Replacing the Self-Signed Certificate in VMware App Volumes 2.12

This post was originally published on this site

By Josh Spencer, End-User-Computing Architect, Technical Marketing, VMware

With significant contributions from

Graeme Gordon, Senior End-User-Computing Architect, Technical Marketing, VMware

and

Pim van de Vis, Product Engineer, User Environment Manager, R&D, VMware

Introduction

It is becoming increasingly common for IT to implement SSL certificates for secure communications among application components. Using certificates provides a number of benefits, including privacy and secure authentication, for a relatively small investment.

Self-signed certificates allow applications to be deployed quickly, but are intended for lab, proof-of-concept, or nonproduction implementations. For production implementations, you should use certificates signed by a Certificate Authority (CA), whether private (such as an on-premises Microsoft CA), or from a trusted public CA.

The latest release of VMware App Volumes includes several new features and enhancements. This blog post focuses on a new capability that encrypts and secures communication between App Volumes Manager and App Volumes Agent.

When you install the App Volumes Manager (referred to as Manager here), a self-signed certificate is applied. When you launch the Web-based Manager console, a security warning appears indicating that the SSL certificate is not from a trusted source.

 

Example certificate warning.

 

app-volumes-2-12-certificate-replacing-self-signed_01

This blog post walks you through the process of replacing the Manager self-signed certificate with a Microsoft CA-signed certificate. After you read through this blog post, if you would like to see the process, watch the video Replacing the App Volumes 2.12 Default Self-Signed SSL Certificate:

app-volumes-2-12-certificate-replacing-self-signed_40

Note: A variety of certificate authorities, attributes, and options for generating certificates exist. This blog post gives only one example. VMware recommends following your organization’s standards for certificates.

Overview of the Certificate Replacement Process

Steps 1 and 2 in the following list generate a certificate using a Microsoft CA. If your organization uses a different Certificate Authority for this process, Steps 1 and 2 may differ in how you obtain your certificate. Steps 3 through 6 are still applicable but may vary slightly depending on the type of certificate your CA provides.

  1. Generate a Certificate Signing Request (CSR) for the App Volumes Manager server.
  2. Submit the CSR to a Certificate Authority for certificate generation. A Microsoft CA is used for the purposes of this blog post, though the process is similar when submitting a CSR to other CAs.
  3. Import the SSL certificate to the App Volumes Manager server.
  4. Export the certificate and private key to a PFX file.
  5. Extract the certificate and private key from the PFX file, and convert the private key to PEM format.
  6. Configure NGINX to use the certificate and PEM-formatted key file.

Step 1: Generate a Certificate Signing Request

A CSR defines parameters for the certificate you are requesting, and can be submitted to a variety of CAs for certificate generation. Read VMware knowledge base article Generating a Horizon View SSL certificate request using the Microsoft Management Console (MMC) Certificates snap-in (2068666), which shows the steps in the process.

Note: The App Volumes Manager server inherently trusts the Root Domain CA in this environment. The Root Domain CA directly issues the certificate in this example. In some cases, you may need to import intermediate certificates in the certificate chain. Microsoft has a good primer on the Hierarchy of Trust about this topic.

 

From the Manager server, open Microsoft MMC.

From the File menu, select Add/Remove Snap-in.

 

 

app-volumes-2-12-certificate-replacing-self-signed_02

 

 

Select the Certificates snap-in, and click Add.

 

 

app-volumes-2-12-certificate-replacing-self-signed_03

 

 

Select Computer account and click Next.

 

 

app-volumes-2-12-certificate-replacing-self-signed_04

 

 

Select Local computer and click Finish.

 

 

app-volumes-2-12-certificate-replacing-self-signed_05

 

 

From the Manager server, browse to and select Certificates.

From the Certificates folder, right-click Personal.

Select All Tasks > Advanced Operations > Create Custom Request.

 

app-volumes-2-12-certificate-replacing-self-signed_06

 

 

Select Proceed without enrollment policy.

