VMware Horizon Community
blublurr13
Contributor

View 3.0 SSL Setup Help

Hello everyone, I have just recently set up my View environment and everything is working, but I wanted to get rid of the self-signed SSL cert that is loaded by default and replace it with our own so that the SSL error does not appear in the web browser for our users.

I have followed the steps in the View admin guide to the best of my knowledge, but when it comes time to run this command:

keytool -import -keystore keys.p12 -storetype pkcs12 -storepass <secret> -keyalg "RSA" -trustcacerts -file certificate.p7

I get the following error response:

keytool error: java.security.cert.CertificateException: java.io.IOException: DerInputStream.getLength(): lengthTag=126, too big.

When I signed up for my SSL cert from GoDaddy I received 2 files, "vdi.domain.com.crt" and "gd_iis_intermediates.p7b", the latter of which appears to be the PKCS7 format file that it wants renamed to certificate.p7. Not sure where to go from here; does anyone see what I'm missing?

Thanks

12 Replies
blublurr13
Contributor

Someone please help me... :)

TomHowarth
Leadership

Have you got this issue sorted yet? I have moved this question to the View Manager forum.

If you found this or any other answer useful please consider the use of the Helpful or correct buttons to award points

Tom Howarth

VMware Communities User Moderator

Blog: www.planetvm.net

Tom Howarth VCP / VCAP / vExpert
Contributing author on VMware vSphere and Virtual Infrastructure Security: Securing ESX and the Virtual Environment
Contributing author on VCP VMware Certified Professional on VSphere 4 Study Guide: Exam VCP-410
tonstad
Contributor

Hi,

Here are the steps I used to enable SSL using an internal CA server.

1) Set path to keytool

2) Generate certificate store:

"keytool -genkey -keyalg "RSA" -keystore keys.p12 -storetype pkcs12 -validity 360"

3) Generate a certificate request:

"keytool -certreq -keyalg "RSA" -file view.csr -keystore keys.p12 -storetype pkcs12 -storepass vmware2008"

4) Using Windows Cert Server, select advanced, and "Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file."

Download the certificate chain and store the file as a .P7 file.

5) Import the certificate:

"keytool -import -keystore keys.p12 -storetype pkcs12 -storepass vmware2008 -keyalg "RSA" -trustcacerts -file view-keys.p7"

6) Copy cert store (view-keys.p12) to C:\Program Files\VMware\VMware View\Server\sslgateway\conf\

7) Create the locked.properties file and add the following:

keyfile=view-keys.p12

keypass=vmware2008

8) Restart VMware Connection Server.

blublurr13
Contributor

Thanks. It appears that it has something to do with GoDaddy's SSL certificate; they use an intermediate CA certificate and I could not get it to work properly. I tried the FREE 21-day trial SSL cert that Thawte provides and it worked perfectly right from the start, so I went ahead and purchased an SSL cert from them. Wish I could have used the GoDaddy one for $29 a year instead of Thawte for $149 a year, but I guess you get what you pay for, right? :) Wasted 4 days of my life on this crap... :) Thanks again for the help though, and at least I hope this will help someone in the future that uses a GoDaddy cert.

Hey, if anyone is ever able to get a GoDaddy cert to work, post it up so I can use them next year when the renewal is up.

mg123
Contributor

I was able to use a GoDaddy SSL cert as follows.

You cannot add an untrusted cert to a pkcs12 keystore:

C:\Program Files\VMware\VMware View\Server\jre\bin>keytool -import -keystore keys.p12 -storetype pkcs12 -storepass yourstorepassword -keyalg "RSA" -trustcacerts -file yourfile.crt

keytool error: java.lang.Exception: Failed to establish chain from reply

You cannot add gd_bundle.crt to a pkcs12 keystore; it will not accept root or intermediate certs.

You have to install the gd_bundle.crt into the default cacerts store (changeit is the default password):

C:\Program Files\VMware\VMware View\Server\jre\lib\security>keytool -import -file gd_bundle.crt -keystore cacerts

Enter keystore password: changeit

Certificate was added to keystore

Then you can go back and add the cert. Once the cert is added to the store change locked.properties and you should be all set.

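Both errors in this thread come down to what keytool is handed: the opening post's "DerInputStream.getLength(): lengthTag=126, too big." is Java's DER reader rejecting the length byte it found, and mg123's "Failed to establish chain from reply" is keytool failing to link the reply back to a trusted issuer. The Python below is an added example, not code from this thread or from VMware. It re-implements the DER length rule that produces the "lengthTag=N, too big." message (Java's DerInputStream.getLength allows at most four long-form length bytes), classifies a file as PEM, DER or neither before you hand it to keytool, and checks that consecutive certificates in a PEM bundle actually chain (each issuer equals the next subject, leaf first), which is the linkage keytool has to establish before it accepts a reply. The sample certificates are constructed, certificate-shaped DER with no real signature, the host and CA names are placeholders, and the UTF-16 case illustrates one way a file ends up starting with bytes FF FE (tag 0xFF, length byte 0xFE, i.e. lengthTag 126); whether that is what happened to the poster's file, the thread does not say.

```python
"""Look at a certificate file the way keytool's DER reader does. Added example
(not from the thread or VMware); stdlib only; sample certs are constructed, not real."""
import base64
import re

SEQUENCE, INTEGER, BIT_STRING, UTF8STRING, CONTEXT0 = 0x30, 0x02, 0x03, 0x0C, 0xA0

def der_length(data, pos):
    """DER length at data[pos] -> (length, value offset). Same rule as Java's
    DerInputStream.getLength(): the long form allows at most four length bytes."""
    first = data[pos]
    if first & 0x80 == 0:                       # short form: the byte is the length
        return first, pos + 1
    n = first & 0x7F                            # long form: n length bytes follow
    if n == 0:
        raise ValueError("indefinite length is BER, not DER")
    if n > 4:
        raise ValueError(f"DerInputStream.getLength(): lengthTag={n}, too big.")
    return int.from_bytes(data[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def der_read(data, pos=0):
    """Read one TLV at pos -> (tag, value bytes, offset after the element)."""
    tag = data[pos]
    length, start = der_length(data, pos + 1)
    return tag, data[start:start + length], start + length

def der_children(value):
    """Split a constructed element's contents into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out

def der_tlv(tag, value):
    """Encode one TLV, using the long length form when the value is 128+ bytes."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def fake_cert(subject, issuer, serial):
    """Constructed certificate-shaped DER, not a real X.509 certificate:
    SEQUENCE { SEQUENCE { [0] v3, serial, sigalg, issuer, validity, subject, spki }, sigalg, sig }."""
    def name(s):
        return der_tlv(SEQUENCE, der_tlv(UTF8STRING, s.encode()))
    empty = der_tlv(SEQUENCE, b"")                # stands in for sigalg and validity
    tbs = (der_tlv(CONTEXT0, der_tlv(INTEGER, b"\x02")) + der_tlv(INTEGER, bytes([serial]))
           + empty + name(issuer) + empty + name(subject)
           + der_tlv(SEQUENCE, b"\x00" * 200))    # zero filler forces the long length forms
    return der_tlv(SEQUENCE, der_tlv(SEQUENCE, tbs) + empty + der_tlv(BIT_STRING, b"\x00" * 65))

def cert_names(der):
    """(issuer, subject) as raw DER Name contents of a certificate."""
    tag, cert, _ = der_read(der)
    if tag != SEQUENCE:
        raise ValueError(f"not a certificate: outer tag 0x{tag:02x}")
    fields = [v for t, v in der_children(der_children(cert)[0][1]) if t != CONTEXT0]
    return fields[2], fields[4]                   # serial, sigalg, ISSUER, validity, SUBJECT, spki

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def pem_wrap(label, der):
    b64 = base64.b64encode(der)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return b"-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label.encode(), body, label.encode())

def pem_blocks(data):
    return [(m.group(1).decode(), base64.b64decode(m.group(2))) for m in PEM_RE.finditer(data)]

def inspect(data):
    """Classify a file as PEM (with its labels), one DER element, or neither."""
    blocks = pem_blocks(data)
    if blocks:
        return {"format": "PEM", "labels": [label for label, _ in blocks]}
    try:
        tag, _, end = der_read(data)
    except (ValueError, IndexError) as exc:
        return {"format": "not DER", "error": str(exc)}
    return {"format": "DER", "tag": f"0x{tag:02x}", "complete": end == len(data)}

def chain_order_ok(bundle):
    """True when the bundle runs leaf -> intermediate -> root (each issuer is the next subject)."""
    names = [cert_names(der) for label, der in pem_blocks(bundle) if label == "CERTIFICATE"]
    return len(names) > 1 and all(names[i][0] == names[i + 1][1] for i in range(len(names) - 1))

# Constructed sample chain; host and CA names are placeholders, not a real CA's names.
LEAF = fake_cert("vdi.example.com", "Example Intermediate CA", 1)
INTERMEDIATE = fake_cert("Example Intermediate CA", "Example Root CA", 2)
ROOT = fake_cert("Example Root CA", "Example Root CA", 3)
GOOD_BUNDLE = b"".join(pem_wrap("CERTIFICATE", c) for c in (LEAF, INTERMEDIATE, ROOT))
BAD_BUNDLE = pem_wrap("CERTIFICATE", INTERMEDIATE) + pem_wrap("CERTIFICATE", LEAF)  # wrong order
# The same PEM text saved as UTF-16 with a byte-order mark starts FF FE: a DER reader sees
# tag 0xFF and length byte 0xFE, i.e. lengthTag=126 (an illustration, not the poster's file).
UTF16_TEXT = b"\xff\xfe" + GOOD_BUNDLE.decode("ascii").encode("utf-16-le")

if __name__ == "__main__":
    for label, blob in (("PEM bundle", GOOD_BUNDLE), ("leaf DER", LEAF), ("UTF-16 text", UTF16_TEXT)):
        print(f"{label:12} {inspect(blob)}")
    print("good order:", chain_order_ok(GOOD_BUNDLE), " bad order:", chain_order_ok(BAD_BUNDLE))
```

Run it against the real files before importing: a result of "not DER" with a lengthTag message means the file is not what keytool expects as DER (text in a non-ASCII encoding, or otherwise damaged), and a PEM bundle whose blocks do not chain in order is worth reordering or splitting, so that the leaf goes into the PKCS12 reply and the intermediates and root into the trust store, before keytool is asked to establish the chain.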
tonstad
Contributor

I am at a conference until 27.02 and am only partially available.

Best regards

Asbjørn Tonstad

dtabata
Contributor

I got our GoDaddy certificates to work using a combination of information from this thread, KB article 1004836, and help from someone at VMware's tech support.

I'll briefly outline the steps I took.

Create the csr.

keytool -genkey -keyalg "RSA" -keystore keys.p12 -storetype pkcs12 -validity 360

keytool -certreq -keyalg "RSA" -file certificate.csr -keystore keys.p12 -storepass <secret> -alias <alias>

(use your password in place of <secret> and any alias instead of <alias>)

The certificate errored when I tried to import it without the alias argument.

Submit certificate.csr to GoDaddy (refer to KB 1004836).

Create a PKCS12 certificate from , and choose Tomcat as web server type when exporting the certificate.

Import the godaddy cert (refer to KB 1004836)

Open the certificate file (yourdomain.crt) in Windows Explorer.

Click Details > Copy to File.

Click PKCS7.

Select Include Details of Certificate.

Save the file with a .P7B extension.

Run the keytool import command

keytool -import -keystore keys.p12 -storetype pkcs12 -storepass <secret> -keyalg "RSA" -alias <alias> -trustcacerts -file certificate.p7b

(use the same <secret> and <alias> from when you created the csr)

I tried to import it the way that mg123 suggested before following the steps I listed above. You may need to import the gd_bundle.crt.

Hope that helps someone else. I wasted a few days messing around with this before finally getting it to work.

jjgunn
Enthusiast

Thank you tonstad!

6) Copy cert store (view-keys.p12) to C:\Program Files\VMware\VMware View\Server\sslgateway\conf\

7) Create the locked.properties file and add the following:

keyfile=view-keys.p12

keypass=vmware2008

8) Restart VMware Connection Server.

That is the one step I missed. I was on hold with vmware when I read this and resolved it before they answered the phone.

Appreciate your post!

vmview administrator 3.1.1 was completely down & inaccessible after installing the certificate until I did this.

AUPhil
Enthusiast

"vmview administrator 3.1.1 was completely down & inaccessible after installing the certificate until I did this."

Do you mind if I ask which "this" you are speaking of in your post? You seem to have 3 steps.

Thanks,

Phil

jjgunn
Enthusiast

Perform all steps above

Restart VMware Connection Server

These steps (provided by Tonstad) resolved the SSL cert issue for me. Hope this is helpful for you

AUPhil
Enthusiast

Thanks.

I get stuck on Tonstad's procedure between step 4 and 5. I still get the "too big" error the OP mentioned.

I'm using ipsCA's free *.edu certificate program, so I can't really complain.

I may have to open a case with VMware support on this one.

I don't (knowingly) have Windows Cert Server installed or running.

What's confusing is that ipsCA sends the certificates back as PKCS12, yet the VMware View instructions seem to indicate that they must be converted to p7b format before being imported back into a "keystore.p12" file... no?

Thanks,

Phil

fookanen
Contributor

The instructions for setting up SSL on View involve creating a CSR within keytool, which in turn is submitted to a CA. In my case I needed to import a pre-existing wildcard certificate and key. For the wildcard cert, I created a CSR with a private key; I will refer to the private key as rsa.key. Once the CSR has been processed by the CA, the CA will most likely issue the cert in PEM form (ASCII text), which I will refer to as asciicert.pem.

Once you have the asciicert.pem signed by the CA, you can use openssl to import the certificate and private key into a PKCS12 store using the following command:

openssl pkcs12 -export -in asciicert.pem -inkey rsa.key -out opensslcertkey.p12

You will then need to take the opensslcertkey.p12 and convert it using keytool to a keystore that keytool can understand. IMPORTANT: You will need to use a keytool.exe that ships with at least Java version 6 (jre-1.6) since the older versions of keytool do not support importing PKCS12 formats. In my case, the View 3.1 server ships with Java 5 and the keytool.exe was not able to perform the conversion. Therefore I simply used the keytool.exe on my workstation since it is Java 6. Here is the command that I used:

keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore keys.p12 -srckeystore c:\Path\To\opensslcertkey.p12 -srcstoretype PKCS12 -storetype pkcs12 -srcstorepass <rsa.key_password> -alias 1

You can then copy the newly created keys.p12 file from your workstation to the conf directory and create the locked.properties file specifying keys.p12 and the destkeypass.

Hope this helps someone, as I spent many hours trying to get the built-in Java (1.5) keytool to work, to no avail.
