VMware View Security Servers require an SSL certificate to be installed for mobile VMware View clients to function properly. It’s also a good practice.
Chapter 7 of the VMware View 4.6 Installation manual attempts to document the procedure of how to export a certificate from a Windows 2008 IIS server and import it into a Windows 2008 VMware View Security Server, which happens to rely on Apache Tomcat.
The instructions and examples of the VMware View Installation manual are incomplete and its examples are sometimes misleading. After spending days of experimentation, all while working with VMware Support, I finally figured out how to properly perform this procedure.
In my example, I’m using a wildcard certificate from GoDaddy (*.example.com) that has been pre-installed on a Windows 2008 R2 IIS server in our domain. My objective was to export this wildcard certificate from our IIS server and use it for our VMware View Security Server at desktops.example.com.
Add keytool to the System Path
By adding the “keytool” folder to the system environment Path variable, we will be able to run this utility from any directory on the host.
- On your View Security Server host, right-click My Computer and select Properties
- On the Advanced tab, click Environment Variables
- In the System variables group, select Path and click Edit
- Type the path to the JRE directory in the Variable Value text box. Use a semicolon (;) to separate each entry from other entries in the text box. Example: “;c:\Program Files\VMware\VMware View\Server\jre\bin”
- Click OK until the Windows System Properties dialog box closes
Export existing certificate from IIS
We already own a GoDaddy wildcard SSL certificate (*.example.com) that is installed on a Windows 2008 server running IIS. We want to export this certificate from IIS and install it on the VMware View Security Server.
IIS exports certificates in the .pfx format, which is a PKCS#12 file format. The PKCS#12 format includes both the server certificate and the private key, but not the intermediate certificates.
- On your IIS server, click Start > Programs > Administrative Tools > Internet Information Services (IIS) Manager to open the Internet Information Services (IIS) Manager
- To view the list of sites hosted by the server, expand the local computer entry and click Web Sites
- Right-click the Web site entry that contains the certificate you want to export and select Properties (e.g. *.example.com)
- On the Directory Security tab, click Server Certificate
- When the Web Server Certificate wizard appears, click Next
- Select “Export the current certificate to a .pfx file” and click Next
- Specify a filename for the certificate file and click Next (e.g. desktops.example.com.pfx)
- Type and confirm a password to be used to encrypt the .pfx file (e.g. [email protected]) and click Next. The system displays summary information about the certificate you are about export.
- Verify the summary information and click Next > Finish.
- Copy this desktops.example.com.pfx certificate from your IIS server to your VMware View Security Server, placing it in this folder: “c:\Program Files\VMware\VMware View\Server\sslgateway\conf”
Import an Intermediate Certificate into a Keystore File
GoDaddy wildcard certificates are signed by an intermediate GoDaddy CA rather than by a GoDaddy root CA. Before doing anything with our “desktops.example.com.pfx” certficate, we must first add the intermediate certificate to a keystore file. This process will also create our Tomcat keystore file for us.
Visit https://certs.godaddy.com/anonymous/repository.seam to find a list of GoDaddy intermediate certificates. In our case we want “Go Daddy Certificate Bundles (for cPanel, Plesk, Apache 1.x and 2.x installation only)”, which is the file “gd_bundle.crt.”
- Download “gd_bundle.crt” from https://certs.godaddy.com/anonymous/repository.seam
- Save “gd_bundle.crt” to “c:\Program Files\VMware\VMware View\Server\sslgateway\conf”
- Import “gd_bundle.crt” into the keystore file, and create the keystore “keystore.jks” while you are at it by using this command
- CMD > keytool -importcert -keystore keystore.jks -trustcacerts -alias intermediateCA -file gd_bundle.crt
- When prompted to create a password for your keystore.jks, do so (e.g. [email protected])
Import your Wildcard Server Certificate into the Keystore File
Once you have the intermediate GoDaddy certificate in place, it’s time to import the “desktop.example.com.pfx” server certificate you exported from your ISS server. Your .pfx export contains both the server certificate and the private key.
- Add the IIS server certificate and private key from the PKCS#12 file to the JKS keystore you just created by using this command
- CMD > keytool -importkeystore -destkeystore keystore.jks -deststorepass [email protected] -srckeystore desktops.example.com.pfx -srcstoretype PKCS12 -srcstorepass [email protected]
Configure the View Security Server to Use the Wildcard Microsoft IIS SSL server certificate
To configure a View Security Server to use the SSL certificate, we must create a “locked.properties” file on the View Security Server and provide it some values.
If you have been following along, your “c:\Program Files\VMware\VMware View\Server\sslgateway\conf” folder on your VMware View Security Server should have these newly added files:
- desktops.example.com.pfx (the wildcard SSL certificate you exported from your ISS server)
- gd_bundle.crt (the GoDaddy intermediate certificate you downloaded from https://certs.godaddy.com/anonymous/repository.seam)
- keystore.jks (the Apache Tomcat keystore you created by importing both intermediate and server certificates)
- Create a “locked.properties” file by right clicking in “c:\Program Files\VMware\VMware View\Server\sslgateway\conf” > New > Text Document
- Rename your .txt file to “locked.properties”, making sure to remove the .txt extension
- Open “locked.properties” in a text editor and give it the following properties
keyfile=keystore.jks [email protected] storetype=jks
- Save and close “locked.properties”
- Restart the View Security Server service to make your changes take effect
Test to see if everything is installed correctly
GoDaddy offers a “SSL Installation Tool” that will remotely check to see if a publicly facing web server has its certificates properly installed.
- Visit https://certs.godaddy.com/ccp/tools/sslinstallvalidator.seam
- Log in with your GoDaddy credentials
- Tools > SSL Installation Tool
- Enter your URL and click Validate Install
- If all went well, you’ll see “Results:No issues found.”