Posted on Jan 19, 2012

Exporting a GoDaddy wildcard certificate from IIS to VMware View Security Server

VMware View Security Servers require an SSL certificate to be installed for mobile VMware View clients to function properly. It’s also a good practice.

Chapter 7 of the VMware View 4.6 Installation manual attempts to document the procedure of how to export a certificate from a Windows 2008 IIS server and import it into a Windows 2008 VMware View Security Server, which happens to rely on Apache Tomcat.

The instructions and examples of the VMware View Installation manual are incomplete and its examples are sometimes misleading. After spending days of experimentation, all while working with VMware Support, I finally figured out how to properly perform this procedure.

In my example, I’m using a wildcard certificate from GoDaddy (*.example.com) that has been pre-installed on a Windows 2008 R2 IIS server in our domain. My objective was to export this wildcard certificate from our IIS server and use it for our VMware View Security Server at desktops.example.com.

Add keytool to the System Path

By adding the “keytool” folder to the system environment Path variable, we will be able to run this utility from any directory on the host.

Procedure

  • On your View Security Server host, right-click My Computer and select Properties
  • On the Advanced tab, click Environment Variables
  • In the System variables group, select Path and click Edit
  • Type the path to the JRE directory in the Variable Value text box. Use a semicolon (;) to separate each entry from other entries in the text box. Example: “;c:\Program Files\VMware\VMware View\Server\jre\bin”
  • Click OK until the Windows System Properties dialog box closes

Export existing certificate from IIS

We already own a GoDaddy wildcard SSL certificate (*.example.com) that is installed on a Windows 2008 server running IIS. We want to export this certificate from IIS and install it on the VMware View Security Server.

IIS exports certificates in the .pfx format, which is a PKCS#12 file. The export includes both the server certificate and its private key, so the password you set on the file is what protects the key material; it does not include the intermediate certificates.

Procedure

  • On your IIS server, click Start > Programs > Administrative Tools > Internet Information Services (IIS) Manager to open the Internet Information Services (IIS) Manager
  • To view the list of sites hosted by the server, expand the local computer entry and click Web Sites
  • Right-click the Web site entry that contains the certificate you want to export and select Properties (e.g. *.example.com)
  • On the Directory Security tab, click Server Certificate
  • When the Web Server Certificate wizard appears, click Next
  • Select “Export the current certificate to a .pfx file” and click Next
  • Specify a filename for the certificate file and click Next (e.g. desktops.example.com.pfx)
  • Type and confirm a password to be used to encrypt the .pfx file (e.g. P@ssw0rd) and click Next. The system displays summary information about the certificate you are about to export.
  • Verify the summary information and click Next > Finish.
  • Copy this desktops.example.com.pfx certificate from your IIS server to your VMware View Security Server, placing it in this folder: “c:\Program Files\VMware\VMware View\Server\sslgateway\conf”

Import an Intermediate Certificate into a Keystore File

GoDaddy wildcard certificates are signed by an intermediate GoDaddy CA rather than by a GoDaddy root CA. Before doing anything with our “desktops.example.com.pfx” certificate, we must first add the intermediate certificate to a keystore file. This process will also create our Tomcat keystore file for us.

Prerequisites

Visit https://certs.godaddy.com/anonymous/repository.seam to find a list of GoDaddy intermediate certificates. In our case we want “Go Daddy Certificate Bundles (for cPanel, Plesk, Apache 1.x and 2.x installation only)”, which is the file “gd_bundle.crt.”

Procedure

  • Download “gd_bundle.crt” from https://certs.godaddy.com/anonymous/repository.seam
  • Save “gd_bundle.crt” to “c:\Program Files\VMware\VMware View\Server\sslgateway\conf”
  • Import “gd_bundle.crt” into the keystore file, creating the keystore “keystore.jks” at the same time, by running this command:
  • CMD > keytool -importcert -keystore keystore.jks -trustcacerts -alias intermediateCA -file gd_bundle.crt
  • When prompted to create a password for your keystore.jks, do so (e.g. P@ssw0rd)

Import your Wildcard Server Certificate into the Keystore File

Once you have the intermediate GoDaddy certificate in place, it’s time to import the “desktops.example.com.pfx” server certificate you exported from your IIS server. Your .pfx export contains both the server certificate and the private key.

Procedure

  • Add the IIS server certificate and private key from the PKCS#12 file to the JKS keystore you just created by running this command (if you leave out the -srcstorepass and -deststorepass options, keytool prompts for the two passwords instead, which keeps them off the command line):
  • CMD > keytool -importkeystore -destkeystore keystore.jks -deststorepass P@ssw0rd -srckeystore desktops.example.com.pfx -srcstoretype PKCS12 -srcstorepass P@ssw0rd

Configure the View Security Server to Use the Wildcard Microsoft IIS SSL server certificate

To configure a View Security Server to use the SSL certificate, we must create a “locked.properties” file on the View Security Server and provide it some values.

Prerequisites

If you have been following along, your “c:\Program Files\VMware\VMware View\Server\sslgateway\conf” folder on your VMware View Security Server should have these newly added files:

  • desktops.example.com.pfx (the wildcard SSL certificate you exported from your IIS server)
  • gd_bundle.crt (the GoDaddy intermediate certificate you downloaded from https://certs.godaddy.com/anonymous/repository.seam)
  • keystore.jks (the Apache Tomcat keystore you created by importing both intermediate and server certificates)

Procedure

  • Create a “locked.properties” file by right clicking in “c:\Program Files\VMware\VMware View\Server\sslgateway\conf” > New > Text Document
  • Rename your .txt file to “locked.properties”, making sure to remove the .txt extension
  • Open “locked.properties” in a text editor and give it the following properties. keypass is the password you set on keystore.jks; because it is stored here in clear text, restrict access to this file to administrators.
    keyfile=keystore.jks
    keypass=P@ssw0rd
    storetype=jks
  • Save and close “locked.properties”
  • Restart the View Security Server service to make your changes take effect
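Before restarting the service it is worth confirming what actually landed in keystore.jks and that the keypass in locked.properties really opens it. The following script is an added example, not code from the original post, from VMware or from GoDaddy: it parses the JKS binary layout directly (magic 0xFEEDFEED, version 2, tagged entries, and a trailing SHA-1 over the UTF-16BE password, the fixed string “Mighty Aphrodite” and the body, as the JavaKeyStore implementation writes it) and lists the entries the way “keytool -list -v” does, so you can see one PrivateKeyEntry (the server certificate and key from the .pfx) and one trustedCertEntry (the intermediate). Because the hash is keyed by the store password, a mismatch tells you the keypass is wrong or the file is damaged. The keystore it reads is constructed inline from placeholder bytes so the script runs offline; the “certificates” in it are not real X.509 data, and the alias of the private-key entry is made up (the real one is whatever the .pfx carried).

```python
"""List the entries of a Java JKS keystore and check its integrity hash.

Added example, not code from the original post, VMware or GoDaddy.  It reads
the structure `keytool -list -v` prints, to confirm keystore.jks holds the
private-key entry from the .pfx plus the trusted intermediate entry, and that
the store password equals the keypass later written to locked.properties.
The sample keystore is built from placeholder bytes, not real X.509 data.
"""
import hashlib
import struct

MAGIC, VERSION = 0xFEEDFEED, 2
SALT = b"Mighty Aphrodite"        # fixed string Java mixes into the hash
PRIVATE_KEY, TRUSTED_CERT = 1, 2  # entry tags


def _utf(s):
    """Java DataOutput.writeUTF: 2-byte length prefix plus UTF-8 bytes."""
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def _digest(password, body):
    # JavaKeyStore: SHA-1 over the password as UTF-16BE, the salt, then the body.
    return hashlib.sha1(password.encode("utf-16-be") + SALT + body).digest()


def build_jks(password, private_entries, trusted_entries, ts_ms=0):
    """Serialise entries to a JKS blob; used here only to make sample input.
    private_entries: [(alias, encrypted_key, [cert_der, ...])]; trusted_entries: [(alias, cert_der)]."""
    body = struct.pack(">III", MAGIC, VERSION, len(private_entries) + len(trusted_entries))
    for alias, key_blob, chain in private_entries:
        body += struct.pack(">I", PRIVATE_KEY) + _utf(alias) + struct.pack(">q", ts_ms)
        body += struct.pack(">I", len(key_blob)) + key_blob + struct.pack(">I", len(chain))
        for cert in chain:
            body += _utf("X.509") + struct.pack(">I", len(cert)) + cert
    for alias, cert in trusted_entries:
        body += struct.pack(">I", TRUSTED_CERT) + _utf(alias) + struct.pack(">q", ts_ms)
        body += _utf("X.509") + struct.pack(">I", len(cert)) + cert
    return body + _digest(password, body)


class _Reader:
    """Cursor with the DataInput primitives the JKS layout is built from."""
    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated keystore")
        chunk, self.pos = self.data[self.pos:self.pos + n], self.pos + n
        return chunk

    def num(self, fmt):  # ">I" for Java int, ">q" for long, ">H" for UTF length
        return struct.unpack(fmt, self.take(struct.calcsize(fmt)))[0]

    def utf(self):
        return self.take(self.num(">H")).decode("utf-8")


def read_jks(data, password):
    """Return the entries of a JKS blob; ValueError on bad magic or password."""
    body, stored = data[:-20], data[-20:]
    # Keyed digest, not a signature: a mismatch means wrong keypass or damaged file.
    if _digest(password, body) != stored:
        raise ValueError("integrity check failed: wrong store password or damaged file")
    r = _Reader(body)
    if r.num(">I") != MAGIC or r.num(">I") != VERSION:
        raise ValueError("not a version-2 JKS keystore")
    entries = []
    for _ in range(r.num(">I")):
        tag, alias, created_ms = r.num(">I"), r.utf(), r.num(">q")
        if tag == PRIVATE_KEY:
            r.take(r.num(">I"))  # encrypted PKCS#8 key; a listing does not need it
            chain = [(r.utf(), r.take(r.num(">I"))) for _ in range(r.num(">I"))]
            kind, depth = "PrivateKeyEntry", len(chain)
        elif tag == TRUSTED_CERT:
            r.utf()              # certificate type ("X.509"), then the certificate
            r.take(r.num(">I"))
            kind, depth = "trustedCertEntry", 1
        else:
            raise ValueError("unknown entry tag %d" % tag)
        entries.append({"alias": alias, "type": kind, "chain_length": depth,
                        "created_ms": created_ms})
    return entries


def sample_keystore(password="P@ssw0rd"):
    """Constructed stand-in for keystore.jks after both keytool imports."""
    # keytool lower-cases aliases (hence 'intermediateca'); the key alias is made up.
    ts = 1326931200000  # 2012-01-19 00:00 UTC in Java millis
    fake_key, fake_cert, fake_ca = (b"\x30\x82" + bytes([i]) * 30 for i in (2, 0, 1))
    return build_jks(password, [("desktops.example.com", fake_key, [fake_cert])],
                     [("intermediateca", fake_ca)], ts)


if __name__ == "__main__":
    for e in read_jks(sample_keystore(), "P@ssw0rd"):
        print("%-22s %-17s chain=%d" % (e["alias"], e["type"], e["chain_length"]))
```

To run it against the real file, pass the bytes of “c:\Program Files\VMware\VMware View\Server\sslgateway\conf\keystore.jks” and the keypass from locked.properties to read_jks(); a ValueError from the integrity check at that point means the two passwords do not match, which is worth knowing before the service refuses to start. The script deliberately does not decode the certificates themselves, so use “keytool -list -v” when you need subjects, issuers or validity dates.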

Test to see if everything is installed correctly

GoDaddy offers a “SSL Installation Tool” that will remotely check to see if a publicly facing web server has its certificates properly installed.

Procedure

External Resources

Posted on Nov 13, 2011

GW3 ribbons Sapper Star and No Smoking

I’ve been enjoying some Gears of War 3 this weekend and started focusing on earning ribbons in multiplayer. Two ribbons that were difficult to earn (e.g. hard to figure out) were Sapper Star and No Smoking.

Sapper Star ribbon

The description reads “Killed an opponent with the opponent’s own planted frag grenade.” I thought I did this several times by simply running near an opponent after he/she planted their frag grenade on me. This never worked.

To earn the Sapper Star ribbon, I had to shoot an opponent’s planted frag grenade and have the detonation kill them. An opponent would have to plant their grenade on a wall or the ground by pressing B and stand near it. The grenade, now acting more like a motion-detector mine, would have to be shot when the enemy who planted it was near.

No Smoking ribbon

The description reads “Killed an opponent with a smoke grenade.” Most of the time, planting a smoke grenade on an opponent (pressing B) only knocks them down. If they are already down, it does nothing (e.g. it doesn’t kill them).

To earn the No Smoking ribbon, I had to knock an enemy down twice (knock them down, let them get up, knock them down again, let them get up again) and then plant the smoke grenade on them (after they got up the second time). Maybe they are weaker after being injured twice, I don’t know. But this is how I earned this ribbon.

Posted on Nov 12, 2011

Noblesville Panoramas

Equipped with my new iPhone 4S, last week I visited downtown Noblesville, Indiana, on my lunch break to capture several series of photos that I’d use to create panoramas.

In general, the phone’s camera is pretty good. It’s nice having a compact camera of this quality on me at all times.

For post production, I used AutoStitch and/or Windows Live Photo Gallery to stitch the images together to produce these panoramas. One comment on my Flickr feed says the buildings look cartoonish. I agree.

Posted on Aug 27, 2011

Google Contacts, sort by last name

Finally, Google Contacts lets you sort your address book by last name for Google Apps accounts. You’ll find this feature under the More button.

For those of us with large address books, this is such a welcomed feature that users have been requesting for a long time.

While Google’s “Merge Contacts” feature does a decent job of finding and merging duplicate contacts, it’s not perfect. I’ve found that people who use their middle names or a nickname often have duplicate entries in my address book and are not detected by the Merge Contacts feature.

Today, simply by sorting by last name and manually marking duplicate contacts, I was able to weed out more than 200 duplicates. The last name sort made it much easier to find “Smith, Bob” and “Smith, Robert” because they appeared next to each other instead of 100s of records apart.

Thank you Google Contacts for this addition.

Posted on Aug 13, 2011

How to get started in genealogy for free

I am an amateur genealogist. I’m frugal. I’m internet savvy. And in 10 years, I’ve amassed about 20,000 ancestors and descendants in my family tree, conducting most of this research for free.

Researching your family history is done in five basic steps:

  1. Free: Gather informal history from family and online strangers
  2. Free: Input and merge information into a genealogy database using software
  3. Free: Verify informal research via vital resources, citing your source
  4. Free: Share research online and exchange information with distant cousins
  5. Cost: Verify research via DNA and genetic testing

Informal History

Your objective is to research and document the facts of your ancestors and their descendants as accurately as possible. Asking family members and other genealogists to remember names and dates accurately for you is not evidence, but it’s a start. By gathering and organizing information from others, you will have a good foundation from which to start your research.

Living Family (free)

The absolute best way to get started is to contact living family members. Ask them to fill out both a Pedigree Chart and a Family Group Record. If you think they have a good memory, ask them to fill out some of this information on behalf of their parents and grandparents. The more information the better.

RootsWeb.com (free)

Purchased by Ancestry.com (a paid service) years ago, the RootsWeb.com database may not look pretty, but it contains a vast amount of family history that has already been organized by others. Best of all, most of this information may be exported and downloaded for free as .GED (GEDCOM) files, which are commonly used by genealogy software. Visit RootsWeb WorldConnect Project, find your ancestors, and download both their Pedigrees and Descendants.

Genealogy Database / Software

Organizing the information you gather is essential. In the case of RootsWeb exports, much of your history might already be found in a database format. I like to work on my database offline, but I’ll also present an online option.

Personal Ancestral File (free)

I am so efficient at entering data into the free Personal Ancestral File application that it is my top choice. It is capable of importing and exporting .ged (GEDCOM) files, which makes it easy to share data with genealogists. It has many great reporting features, which makes it easy to share your research with family members. And it is capable of finding and merging duplicate records, which is helpful if you import family history from different sources.

Geni.com (cost)

I only mention geni.com because it not only lets you build your own tree online, it lets others build your tree for you. By linking your ancestors to a common ancestor on someone else’s tree, you essentially add all of their research to your family tree. They call it World Family Tree. Neat concept, but you have to be a paid member to take full advantage of their services, which is why I’m content with PAF.

Vital Resources

Now it’s time to get serious. Everything you have gathered up to this point is hearsay and speculation. You now need to find one or more reputable sources to back up your research. There are many sources genealogists consider to be vital resources, but here are the most useful:

  • United States Census (1790 to 1930, with 1850 to 1930 being the most useful)
  • Birth, Marriage, and Death records
  • Social Security records
  • Tombstones

Thankfully, there are some excellent resources and databases online that reference this information.

FamilySearch.org (free)

In my opinion, FamilySearch.org is the best source of vital information online. Best of all, it’s free. In the U.S. alone, they have more than 300 collections of vital records, many of which are already cross-linked with relationships such as parents, spouse, and children. In many cases, the site provides an image of the original source, giving you the opportunity to see your ancestor’s name written by the census enumerator. You may search for individuals by name, date, location, and more. I also like to search by just the parents’ last names, which will help you find the birth, marriage, and death records of their children. If I had only one resource online to look up vital information, I would select FamilySearch.org; it’s that good.

FindAGrave.com (free)

This is another site that would benefit from a new design and better search, but it’s still useful. My logic is that if someone is going to carve a name and date in stone, they’ll try to get the information correct. Families also tend to be buried near each other. So if you find one ancestor in a cemetery, you will likely find some more (most likely the spouse). This database is built by users, so you might not consider the information a “vital record.” But many of the entries include a photo of the tombstone, which often contains the full name, date of birth, and date of death.

Share research online

Sharing your information online is important for two reasons: 1) it preserves your research so that others may find it and 2) it connects you with other genealogists who are likely researching common ancestors.

There are many places to post your information online. Most of the paid services will also accept your data at no cost because it strengthens their databases. Here’s where I like to upload my research:

Please remember to protect the privacy of living members by hiding their information online, a common feature these websites offer when you upload your .ged (GEDCOM) database.

DNA and genetic testing (cost)

Word of mouth, paper trails, and vital records can only go so far. Thanks to modern science, it is now possible for consumers to use DNA and genetic evidence in their genealogy research. This type of research is not free, since each test ranges from $100 to $500 depending on the complexity and detail. But it can help you validate family lines and find new cousins who share a common ancestor with you.

Y-DNA Testing is the most common means of validating your paternal line (your father, your father’s father, etc.). The Y chromosome is passed down from father to son virtually unchanged. Often, 12 generations might pass before a noticeable mutation in the DNA occurs.

I use Y-DNA testing to verify that descendants do in fact share a common ancestor and that my paper-trail research is accurate. By finding two living males of the same surname, whom I suspect share a common ancestor, I’m able to use DNA to prove that they are in fact related.

FamilyTreeDNA.com (cost)

FamilyTreeDNA.com is the best site for genealogists. It has the largest database of users, which is essential if you want to find others who share common DNA patterns and likely common ancestors. It also has a wide variety of tests to meet both your budget and objectives. When I find someone whom I’d like to have DNA tested, I often have to offer to sponsor a portion or all of their expenses. But the information received is valuable and lets you strongly confirm with real evidence that your research is accurate and valid.

Get Started

So there you have it. Some nice tips on how to get started in researching your own genealogy using mostly free resources. Before too long, you too will have a large understanding of your family’s history.