VMware Horizon Community
skwek
Contributor

Importing external certificate into VDM Security Server

Hello

I'm trying to import a PFX file using keytool which was generated outside of the VDM server. Is this possible? Or is there a way to export the private key from the PFX file with a password so I can use it in the VDM security server?

Thanks

eskay

9 Replies
TomHowarth
Leadership

How to use a trusted cert key is explained on page 58 of the VDM 2.1 admin manual.

Information inserted here in case you can't RTFM ;)

Installing SSL Certificates

The VDM Connection Server includes a self-signed SSL certificate that you can use the first time you connect. This certificate is not trusted by clients and does not have the correct name for the service, but it does allow connectivity. Replace these initial certificates with properly constructed certificates for the service. This removes the certificate check messages that users see and allows thin client devices to connect.

To install certificates, follow these high‐level steps:

1 Create a suitable Certificate Signing Request (CSR).

2 Submit the request to your Certificate Authority (CA) and receive the new certificate.

3 Import the certificate into the keystore for the VDM Connection Server.

4 Configure the VDM Connection Server to use this new certificate.

Creating the CSR

Deciding what name to bind to a CSR is an important consideration. A certificate binds the name of the service to a cryptographic key pair and, in doing so, assumes ownership of the service and keys. The client can trust the server (and its cryptographic key) because the CA independently determined that the organization that is claiming ownership requested the key.

The most important part of the CSR is the common name (CN) attribute. Use the name that the client computer uses to connect to the VDM Connection Server. In a single‐server environment, the name is typically the name of the server. If load balancing is being used, use the load‐balanced name.

To create the CSR

1 Using the Windows command prompt, create a new keystore containing a public‐private key pair:

%JAVA_HOME%\bin\keytool -genkey -keyalg "RSA" -keystore keys.p12 -storetype pkcs12 -storepass <secret> -validity 360

2 Answer the following questions:


What is your first and last name?
This is the CN attribute. Enter the server name or load‐balanced name, for example, server.vmware.com.
What is the name of your organizational unit?
This is information about where in your organization this server is being deployed. Your CA might have requirements for completing this field. For example, it might require the company’s domain name (for instance, vmware.com).
What is the name of your organization?
This might be your department or company name.
What is the name of your City or Locality?
Enter your location or leave blank (Unknown).
What is the name of your State or Province?
Enter your state information or leave blank (Unknown).
What is the two‐letter country code for this unit?
Enter your country code (GB, for example).

3 Confirm the full name, enter Yes, and press Enter. The keys.p12 file is created in the current directory.

4 Use the following key pair to create a CSR:

%JAVA_HOME%\bin\keytool -certreq -keyalg "RSA" -file certificate.csr -keystore keys.p12 -storetype pkcs12 -storepass secret

The certificate.csr file is created in the same location. Its contents are a PEM-encoded request, like the following example (base64 body omitted here):

-----BEGIN NEW CERTIFICATE REQUEST-----
[base64-encoded request body omitted]
-----END NEW CERTIFICATE REQUEST-----

5 (Optional) Back up the keys.p12 file after the certificate is imported into it in case you need to rebuild the configuration for the server at some point.

To submit the CSR and import the certificate

1 Contact your CA and provide the relevant information and a copy of the CSR generated in "To create the CSR" above.

2 Request a certificate in PKCS#7 format.

For testing purposes, Thawte provides a free CA at that generates a 21‐day SSL certificate based on an untrusted root. This is slightly better than the get‐you‐started certificate supplied with VDM because it now uses the correct name. However, clients still issue warnings that the service is not trusted.

3 Copy the contents of the generated file into a text editor and save it as certificate.p7.

The file looks like the following example (base64 body omitted here):

-----BEGIN PKCS7-----
[base64-encoded PKCS#7 body omitted]
-----END PKCS7-----

4 Import the certificate into the keystore using the following command (change the password and replace secret with another password):

%JAVA_HOME%\bin\keytool -import -keystore keys.p12 -storetype pkcs12 -storepass secret -keyalg "RSA" -trustcacerts -file certificate.p7

This operation might generate the following message:

... is not trusted. Install reply anyway?

This message is generated because the root certificate given to you is not trusted by Java because it is a test certificate and not for production use. Installing this certificate is allowed but might not provide a better user experience than the get‐you‐started certificate.

To configure the VDM Connection Server to use the new certificate

1 Place a new certificate file in the following location on each VDM Connection Server (standard, replica, or security server):

C:\Program Files\VMware\VMware VDM\Server\sslgateway\conf

2 Create or edit the following file on each server:

C:\Program Files\VMware\VMware VDM\Server\sslgateway\conf\locked.properties

3 Add the following properties:

keyfile=keys.p12
keypass=secret

Change these values as needed to match what you created in the previous step.

4 Restart the VDM service.

Assuming your environment is configured to use SSL, a log message like the following appears:
13:57:40,676 INFO <Thread-1> (NetHandler) Using SSL certificate store: keys.p12 with password of 6 characters
This message indicates that the configuration is in use.

If you found this or any other answer useful please consider the use of the Helpful or correct buttons to award points

Tom Howarth VCP / VCAP / vExpert
VMware Communities User Moderator
Blog: http://www.planetvm.net
Contributing author on VMware vSphere and Virtual Infrastructure Security: Securing ESX and the Virtual Environment
Contributing author on VCP VMware Certified Professional on VSphere 4 Study Guide: Exam VCP-410
skwek
Contributor

Hello Tom

I did indeed RTFM but my post is regarding a PFX file generated outside of the security server.

Thanks

-eskay

TomHowarth
Leadership

Can't you use my method? ;) I did spend a long time formatting it to look pretty, LOL.

In answer to your question, though, I do not think it can be done. However, why do you need to use a PFX request?

skwek
Contributor

I've got an existing wildcard certificate which was generated by another piece of software. The only way to export the certificate and the private key is in PFX format. Hence the requirement.

blublurr13
Contributor

Hello, I am having a problem importing my external cert into the VDM server. I have tried, and when performing the following step I get an error. Any ideas? I'm using a GoDaddy cert; see post for more details.

keytool -import -keystore keys.p12 -storetype pkcs12 -storepass <secret> -keyalg "RSA" -trustcacerts -file certificate.p7

I get the following error response:

keytool error: java.security.cert.CertificateException: java.io.IOException: DerInputStream.getLength(): lengthTag=126, too big.

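The message quoted above comes from Java's DER length decoder, which rejects any long-form length that uses more than four length bytes. The following Python is an added example, not from this thread, that mirrors that check and classifies a certificate or keystore file by its leading bytes before keytool is run; the samples are constructed, and a PEM file re-saved as UTF-16 text (bytes FF FE ...) is shown only as one input that yields exactly lengthTag=126, not as the confirmed cause of the poster's error. It also checks for the PKCS#12 version-3 header that a storetype pkcs12 keystore such as keys.p12 starts with.

```python
def der_length(data: bytes, pos: int):
    """Decode the DER length at data[pos]; mirrors Java's DerInputStream.getLength()."""
    first = data[pos]
    if first & 0x80 == 0:                      # short form: the byte is the length itself
        return first, pos + 1
    n = first & 0x7F                           # long form: n = number of length bytes that follow
    if n == 0:
        return -1, pos + 1                     # indefinite length (BER only, never valid DER)
    if n > 4:                                  # the test that makes keytool throw
        raise ValueError(f"DerInputStream.getLength(): lengthTag={n}, too big.")
    return int.from_bytes(data[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def keytool_style_check(data: bytes) -> str:
    """Decode the outer length exactly as keytool would and report its verdict."""
    try:
        der_length(data, 1)
        return "length ok"
    except ValueError as e:
        return "keytool error: java.security.cert.CertificateException: java.io.IOException: " + str(e)

def classify(data: bytes) -> str:
    """Identify the save format from the leading bytes before handing the file to keytool."""
    if not data:
        return "empty file"
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return "UTF-16 text with BOM (Notepad 'Unicode'), not DER"
    if data.lstrip().startswith(b"-----BEGIN"):
        return "PEM text (base64 between BEGIN/END markers)"
    if data[:1] != b"\x30":                    # 0x30 = SEQUENCE, outer tag of X.509, PKCS#7 and PKCS#12
        return "unknown: first byte 0x%02x is not a DER SEQUENCE tag" % data[0]
    length, body = der_length(data, 1)
    if length == len(data) - body:
        return "DER SEQUENCE, declared length matches file size"
    return f"DER SEQUENCE, but declared length {length} != {len(data) - body} bytes present"

def looks_like_pkcs12(data: bytes) -> bool:
    """True if the file opens like a PKCS#12 PFX (RFC 7292): SEQUENCE { INTEGER 3 (version), ... }."""
    if data[:1] != b"\x30":
        return False
    try:
        _, body = der_length(data, 1)
    except ValueError:
        return False
    return data[body:body + 3] == b"\x02\x01\x03"

# Constructed samples (not real certificates): a PEM file re-saved by Notepad as Unicode
# starts FF FE 2D 00 ..., and 0xFE & 0x7F is 126, the lengthTag in the error quoted above.
UNICODE_PEM = b"\xff\xfe-\x00-\x00-\x00-\x00-\x00B\x00E\x00G\x00I\x00N\x00"
TINY_PFX_HEADER = b"\x30\x03\x02\x01\x03"      # SEQUENCE { INTEGER 3 }, the start of any PFX
```

Run classify() and keytool_style_check() over the first few hundred bytes of the .p7 or .p12 file you are about to import; a verdict other than "DER SEQUENCE" or "PEM text" means the file was saved in the wrong format.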
drewsalem
Contributor

blublurr13,

I had a similar error and had to use a 1024-bit cert to get it to import into the keystore. It worked; however, I am having other issues now. I hope you have better luck than myself.

~drewsalem

jjovanovski
Contributor

Not sure if you guys have figured this out already but after lots of trial and error I did eventually figure this out.

There are some steps that the "View Manager Administration Guide" should have included but they are close. I used "View Manager 3.1" version of the document with the following changes.

The following process assumes that you have installed an internal View Connection Server and the View Security Server software on a machine in your DMZ.

If you have an existing SSL certificate follow the below process:

1. Right click your SSL certificate from IIS or Windows Server using the Certificates Snap-in, select All Tasks > Export

2. On the Welcome Screen click Next

3. On the Export Private Key screen, select "Yes, export the private key", click Next

4. On the Export File Format screen, PFX will be selected, check both "Include all certificates in the certification path if possible" and "Export all extended properties" and click Next

5. Type and confirm a password, click Next. (Note: You will need to remember this password for Step 10.)

6. Enter a name and folder path for the exported certificate, click Next

7. Click Finish.

8. Copy the exported certificate to C:\Program Files\VMware\VMware View\sslgateway\conf on your View Security Server.

9. Create or edit the file C:\Program Files\VMware\VMware View\sslgateway\conf\locked.properties

10. Add the following properties to locked.properties

keyfile=<name of exported certificate from Step 6>

keypass=<password used in Step 5>

11. Restart the View Connection Service on the security server.

12. Connect to your published and enjoy the wonder of virtual desktops.

That should be it. Don't worry about converting your certificate to .pem and importing it into the Java Keystore. It is completely unnecessary.

JJ

Roy_Stillwell
Contributor

This worked perfectly in my environment. Thanks jjovanovski!

HiGhLaNdR
Contributor

So simple... been using keytool without success and it was so straight forward.

It worked like a charm!

Thanks.
