Deploying wildcard SSL certificate for VMware Horizon 6

Quick notes on how to deploy a wildcard SSL certificate with VMware Horizon 6 setup. In my case there is one Connection server and one Security server, both running Windows 2012 R2 Server OS. We also own a wildcard certificate covering our public domain, say domain.org.

First, we had to convert our certificate from DER to PFX format, so it could be imported into Windows SSL Certificate store.

openssl pkcs12 -export -out star_domain_org_for_MS.pfx -inkey star_domain_org.key -in star_domain_org.crt -certfile CACert.crt -name "some_meaningful_name"

Where CACert.crt could be obtained from your CA.

Once you get your certificate in PFX format copy it to VMware Connection and Security servers. Log in to the Connection server, launch Microsoft Management Console and add Certificates snap-in (Computer account > Local computer).

Go to Certificates (Local Computer) > Personal > Certificates and delete existing, self-signed VM certificate which should have been generated during the software installation. Right-click on Certificates > Import and feed it with your PFX file. Once done, double-click on it and make sure that “You have a private key that corresponds to this certificate” is there. Then right-click the certificate, go to Properties and modify Friendly name field to vdm.

I also had to import my intermediate certificate from the CA (Certificates (Local Computer) > Intermediate Certification Authorities > Certificates > Import).

Once this is all done restart the Connection server and repeat the same procedure on the Security server (restart it as well).

[UPDATE:20150717] : you will still see yellow (alert) sign in front of your Connection server (Connection Server certificate is not trusted). The fix is to either allow Connection servers to access Internet over http/s so the URL in the Certificate Revocation List could be checked, or add a registry key on each Connection server:

[HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware VDM\Security]
"CertificateRevocationCheckType"="1"

Finally, below are two screenshots taken from the VMware Horizon View Administrator:

2015071701

2015071702

192.168.1.14 is the public IP address of the Security server and demo.domain.org resolves to 192.168.1.14.

Tags: , , , , , ,

Leave a Reply