certificate

Firefox does not trusts vCenter signed CA certificates

For a vCenter Server environment I replaced the default SSL certificates with CA signed SSL certificates. The Platform Service Controller (PSC) is configured as VMCA subordinate CA. When opening the vSphere Web/HTML5 Client, Firefox displays the following warning: Your connection is not secure.

This is because Firefox does not trust root certificates in the Windows certificate store. Since Firefox 49 a new option is included which allows Firefox to trust root certificates. This option is not enabled by default.

The following steps illustrate how to configure Firefox to use the Windows certificate store:

  • Open Firefox
  • In the address bar type: about:config
  • Accept the warning
  • Navigate to Preference name: security.enterprise_roots.enabled 
  • Set the value to:  true

Firefox now trust the root certificates in the Windows certificate store.

 

Create a VMware Horizon View self signed certificate with makecert

With the command line Windows utility “makecert.exe” it is possible to create quickly a self-signed (private) certificate that can be used with VMware Horizon View. Makecert is part of the Windows Software Deployment Kit (SDK)for Windows 7 and 8.  Below are the steps outlined to create a self-signed certificate using makecert.

  • The SDK can be downloaded here, link. Install the SDK and choose as feature to install “Windows Software Deployment”.
  • After the installation copy the makecert.* utility to the VMware View Connection server
  • Open a elevated command prompt
  • Create the self-signed root certificate, command: makecert -pe -n “CN=ViewRootCA” -ss root -sr LocalMachine -sky signature -r “ViewRootCA.cer”

image

  • Open certlm.msc and go to “Trusted Root Certification Authorities” and verify if the root certificate generated with makecert.exe exist. The root certificate can copied to all the servers and View Clients. If the clients are domain joined a Group Policy can be used to distribute the root certificate. More information can be found here, link.

image

  • Create a new self-signed certificate, command: makecert -pe -n “CN=viewcon02.beerens.local,cn=viewcon02” -ss my -sr LocalMachine -sky exchange -in “ViewRootCA” -is root -ir LocalMachine -sp “Microsoft RSA SChannel Cryptographic Provider” -sy 12 viewcon02.cer

image

  • The certificate is added to the personal store of the local computer

image

  • Change the Friendly name of the newly created self-signed certificate to: vdm
  • Remove the already existing self-signed certificate

image

  • Restart the VMware View Connection Server service
  • In the System Health dashboard the Connection Server system health gets green

image

Create a signed certificate for VMware View Connection Servers using a Windows Server 2012 CA

For VMware Horizon View it is recommends that you configure your VMware View Horizon Servers with a signed SSL certificate. Default when you install a VMware View Horizon servers, a certificate is generated that is not signed by a CA. Because it is not signed by a CA It is possible to to intercept traffic. So it is highly recommend to replace the default certificate with a signed certificate after the installation.

In the VMware View Horizon Administrator dashboard you can see that the Connection Server does not have a valid signed certificate.

image

The following steps explains how-to create a signed certificate and replace the self-signed certificate on the VMware View Horizon Connection Server(s). As CA is a Windows Server 2012 Enterprise Certificate Authority used. The installation of this CA is not part of the steps! The VMware View Horizon Connection Server(s) are installed on Windows Server 2008 R2.

Steps on the Windows Server 2012 Certification Authority

  • Open the Certification Authority program in the tools section in Server Manager from the Windows Server 2012 server
  • Expand the server name and right click on Certificate Template and choose Manage

image

  • Select the Web Server Template and choose Duplicate Template
  • Leave all the fields defaults except the following:
    • In General change the Template display name, Template name and Validity period and Renewal period fields to your needs
    • In Request Handling  mark Allow private key to be exported
    • In the Security add the computer account of the View Connection Servers with the Read, Write and Enroll permissions checked
image image
image  
  • Close the Certificate Templates Console
  • In the Certificate Authority choose NewCertificate Template to issue  and select the Certificate Template just created
image image

 

Steps on the VMware Horizon View Connection Server(s)

  • Start – Run – MMC
  • File – Add Snap-ins – Certificates – Computer Account – Local  computer
  • Personal – Certificates – All Tasks – Select Request New Certificate

image

  • Next
  • Choose Active Directory Enrollment Policy
  • Next
  • Check the VMware View template and select Properties 

image

  • In subject – Subject name Type select Common Name. Enter the FQDN name of the VMware View Horizon Connection server

image

  • In General enter as Friendly name vdm in the field

image

– Check in the Private Key – Key Options field if Make private key exportable option is checked

image

  • OK and press Enroll

image

  • Rename the Friendly name of the old self signed certificate to another name as VDM

image

  • Restart the VMware View Connection Server service.

image

  • Wait some time so that the VMware View Connection Server can load
  • Login the View Administrator portal and within a couple of minutes the dashboard System Health of the Connection Servers should get a green color. The VMware View Connection Servers has now a signed certificate
image image