
Jun 14, 2009

VMware View Security Server – How to use a commercial wildcard certificate




Recently I had to configure a View Security Server with a wildcard certificate. For me this was a first, and it cost me quite a bit of time. I also found the documentation on it (in the View Admin guide) fairly minimal, so I'll share my experiences here.




The Certificate Issues


My scenario: I was given a wildcard certificate in .cer/.crt (PEM) format and a separate key file in .key format. These are not the format View wants (it needs a .pfx, as stated in the Admin guide), so I combined them using OpenSSL. The version I used is from the GnuWin32 utilities at gnuwin32.sourceforge.net. The command I used for this was:
openssl.exe pkcs12 -export -out secure.website.com.pfx -inkey keyfile.key -in star_website.crt


This created secure.website.com.pfx. I imported it in certmgr.msc (the Microsoft Certificate Manager) to check its status. Certificate Manager tells me it is not able to verify this certificate. I discover that the certificate is signed by DigiCert. On DigiCert's website I find their root certificates at http://www.digicert.com/digicert-root-certificates.htm. I download and install their root certificates, but my problem remains. The problem turns out to be that my certificate is not signed by DigiCert Global Root CA, but by DigiCert Global CA (without the "Root"). This certificate is not available for download from DigiCert, but Google guides me to http://www.digicert.com/CACerts/DigiCertGlobalCA.crt. This only leads to my next problem:


My original secure.website.com.crt was given to me in the following (Base64/PEM) format:



-----BEGIN CERTIFICATE-----
MIIF2zCCBMOgAwIBAgIQDxsRAmWiSkaXgZmgHzKDBDANBgkqhkiG9w0BAQUFADBc
ro/jP6wKPNT5CSiVt85VY5R1cpJwWxxQjGeT10pMxPtXr4P/XbZzvTvmMvfb6M0f
mXjDaZPEaYg1cJHMLWJF
-----END CERTIFICATE-----



The new certificate I just downloaded (DigiCertGlobalCA.crt) is not; it is DER-encoded, i.e. binary. I now have to obtain this CA certificate in the right format. Google helps again and finds https://maven.atlassian.com/, which uses the certificate. In IE I then open the Security Report (the padlock) and click "View Certificate".


[Image 1]
I go to Certification Path, select DigiCert Global CA, and click "View Certificate". Next I choose Details and "Copy to File" ("Copy to File" was at first greyed out in my browser; I had to turn off UAC in Windows 7). Finally I choose "Base-64 encoded X.509 (.CER)" as the format. This finally gives me the DigiCert Global CA certificate in the right format.


Checking the path, I realize that this certificate is an intermediate, itself signed by Entrust.


[Image 2]
Specifically: Entrust.net Secure Server Certification Authority. I can download this certificate in the right format from the Entrust.net website.


I now have three certificates:


  1. Secure.website.cer
  2. Digicert.cer
  3. Entrust.cer
I open all of them in Notepad and combine them into one text file, combined.cer, in the order above (leaf first, then the intermediate, then the root).
I can now go back to OpenSSL and run:

openssl.exe pkcs12 -export -out secure.website.com.pfx -inkey keyfile.key -in combined.cer


This works, and Certificate Manager now verifies the certificate as OK.
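The steps above (combine the leaf, intermediate and root in the right order, export to PKCS#12, and convert a DER-encoded CA download to Base64) can all be done and checked with openssl alone, without certmgr.msc or a browser. The script below is an added example, not code from the original post: it builds a throwaway root -> intermediate -> wildcard chain with test CAs (standing in for *.website.com <- DigiCert Global CA <- Entrust.net), reproduces the "unable to verify" failure when the intermediate is missing, checks that combined.cer is in the correct order and that the key belongs to the leaf, and then exports the .pfx. All CA names, file names and the password are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post. It reproduces the post's
# situation with throwaway test CAs: a wildcard leaf signed by an intermediate
# that is itself signed by a root. All names, passwords and paths are constructed.
set -e

# Build root -> intermediate -> wildcard leaf in directory $1.
make_test_chain() {
    dir=$1
    mkdir -p "$dir"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.website.com,DNS:website.com\n' > "$dir/leaf.ext"
    # Root CA: self-signed with its own key.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/root.key" -out "$dir/root.csr" -subj "/CN=Test Root CA" 2>/dev/null
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 2 -extfile "$dir/ca.ext" -out "$dir/root.crt" 2>/dev/null
    # Intermediate CA, signed by the root (the "DigiCert Global CA" role).
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/int.key" -out "$dir/int.csr" -subj "/CN=Test Intermediate CA" 2>/dev/null
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" -CAcreateserial -days 2 -extfile "$dir/ca.ext" -out "$dir/int.crt" 2>/dev/null
    # Wildcard leaf, signed by the intermediate; file names mirror the post's.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/keyfile.key" -out "$dir/leaf.csr" -subj "/CN=*.website.com" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.crt" -CAkey "$dir/int.key" -CAcreateserial -days 2 -extfile "$dir/leaf.ext" -out "$dir/star_website.crt" 2>/dev/null
    # A binary (DER) copy of the intermediate, like the DigiCertGlobalCA.crt download.
    openssl x509 -in "$dir/int.crt" -outform DER -out "$dir/int.der"
}

# Convert a DER-encoded CA download to Base64/PEM (no browser export needed).
pem_from_der() {
    openssl x509 -inform DER -in "$1" -outform PEM -out "$2"
}

# Check a PEM bundle is ordered leaf, intermediate(s), root: each certificate's
# issuer must equal the subject of the certificate that follows it.
chain_in_order() {
    bundle=$1
    tmp=$(mktemp -d)
    awk -v out="$tmp/cert." '/BEGIN CERTIFICATE/{n++} n>0{print > (out n)}' "$bundle"
    n=$(grep -c 'BEGIN CERTIFICATE' "$bundle")
    i=1
    while [ "$i" -lt "$n" ]; do
        j=$((i + 1))
        issuer=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$tmp/cert.$i" | sed 's/^issuer=//')
        subject=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$tmp/cert.$j" | sed 's/^subject=//')
        if [ "$issuer" != "$subject" ]; then
            echo "chain break between certificate $i and $j: issuer '$issuer' != subject '$subject'" >&2
            rm -rf "$tmp"
            return 1
        fi
        i=$j
    done
    rm -rf "$tmp"
}

# Confirm the private key belongs to the leaf by comparing public keys.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout -outform DER | openssl sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey | openssl pkey -pubin -pubout -outform DER | openssl sha256)
    [ "$k" = "$c" ]
}

# Export key + full chain to PKCS#12, as the post does with openssl.exe on Windows.
build_pfx() {   # key bundle out password
    openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout "pass:$4"
}

# Count the certificates that actually ended up in the .pfx (leaf + chain).
count_certs_in_pfx() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

WORK=$(mktemp -d)
make_test_chain "$WORK"
pem_from_der "$WORK/int.der" "$WORK/int_from_der.crt"

# The post's first failure: the root alone cannot verify the leaf because the
# intermediate is missing (what certmgr.msc reported as "unable to verify").
if openssl verify -CAfile "$WORK/root.crt" "$WORK/star_website.crt" >/dev/null 2>&1; then
    echo "unexpected: leaf verified without the intermediate" >&2
    exit 1
fi
# With the intermediate supplied, the path is complete.
openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/int_from_der.crt" "$WORK/star_website.crt"

# Build combined.cer as leaf, intermediate, root; keep a wrongly ordered copy for comparison.
cat "$WORK/star_website.crt" "$WORK/int_from_der.crt" "$WORK/root.crt" > "$WORK/combined.cer"
cat "$WORK/root.crt" "$WORK/int_from_der.crt" "$WORK/star_website.crt" > "$WORK/wrong_order.cer"
chain_in_order "$WORK/combined.cer"
key_matches_cert "$WORK/keyfile.key" "$WORK/star_website.crt"
build_pfx "$WORK/keyfile.key" "$WORK/combined.cer" "$WORK/secure.website.com.pfx" secret
echo "certificates in secure.website.com.pfx: $(count_certs_in_pfx "$WORK/secure.website.com.pfx" secret)"
```

Run it as-is; the resulting secure.website.com.pfx is the file that goes into sslgateway\conf in the steps that follow. One caveat when doing this today: openssl pkcs12 -export on OpenSSL 3.x defaults to AES-256/PBKDF2 encryption, which JREs and Windows versions as old as the ones View 3 ran on may not be able to read; if the import fails on the target, re-export with the -legacy option so the older RC2/3DES encoding is used.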


On the Security Server

I copy the certificate to the security server, and place it in: C:\Program Files\VMware\View Manager\Server\sslgateway\conf


To be safe (I don't know if this step is necessary), I also add the DigiCert and Entrust certificates to the Java CA trust store (cacerts) used by VMware View. Each import needs its own -alias: without one, keytool uses the default alias mykey, and the second import fails because that alias already exists. The default password for the JRE cacerts keystore is changeit.

C:\Program Files\VMware\VMware View\Server\jre\lib\security>keytool -import -alias digicert -file digicert.cer -keystore cacerts
C:\Program Files\VMware\VMware View\Server\jre\lib\security>keytool -import -alias entrust -file entrust.cer -keystore cacerts

All this is just to make sure the certificate chain is trusted on the Security Server.
I then edit locked.properties in the same sslgateway\conf directory and add (values are unquoted; note that keypass is stored in plain text, so restrict access to this file):

keyfile=secure.website.com.pfx
keypass=<the password you gave when creating the .pfx>

I restarted the View Connection service, and all was well!
It cost me a lot of time, and looking back on it, I should just have requested a new certificate and followed the regular procedure. But it can be done.

3 comments:

  1. Important detail: It did not work for me until I removed the existing vdm.p12 file from the conf directory (View 5). I also used Firefox to convert the pfx to p12 format.

  2. Hi, thanks for adding your info. Please note that this post is quite old and was written for View 3. Now (2012) I'd look at Gunnar Berger's article here: http://communities.vmware.com/docs/DOC-18059

    -Poort

  3. Anonymous, May 15, 2012

    Hi,

    This article worked for me with View 4.6. Make sure you use a new truststore.