 

 

app-volumes-2-12-certificate-replacing-self-signed_07

 

 

For Template, click the down-arrow, and select (No template) Legacy key.

For Request format, select PKCS #10.

 

 

app-volumes-2-12-certificate-replacing-self-signed_08

 

 

Expand Details, then click Properties.

 

 

app-volumes-2-12-certificate-replacing-self-signed_09

 

 

Enter a Friendly name, then click the Subject tab.

 

app-volumes-2-12-certificate-replacing-self-signed_10

 

In the Subject tab, under Subject name, is the field Type. Under Type is Full DN. Click Full DN.

 

 

app-volumes-2-12-certificate-replacing-self-signed_11

 

 

Enter the values in the following fields under Subject name, clicking Add after each value entry:

  • CN – This must be the FQDN of your Manager server.
  • Country (C)
  • Locality (L)
  • Organization (O)
  • Organizational Unit (OU)
  • State
 

app-volumes-2-12-certificate-replacing-self-signed_12

 

 

Next, click the Private Key tab.

Click Key options and complete the following fields:

Key size: 2048

Select Make private key exportable and click OK.

 

 

app-volumes-2-12-certificate-replacing-self-signed_13

 

 

From the Certificate Enrollment window, click Next.

For File Name, browse to the location where you will save the request file, and enter a file name. Click Save.

For File format, select Base 64, and click Finish.

 

 

app-volumes-2-12-certificate-replacing-self-signed_14

Step 2: Submit Certificate Request to a Microsoft CA

 

 

From the Manager server, open a Web browser and navigate to http://<CA>/CertSrv.

Click Request a certificate.

 

app-volumes-2-12-certificate-replacing-self-signed_15

 

 

Click advanced certificate request.

 

 

 

 

app-volumes-2-12-certificate-replacing-self-signed_16

 

 

Click Submit a certificate request by using a base-64-encoded….

 

 

 

 

app-volumes-2-12-certificate-replacing-self-signed_17

 

 

Leave open the Submit a Certificate Request or Renewal Request window.

Use Notepad to open the CSR you saved in Step 1.

 

 

 

 

 

app-volumes-2-12-certificate-replacing-self-signed_18

 

 

Copy all of the text, including the header and footer.

Be careful not to copy any extra spaces or leave out any characters during this process.

 

app-volumes-2-12-certificate-replacing-self-signed_19

 

 

Paste this data into the Saved Request field on the Submit a Certificate Request or Renewal Request window.

Change the Certificate Template to Web Server.

Click Submit.

 

 

 

 

 

app-volumes-2-12-certificate-replacing-self-signed_20

 

 

Select to download the certificate in Base 64 encoded format.

The P7B file will not be used in this exercise and is optional. You need only the CER file to continue because domain computers inherently trust the Root Domain CA.

 

app-volumes-2-12-certificate-replacing-self-signed_21

Step 3: Import New Certificate to Manager Server

 

 

From the Manager server, open Microsoft MMC.

Browse to Certificates.

Right-click Personal, and select All Tasks > Import.

 

 

 

 

 

 

 

app-volumes-2-12-certificate-replacing-self-signed_22

 

 

The Welcome to the Certificate Import Wizard appears. Select Local Machine and click Next.

 

 

 

 

app-volumes-2-12-certificate-replacing-self-signed_23

 

 

Browse to the CER file you downloaded in Step 2 and click Open.

 

 

 

 

app-volumes-2-12-certificate-replacing-self-signed_24

 

 

Follow the prompts to import the certificate. Click Finish. The import was successful message appears.

 

 

 

 

app-volumes-2-12-certificate-replacing-self-signed_25

Step 4: Export the Certificate and Private Key

 

 

Navigate to Personal > Certificates.

In the right pane, right-click the imported certificate and select All Tasks > Export.

 

app-volumes-2-12-certificate-replacing-self-signed_26

 

 

Follow the prompts to export the private key.

 

app-volumes-2-12-certificate-replacing-self-signed_27

 

 

Select Include all certificates….

Also, select Export all extended properties.

