to our browser shows that it was issued by “VMware VDM” and was issued to “VMware VDM”:
This is of no help to us: not only does the CN of “VMware VDM” not match the hostname of our View Security Server (view.tcpdump.com in our example), but the issuer, VMware VDM, is not listed in our browser's trusted root certification authorities.
Until we correct both issues we will keep receiving these warnings, unless we suppress them in the browser's configuration, which only hides the problem rather than fixing it. In the following pages we install a new certificate, but before we can do so we must prepare our system's environment.
The Java Runtime Environment bundled with View Manager includes keytool, the standard Java utility for managing keystores and generating certificate signing requests (CSRs). Using keytool, we can open the keystore that View's secure gateway reads and create, replace or delete the keys and certificates it uses.
If you used the default install path for your Security and Connection Server deployments, you will find keytool.exe in the following directory: 'C:\Program Files\VMware\VMware View\Server\jre\bin'
We begin by adding the location (or the path in which you installed View) to our system's environment PATH variable within Windows:
Click Start » Settings » Control Panel
Double-click the System icon
Under the Advanced tab, click 'Environment Variables'
Highlight the Path variable and click edit. Append the following to 'Variable value':
';C:\Program Files\VMware\VMware View\Server\jre\bin'
Click through the remaining screens selecting the 'OK' option until the changes have been saved.
Creating a certificate signing request file
A certificate signing request, or CSR, is a file generated on the web server and sent to a certificate authority (CA) to enroll for an SSL certificate. It contains the server's public key and subject name (the FQDN) and is signed with the matching private key, which never leaves the server. We will use keytool to generate an RSA key pair, store the private key in View's keystore, and submit the CSR to our CA; the CA returns a certificate (digitally signed with the CA's private key) that we then configure in View.
Before we can generate a CSR, we must first create a keystore to hold our key pair and, later, the issued certificate. We use keytool to create this keystore:
Open the command prompt on your View server:
Start » Run » CMD
Change directory to 'C:\Program Files\VMware\VMware View\Server\sslgateway\conf':
C:\Documents and Settings\Administrator>cd \
C:\>cd "C:\Program Files\VMware\VMware View\Server\sslgateway\conf"
C:\Program Files\VMware\VMware View\Server\sslgateway\conf>
Run the following command (type straight quotes, or omit them; cmd.exe does not treat curly quotes as quoting characters):
'keytool -genkey -keyalg "RSA" -keysize 2048 -keystore keys.p12 -storetype pkcs12 -validity 360'
C:\Program Files\VMware\VMware View\Server\sslgateway\conf>keytool -genkey -keyalg "RSA" -keysize 2048 -keystore keys.p12 -storetype pkcs12 -validity 360
Two notes on the options: older JREs default to a 1024-bit RSA key when -keysize is omitted, which public CAs no longer accept, so state 2048 explicitly; and -validity applies only to the placeholder self-signed certificate keytool attaches to the new key, since the CA decides the validity period of the certificate it issues.
You will be asked to enter a keystore password. Do not lose this password: without it you cannot manage the keystore, and you will eventually have to create a new keystore and certificate. Note that you will later write this same password into View's locked.properties file in clear text, so choose one that is not used anywhere else.
Enter keystore password: MY_PASSWORD
When asked for your first and last name, enter the fully qualified domain name (FQDN) of your View server, exactly as clients will type it in their browser.
DO NOT enter your own name: this value becomes the certificate's CN, and a CN that does not match the hostname is rejected by browsers:
What is your first and last name?[Unknown]: view.tcpdump.com
- Answer the remaining questions to complete the creation of the keystore
What is the name of your organizational unit?[Unknown]: IT
What is the name of your organization?[Unknown]: TCPDump
What is the name of your City or Locality?[Unknown]: Phoenixville
What is the name of your State or Province?[Unknown]: PA
What is the two-letter country code for this unit?[Unknown]: US
Is CN=view.tcpdump.com, OU=IT, O=TCPDump, L=Phoenixville, ST=PA, C=US correct?[no]: yes
Enter key password for (RETURN if same as keystore password)
Press RETURN here. A PKCS#12 keystore cannot hold a key password that differs from the store password; keytool ignores a different value and prints a warning.
We are now ready to create the certificate signing request. We will continue with the use of the keytool:
From the command prompt, enter the following:
'keytool -certreq -keyalg "RSA" -file certificate.csr -keystore keys.p12 -storetype pkcs12'
C:\Program Files\VMware\VMware View\Server\sslgateway\conf>keytool -certreq -keyalg "RSA" -file certificate.csr -keystore keys.p12 -storetype pkcs12
Enter keystore password: MY_PASSWORD
- This creates a file called 'certificate.csr' in your working directory. You may now submit 'certificate.csr' to a CA in accordance with their enrollment process, requesting the issued certificate in PKCS#7 format (the format we import below). The CSR contains only public data, so it can be sent over any channel; the private key stays in keys.p12.
If you would like to try out a temporary certificate from an untrusted root, both Thawte and VeriSign offer free trials where you can try before you buy:
Thawte - https://www.thawte.com/cgi/server/try.exe
VeriSign - https://www.verisign.com/cgi-bin/clearsales_cgi/leadgen.htm?form_id=5191
Once you have your new certificate in PKCS#7 format, we continue with keytool to import it into View's keystore. If your CA delivers the server certificate on its own (for example as a single PEM .cer file) rather than as a PKCS#7 bundle, import the CA's intermediate and root certificates into the keystore first, because keytool refuses a certificate reply it cannot chain to a certificate it trusts.
Copy the file containing the CA-issued certificate to the directory that contains your keystore. In our example, this is:
'C:\Program Files\VMware\VMware View\Server\sslgateway\conf\'
- From the command prompt, enter the following, replacing the final argument with the file name of your certificate:
'keytool -import -keystore keys.p12 -storetype pkcs12 -keyalg "RSA" -trustcacerts -file <your certificate file>'
C:\Program Files\VMware\VMware View\Server\sslgateway\conf>keytool -import -keystore keys.p12 -storetype pkcs12 -keyalg "RSA" -trustcacerts -file thwat_test_key.p7
Because neither this command nor the earlier -genkey command specifies -alias, both use keytool's default alias, mykey, so the CA's reply is attached to the existing key pair rather than stored as a separate trusted certificate. If you chose an alias when generating the key, pass the same -alias here.
- You will be asked to provide the password to your keystore:
Enter keystore password: MY_PASSWORD
- After providing the correct password, you will see an informational screen similar to the one below with details about your certificate and the top-level certificate in the reply:
Owner: CN=Thawte Test CA Root, OU=TEST TEST TEST, O=Thawte Certification, ST=FOR TESTING PURPOSES ONLY, C=ZA
Issuer: CN=Thawte Test CA Root, OU=TEST TEST TEST, O=Thawte Certification, ST=FOR TESTING PURPOSES ONLY, C=ZA
Serial number: 0
Valid from: Wed Jul 31 20:00:00 EDT 1996 until: Thu Dec 31 16:59:59 EST 2020
- If you used a test certificate, as we did in the example above, you will receive an additional prompt that the issuer is not trusted. Answer this question with 'yes' or 'y'. With a production certificate you should not see this prompt at all; if you do, the reply did not chain to a trusted root, so stop and import the CA's chain rather than answering yes:
… is not trusted. Install reply anyway? [no]: y
- If everything worked, you should see a message indicating that the certificate was added to the keystore:
Certificate reply was installed in keystore
For the final part of our configuration, we must tell View to use the new certificate. We do this by editing the locked.properties file in the secure gateway's conf directory:
If the locked.properties file does not exist, create it. If the file already exists, edit it:
'C:\Program Files\VMware\VMware View\Server\sslgateway\conf\locked.properties'
C:\Program Files\VMware\VMware View\Server\sslgateway\conf>notepad locked.properties
- Add the following properties to the file, replacing the password value with your keystore's password. Because this file holds the keystore password in clear text, restrict its NTFS permissions to administrators and the account the View service runs under:
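The page's own listing of this file did not survive extraction; the following is an added reconstruction, not the original listing, using the two property names VMware documents for the View secure gateway (keyfile and keypass), with MY_PASSWORD standing in for the keystore password chosen at the keytool prompts:

```properties
# sslgateway\conf\locked.properties
# keyfile: the PKCS#12 keystore created with keytool, relative to the conf directory
keyfile=keys.p12
# keypass: the keystore password entered at the "Enter keystore password" prompt
# (placeholder value; use your own, and protect this file's permissions)
keypass=MY_PASSWORD
```

The gateway reads this file only at service start, which is why the service restart below is required.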
- Save the locked.properties file and exit notepad.
- Restart the View service so that the gateway re-reads locked.properties and loads the new keystore.
- If working from the Security Server:
C:\>net stop "VMware View Security Server"
The VMware View Security Server service is stopping..
The VMware View Security Server service was stopped successfully.
C:\>net start "VMware View Security Server"
The VMware View Security Server service is starting.
The VMware View Security Server service was started successfully.
If working from the Connection Server:
C:\>net stop "VMware View Connection Server"
The VMware View Connection Server service is stopping….
The VMware View Connection Server service was stopped successfully.
C:\>net start "VMware View Connection Server"
The VMware View Connection Server service is starting.
The VMware View Connection Server service was started successfully.
Using your web browser, navigate to your View Manager server over HTTPS and test out your new certificate: no warning should appear, and the certificate details should show your server's FQDN as the subject and your CA as the issuer.
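To make the two browser checks described earlier (name match and trusted issuer) concrete, and to give a scriptable way to test the new certificate after the restart, here is an added example in Python; it is not code from this article or from VMware. It models the checks on constructed certificate dictionaries in the format Python's ssl.getpeercert() returns, with a deliberately simplified trust store (a set of issuer CNs rather than a full chain build). The issuer "Example Root CA" and the trust-store contents are assumptions. Run it with a hostname argument to also connect to a live server and let Python's ssl module perform full validation against the operating system's trust store:

```python
"""Model the browser's certificate checks and probe a live View server.

Added example, not part of the original article. The certificate dicts below
are constructed by hand in the shape returned by ssl.SSLSocket.getpeercert().
"""
import socket
import ssl


def _dns_name_matches(pattern, hostname):
    """RFC 6125-style match: exact, or '*' as the entire left-most label only."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]                     # ".tcpdump.com"
    left = hostname[: -len(suffix)] if hostname.endswith(suffix) else ""
    # "*.tcpdump.com" matches "view.tcpdump.com", not "a.b.tcpdump.com" or "tcpdump.com"
    return left != "" and "." not in left


def subject_names(cert):
    """Names a browser will accept: SAN dNSName entries, falling back to the CN
    only when the certificate carries no SAN extension."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]


def issuer_common_name(cert):
    """CN of the issuer, or None if the certificate has no issuer CN."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def check_certificate(cert, hostname, trusted_issuers):
    """Return the list of problems a browser would raise (empty means no warning).

    trusted_issuers is an assumed, simplified trust store: a set of issuer CNs.
    A real browser validates the whole chain; that is out of scope here.
    """
    problems = []
    names = subject_names(cert)
    if not any(_dns_name_matches(n, hostname) for n in names):
        problems.append(f"name mismatch: certificate is for {names or ['(no name)']}, host is {hostname}")
    issuer = issuer_common_name(cert)
    if issuer not in trusted_issuers:
        problems.append(f"untrusted issuer: {issuer!r} is not in the trust store")
    return problems


# Constructed sample: the default View certificate, self-signed by "VMware VDM".
DEFAULT_VIEW_CERT = {
    "subject": ((("commonName", "VMware VDM"),),),
    "issuer": ((("commonName", "VMware VDM"),),),
}

# Constructed sample: a CA-issued certificate for the View Security Server
# (issuer name is an assumption for illustration).
CA_ISSUED_CERT = {
    "subject": ((("countryName", "US"),), (("organizationName", "TCPDump"),),
                (("commonName", "view.tcpdump.com"),)),
    "issuer": ((("organizationName", "Example CA Inc"),), (("commonName", "Example Root CA"),)),
    "subjectAltName": (("DNS", "view.tcpdump.com"),),
}

# Assumed browser trust store (issuer CNs only).
BROWSER_TRUST_STORE = {"Example Root CA"}


def probe(hostname, port=443):
    """Connect with full verification (name and chain) against the OS trust
    store and return (ok, detail). Needs network access; not used offline."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
        return True, f"verified: {subject_names(cert)} issued by {issuer_common_name(cert)!r}"
    except ssl.SSLCertVerificationError as err:
        # raised both for a hostname mismatch and for an untrusted chain
        return False, f"rejected: {err}"


if __name__ == "__main__":
    import sys
    for label, cert in (("default View cert", DEFAULT_VIEW_CERT), ("CA-issued cert", CA_ISSUED_CERT)):
        print(label, check_certificate(cert, "view.tcpdump.com", BROWSER_TRUST_STORE) or "OK")
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
```

Note that a self-signed certificate whose CN does match the hostname still fails the second check: fixing the name alone, as with an internal CA whose root is not installed on the clients, only removes one of the two warnings.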