How to Configure Certificates for VMware View 5.1
The following three posts describe the process of configuring certificates for VMware View 5.1.
- Generate and Import Certificates
- Configure DNS
- Update External URL
- Configure View Security Server Certificates
This method of certificate generation and importation uses Microsoft Certreq available in Windows Server 2008 R2 to quickly generate a Certificate Signing Request (CSR).
The tool uses a configuration file to generate a certificate request.
To create the configuration file:
- Open a text editor (such as Notepad), and create a new document.
- Copy and paste this text into the file and save it as request.inf. Copy the contents exactly.
;----------------- request.inf -----------------
[Version]
Signature="$Windows NT$"
[NewRequest]
Subject = "CN=View_Server_FQDN, OU=Organizational_Unit_Name, O=Organization_Name, L=City_Name, S=State_Name, C=Country_Name" ; replace attributes in this line using example below
KeySpec = 1
KeyLength = 2048
; Can be 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance.
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
[RequestAttributes]
; SAN="dns=FQDN_you_require&dns=other_FQDN_you_require"
;-----------------------------------------------
- Update the Subject attributes with appropriate values. For example:
Subject = "CN=view.company.com, OU=Helpdesk, O=IT, L=Palo Alto, S=California, C=US"
Note: Some Certificate Authorities (CAs) do not allow the use of abbreviations for the State attribute.
- Update the KeyLength attribute if necessary. The default of 2048 is adequate unless there is a specific need for a different length.
- If you are using a SAN, uncomment the line and update the SAN attribute with the FQDN, for example, server.domain.com.
- Save the file as request.inf.
Generate a CSR using the configuration file:
- Open a command prompt by right-clicking on cmd.exe and selecting Run as administrator.
- Change directory to the location where the request.inf file was saved. For example:
cd C:\certificates
- To generate the CSR file, run the command:
certreq -new request.inf certreq.txt
- Open the resulting certreq.txt CSR file in a text editor and supply the text to your CA to obtain a signed certificate.
The CA will provide a signed certificate, as well as a root CA certificate and an intermediate CA certificate, if applicable.
- Save the certificate text to a new file named cert.cer on the Connection Server where the certificate request was generated.
- Save the root and intermediate CA certificates to files named root.cer and intermediate.cer on the Connection Server where the certificate request was generated.
Import the signed certificate:
- Open a command prompt by right-clicking on cmd.exe and selecting Run as administrator.
- Change directory to the location where the signed certificate file cert.cer was saved. For example:
cd C:\certificates
- To import the signed certificate, run this command:
certreq -accept cert.cer
Once complete, the certificate is imported into the local machine’s certificate store.
- To ensure that the new signed certificate is trusted, follow the steps in these sections of the VMware View Installation documentation:
Note: The Connection Server service must be restarted for the new certificate to be loaded. For more information, see Stopping, starting, or restarting VMware View services (1026026).
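A check worth running once certreq -accept completes (added example, not from the original post or VMware's KB article): this Windows PowerShell snippet finds the certificate in the local machine store whose CN matches the FQDN from request.inf and reports whether the private key is present, the key size, the Server Authentication EKU, the validity window and whether the chain builds to a trusted root. The $Fqdn parameter and its default value are assumptions taken from the page's sample Subject line.

```powershell
# Added example: verify the certificate that "certreq -accept cert.cer" imported.
# Assumption: $Fqdn is the CN used in request.inf (default is the page's sample value).
param([string]$Fqdn = 'view.company.com')

# Same OID as the [EnhancedKeyUsageExtension] section of request.inf
$serverAuthOid = '1.3.6.1.5.5.7.3.1'

# Certificates in the local machine Personal store whose subject CN is the FQDN
$pattern = 'CN=' + [regex]::Escape($Fqdn) + '(,|$)'
$certs = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match $pattern })

if ($certs.Count -eq 0) {
    Write-Warning "No certificate with CN=$Fqdn found in Cert:\LocalMachine\My"
    return
}

foreach ($cert in $certs) {
    # Collect the EKU OIDs carried by the certificate
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $ekuOids = @($eku | ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })

    # Build the chain against this machine's root and intermediate stores.
    # The default policy checks revocation online, so an unreachable CRL
    # shows up in ChainStatus instead of passing silently.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)
    $chainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    $now = Get-Date
    New-Object PSObject -Property @{
        Thumbprint    = $cert.Thumbprint
        HasPrivateKey = $cert.HasPrivateKey      # False: CSR was made on another host
        KeySize       = $cert.PublicKey.Key.KeySize
        ServerAuthEku = ($ekuOids -contains $serverAuthOid)
        InValidity    = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
        ChainTrusted  = $chainOk                 # False: root.cer/intermediate.cer not trusted
        ChainStatus   = $chainStatus
    } | Select-Object Thumbprint, HasPrivateKey, KeySize, ServerAuthEku,
                      InValidity, ChainTrusted, ChainStatus
}
```

A result with HasPrivateKey or ChainTrusted set to False should be resolved before restarting the Connection Server service.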
Configuring Certificates on the VMware Composer Server
- You do not need to change the Friendly Name field on certificates on the Composer Server; this was only required for Connection Server and Security Server.
- On the vCenter/View Composer server, launch Start -> Run -> CMD
- Browse to "C:\Program Files (x86)\VMware\VMware View Composer"
- Enter: sviconfig -operation=ReplaceCertificate -delete=false
- You will be prompted to select the certificate, select the new certificate.
- You will see a message:
Unbind certificates from the port …. Successfully
Bind the new certificate to the port
ReplaceCertificate operation completed successfully
The original source of this content was found in VMware’s knowledge base under KB 2032400.