 

app-volumes-2-12-certificate-replacing-self-signed_28

 

 

 

Create a password to secure the exported private key.

Note: You will need this password in Step 5, when prompted for the “Import Password.”

 

app-volumes-2-12-certificate-replacing-self-signed_29

 

 

Export the key.

 

app-volumes-2-12-certificate-replacing-self-signed_30

Step 5: Extract the Certificate and Private Key from the PFX

While some CAs provide separate CRT and KEY files, the Microsoft CA produces a PFX file. In this example, a third-party tool called OpenSSL is used to extract the necessary files.

 

Launch OpenSSL with admin rights.

Run the command:

pkcs12 –in <file>.pfx –nocerts –out <keyfile>.key

Enter the Import Password. You created the Import Password in Step 4 when you exported the private key.

Next, create a PEM pass phrase and re-enter it to verify it. You will not see this pass phrase echoed in the window.

Note: The PEM pass phrase is a password created during this process. Be sure to make note of this, as it will be needed later.

 

app-volumes-2-12-certificate-replacing-self-signed_31

 

 

This command converts the private key (created in Step 4) to PEM format as required by App Volumes.

Run the command:

rsa –in <keyfile.key> -outform PEM –out <keyfile>PEM.key

When prompted, enter the (PEM) pass phrase that you just made note of.

 

app-volumes-2-12-certificate-replacing-self-signed_32

 

 

Now, you will extract the certificate.

Run the command:

pkcs12 –in <file>.pfx –clcerts –nokeys –out <certificate>.crt

Enter the Import Password.

 

app-volumes-2-12-certificate-replacing-self-signed_33

 

 

The following files should now be available.

 

app-volumes-2-12-certificate-replacing-self-signed_34

Step 6: Edit the App Volumes Manager nginx.conf File

Now that you have the necessary CRT and KEY files, you must configure App Volumes to use them rather than the self-signed certificate files used by default.

 

From the Manager server, under Services (Local), right-click App Volumes Manager, and select Stop.

 

 

 

app-volumes-2-12-certificate-replacing-self-signed_35

 

 

Make a backup copy of the nginx.conf file.

 

 

 

app-volumes-2-12-certificate-replacing-self-signed_36

 

 

Open the nginx.conf file with Notepad.

Locate the two lines referencing the self-signed certificate and private key.

 

 

 

app-volumes-2-12-certificate-replacing-self-signed_37

 

 

Modify the lines to reflect the new CRT and KEY files you extracted from the PFX file.

Be sure to include the entire path for each file.

Important: Be sure to include the trailing semi-colon.

Click Save.

 

 

app-volumes-2-12-certificate-replacing-self-signed_38

 

 

Start the App Volumes Manager service.

 

 

 

app-volumes-2-12-certificate-replacing-self-signed_39

Conclusion

The App Volumes Manager console should now open without the certificate warning.

Important: The App Volumes Manager shortcut, which is automatically placed on the desktop of the Manager server, opens your default browser to https://localhost/. Because “localhost” was not used for the CN attribute when you created the new certificate, this shortcut still displays a certificate warning. This is expected.

Likewise, if you browse to https://<Manager_IPaddress>/, you also get a certificate warning.

Instead, use https://<Manager_FQDN>/ for the App Volumes Manager. When you created the new certificate, the CN attribute contained the FQDN of the Manager server. Using this URL ensures that you will not get a certificate warning.

App Volumes 2.12 does not support using the IP Address attribute in the certificate Subject Alternative Name. Be sure to use the FQDN of the Manager server as the CN, and be sure to use the FQDN when installing the App Volumes Agent software.

Additional Information

For more detailed information about this process, watch the video Replacing the App Volumes 2.12 Default Self-Signed SSL Certificate.

For further information about the new SSL-certificate capability, see the App Volumes User Guide.

The post Replacing the Self-Signed Certificate in VMware App Volumes 2.12 appeared first on VMware End-User Computing Blog.

Leave a Reply

Your email address will not be published. Required fields are marked *