VMware Horizon View 6 Certificate Issue

Thank you all in advance. I am in the middle of standing up a VDI environment for 100 users. I have one 2012R2 server VM configured and installed for the Connection Server. I have a second 2012R2 VM with SQL Express for the log database. I am in the process of building my first gold image.

The issue is that the self-signed cert on the Connection Server is being flagged.

My questions are:
1. Does it matter that it is a self-signed cert? I do not have a CA set up in the environment.
2. Is there any performance issue to using a self-signed cert, or do I need to get one from a commercial CA?

I've read many posts, including the post by Derek Seaman.

I'm really confused on the whole certificate config,

please help!

Thank you
btan (Exec Consultant) commented:
Some of the common areas missed out include:

- To configure a View Connection Server instance or security server to recognize and use an SSL certificate, you must modify the certificate Friendly Name to vdm.
- Import the root certificate and intermediate certificates into the Windows local computer certificate store. After all certificates in the chain are imported, you must restart the View Connection Server service or Security Server service to make your changes take effect.

- In the case of an untrusted SSL certificate, import the signed SSL server certificate into the Windows Server host on which View Connection Server is installed, and the root certificate into the Windows local computer certificate store. If the View Connection Server host does not trust the root certificates of the SSL server certificates configured for the security server, View Composer, and vCenter Server hosts, you must also import those root certificates.

- You must also accept a certificate thumbprint when you upgrade from an earlier View release to View 5.1 or later and a vCenter Server or View Composer certificate is untrusted, or if you replace a trusted certificate with an untrusted certificate.

Do also catch the tutorial for obtaining an SSL cert. It is a useful guide: "Obtaining SSL Certificates for VMware View Servers"
> Obtaining SSL Certificates from a Certificate Authority
> Determining If This Document Applies to You
> Selecting the Correct Certificate Type
> Generating a Certificate Signing Request and Obtaining a Certificate with Microsoft Certreq
> Convert a Certificate File to PKCS#12 Format

gpradmin (Author) commented:
I'm not sure I understand what you are saying. Isn't there a simple way to add a self-signed cert to the Connection Server?
btan (Exec Consultant) commented:
I understand that by default, when you install View Connection Server or security server, the installation generates a self-signed certificate for the View server. It has the Friendly Name of “vdm”, and this is what View uses as an identifier. Of course, you can also have another certificate issued by your Windows CA (or other CA). Eventually the one with "vdm" is the one used. Importantly, the Common Name needs to be the same as the FQDN. Typically, once you have verified and applied the SSL certificate to a View Connection Server, you will follow the same process for other Connection Servers, the security server and the Composer server.

In the case of the gold image, as each connection instance has a unique host, it seems you need a wildcard SSL cert instead.
Wildcard Certificate
A wildcard certificate is generated so that it can be used for multiple services. For example: *.company.com.
A wildcard is useful if many servers need a certificate. If other applications in your environment in addition to View need SSL certificates, you can use a wildcard certificate for those servers, too.
You can use a wildcard certificate only on a single level of domain. For example, a wildcard certificate with the subject name *.company.com can be used for the subdomain dept.company.com but not dept.it.company.com.

This blog at http://www.virtualizetips.com/2014/07/01/vmware-horizon-6-install-part-3-ssl-certificates/ uses exactly the links you shared and follows on to update the Connection Server.
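The two checks in the reply above (the "vdm" Friendly Name is what View selects, and the Subject CN must equal the server's FQDN, with a wildcard covering only one label) can be verified on the Connection Server itself. This is an added example, not code from the thread or from VMware; it assumes it runs in an elevated PowerShell session on the Windows Server hosting View Connection Server, and the `Test-WildcardMatch` and `Test-ViewCertificate` names are the example's own.

```powershell
# Added example, not from the thread: inspect the certificate View Connection Server will use.
# View picks the certificate in the local computer Personal store whose Friendly Name is "vdm";
# its Subject CN must match the server's FQDN and clients must trust its chain.

function Test-WildcardMatch {
    param([string]$Pattern, [string]$HostName)
    # A wildcard covers exactly one label: *.company.com matches dept.company.com,
    # but not dept.it.company.com and not company.com itself.
    if ([string]::IsNullOrEmpty($Pattern) -or -not $Pattern.StartsWith('*.')) { return $false }
    $suffix = $Pattern.Substring(1)                      # ".company.com"
    if (-not $HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) { return $false }
    $leftmost = $HostName.Substring(0, $HostName.Length - $suffix.Length)
    return ($leftmost.Length -gt 0 -and $leftmost -notmatch '\.')
}

function Test-ViewCertificate {
    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    $vdm  = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.FriendlyName -eq 'vdm' })
    if ($vdm.Count -eq 0) { Write-Warning 'No certificate with Friendly Name "vdm" in LocalMachine\My'; return }
    if ($vdm.Count -gt 1) { Write-Warning 'More than one "vdm" certificate; View may not pick the one you expect' }

    foreach ($cert in $vdm) {
        $cn = $cert.GetNameInfo('SimpleName', $false)     # Subject CN
        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            CommonName    = $cn
            CnMatchesFqdn = ($cn -ieq $fqdn) -or (Test-WildcardMatch $cn $fqdn)
            SelfSigned    = ($cert.Subject -eq $cert.Issuer)
            # Verify() builds and validates the chain; it is false for a self-signed cert whose
            # root is not in Trusted Root Certification Authorities, which is why clients flag it.
            ChainTrusted  = $cert.Verify()
            HasPrivateKey = $cert.HasPrivateKey
            DaysToExpiry  = [int]($cert.NotAfter - (Get-Date)).TotalDays
        }
    }
}

Test-ViewCertificate | Format-List
```

`ChainTrusted` reflects the server's own trust store; the clients that flag the certificate use their own, so a self-signed cert only stops being flagged when its root is distributed to them as well.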
gpradmin (Author) commented:
I looked at this. The issue is that when you have to select your template, I do not have any templates available to select (step 5 or 6, I think).
btan (Exec Consultant) commented:
It then looks like what the author advised:
> ...On this step, you will pick the certificate template that we wish to use. Again you could probably get by with the Web Server one that is built into the Windows CA, but using the VMware-SSL one created earlier off the post linked is the one I’ll be using.
This is in reference to his first link on creating the template, to check before going into his steps. I did not delve further, though, but it is the same link as in your posted question; you probably have to step back and retrace the steps again to verify.
gpradmin (Author) commented:
Right, but I don't get the option to use even the built-in Web Server one.
btan (Exec Consultant) commented:
You need to build a certificate template then; you need to fulfil the prerequisites before you can get to see the template, e.g.:

- When a Windows Server 2008–based CA is installed, a set of default certificate templates is assigned to the CA so that the CA is immediately able to issue certificates for those templates. This is inclusive of the Web Server template. Note that these templates are installed in AD DS when an enterprise CA is installed.

- We will need certificates based on version 2 or version 3 templates, as they can be modified, compared to version 1. The newer versions can only be issued by an enterprise CA and require an Active Directory environment based on Windows Server 2003 or higher. Note that CAs installed on computers running Windows Server 2008 Standard and Windows Server 2003 Standard Edition support only version 1 templates.

- As stated in the article you shared, you may have problems with “standard” edition CAs prior to Windows Server 2012, as they lack some certificate features found in Enterprise or higher editions. Minimally, Windows Server 2012 Standard edition has the full complement of certificate options, hence no need for Enterprise edition.

- Thereafter we can start to perform any of the tasks associated with creating a certificate template; do note that you must be logged on as a member of the Enterprise Admins group, a member of the forest root domain's Domain Admins group, or as a user who has been granted permission to perform the task.

The steps are shared in https://technet.microsoft.com/en-us/library/cc770794(v=ws.10).aspx for duplicating the template. Unless we cross the template issue, the rest of the previously shared article cannot be performed (yet).
gpradmin (Author) commented:
I'm logged in as the administrator. I thought the administrator account had all these privileges by default.
btan (Exec Consultant) commented:
Enterprise Admin or Domain Admin, as it is an Enterprise CA, and not local admin. This is likely because certificate templates are published to the Configuration naming context, which is stored on every domain controller in the forest in the path: CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRootDomain.
gpradmin (Author) commented:
I have been running without a cert for now. I will revisit the cert issue in a few weeks. I'll keep you posted.
btan (Exec Consultant) commented:
Noted, thanks.
gpradmin (Author) commented:
Sorry for the delay in getting back to this. I will review and follow up in about a week.