SSL Certs for View Access to TCC Labs

I have been working on a project for the next generation of lab environments for the VMware IT Academy Program and the Cyber Security Program offered at Tidewater Community College. We now have quite a few classes using this new lab environment we stood up over the summer: the VMware ICM class I teach on Thursday evenings, four Cyber Security classes, and two Linux classes. There are around 120 students using the environment and this will probably quickly expand over the next few semesters.

The primary purpose of the environment is to allow students to access secure and isolated lab environments containing all the resources necessary to complete lab work required for each of the classes. In the past students were required to build out there own labs on standalone machines located on campus. With this project we are also able to allow students to access their lab environments remotely. Each student lab environment is isolated and access is provided through a virtual desktop. Currently we are using VMware Horizon View 6.2 to provide this access.

We are a bit over 3 weeks into the 2016 Fall semester and so far things have been working great. As with anything new there have been a few challenges but most of the issues we have encountered have been easy to correct.

We have been using the default self-signed certificates. One of the things on my project list is to update the self-signed SSL certificates to CA signed SSL certificates. This post covers the process I followed and includes some of the resources I found helpful for replacing the default self-signed certificates with certificates signed by a CA.

Here the overview of the process I followed for replacing the self-signed certificates on View Connection and View Security servers:

1. Create a certificate signing requests (CSR). The VMware KB 2032400 Using Microsoft Certreq to generate signed SSL certificates in VMware Horizon View walks through this process step-by-step.
2. Use the CSR to obtain a signed certificate. I used SSL2Buy at https://store.ssl2buy.com/ mainly due to the fact they were very inexpensive, $45 per year for a Subject Alternative Name (SAN) SSL Certificate with up to 4 FQDNs. This allowed me to use a single signed certificate for the remote access FQDN, the security server FQDN, and the connection server FQDN.
3. Import the CA certificate chain, Root and Intermediate Certificates, into the connection servers and security servers certificate store.
4. Add the new signed certificate to the connection server. The process for this is also detailed in the VMware KB 2032400
5. Edit the properties of the old self-signed certificate on the Connection Server to change the name to something other than vdm (vdm_old for example). Make sure the friendly name of the new signed certificate is set to vdm.
6. Restart VMware View Connection Server services and the VMware View Blast Secure Gateway service on the Connection Server so it will use the new certificate.
7. Export the certificate and the private key. This will create a .pfx file which you can then import into the other View servers.
8. Import the certificate and private key (.pfx file) into the security server.
9. Edit the properties of the old self-signed certificate on the Security Server to change the name to something other than vdm (vdm_old for example). Make sure the friendly name of the new signed certificate is set to vdm.
10. Restart VMware View Security Server services and the VMware View Blast Secure Gateway service on the Security Server so it will use the new certificate.

Everything is good to go now, with CA signed certificates. No more errors in the View Administration Dashboard. More importantly students are no longer receiving a certificate error when accessing the environment.

Couple of other resources I googled across which also helped out:

• VMware Horizon 6 Install – Part 3 SSL Certificates at VirtualizeTips
• VMware Horizon View Connection Server SSL Certificate How-to at ESXvirtualization
• Configuring SSL Certificates for View Server from the VMware Horizon 6 Documentation Center

I will be writing up a more detailed post on the TCC lab environment soon.