12 Replies Latest reply on Dec 15, 2009 7:47 AM by fookanen

    View 3.0 SSL Setup Help

    blublurr13 Novice

       

      Hello everyone, I have just recently set up my VIEW environment and everything is working, but I wanted to replace the self-signed SSL cert that is loaded by default with our own so that the SSL error does not appear in the web browser for our users.

       

       

      I have followed the steps in the View admin guide to the best of my knowledge, but when it comes time to run this command:

       

       

      keytool -import -keystore keys.p12 -storetype pkcs12 -storepass <secret> -keyalg "RSA" -trustcacerts -file certificate.p7

       

       

      i get the following error response:

       

       

      keytool error: java.security.cert.CertificateException: java.io.IOException: DerInputStream.getLength(): lengthTag=126, too big.

       

       

      When I signed up for my SSL cert from GoDaddy I received 2 files, the "vdi.domain.com.crt" and "gd_iis_intermediates.p7b" file, which appears to be the PKCS7 format key that it wants to have renamed to certificate.p7. Not sure where to go from here. Anyone see what I'm missing?

       

       

       

       

       

      Thanks

       

       

        • 1. Re: View 3.0 SSL Setup Help
          blublurr13 Novice

          Someone please help me...

          • 2. Re: View 3.0 SSL Setup Help
            TomHowarth Guru
            vExpertUser Moderators

            Have you got this issue sorted yet?  I have moved this question to the View Manager forum

             

             

             

             

            If you found this or any other answer useful please consider the use of the Helpful or correct buttons to award points

             

            Tom Howarth

            VMware Communities User Moderator

            Blog: www.planetvm.net

            • 3. Re: View 3.0 SSL Setup Help
              tonstad Novice

              Hi,

               

              Here are the steps I used to enable SSL using an internal CA server.

               

              1) Set path to keytool

               

              2) Generate certificate store:

              "keytool -genkey -keyalg "RSA" -keystore keys.p12 -storetype pkcs12 -validity 360"

               

              3) Generate a certificate request:

              "keytool -certreq -keyalg "RSA" -file view.csr -keystore keys.p12 -storetype pkcs12 -storepass vmware2008"

               

              4) Using Windows Cert Server, select advanced, and "Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file."

               

              Download the certificate chain and store the file as a .P7 file

               

              5) Import the certificate:

              "keytool -import -keystore keys.p12 -storetype pkcs12 -storepass vmware2008 -keyalg "RSA" -trustcacerts -file view-keys.p7"

               

              6) Copy cert store (view-keys.p12) to C:\Program Files\VMware\VMware View\Server\sslgateway\conf\

               

              7) Create the locked.properties file and add the following:

               

              keyfile=view-keys.p12

              keypass=vmware2008

               

              8) Restart VMware Connection Server

              • 4. Re: View 3.0 SSL Setup Help
                blublurr13 Novice

                 

                Thanks. It appears that it has something to do with GoDaddy's SSL certificate; they use an intermediate CA certificate and I could not get it to work properly. I tried the FREE 21 day trial SSL cert that Thawte provides and it worked perfectly right from the start, so I went ahead and purchased an SSL cert from them. Wish I could have used the GoDaddy for $29 a year instead of Thawte for $149 a year, but guess you get what you pay for, right? Wasted 4 days of my life on this crap. Thanks again for the help though, and at least I hope this will help someone in the future that uses a GoDaddy cert.

                 

                 

                Hey, if anyone is ever able to get a GoDaddy cert to work, post it up so I can use them for next year when renewal is up.

                 

                 

                • 5. Re: View 3.0 SSL Setup Help
                  mg123 Novice

                   

                  I was able to use a godaddy ssl cert as follows

                   

                   

                  You cannot add an untrusted cert to a pkcs12 keystore

                   

                   

                  C:\Program Files\VMware\VMware View\Server\jre\bin>keytool -import -keystore keys.p12 -storetype pkcs12 -storepass yourstorepassword -keyalg "RSA" -trustcacerts -file yourfile.crt

                   

                   

                  keytool error: java.lang.Exception: Failed to establish chain from reply

                   

                   

                  You cannot add gd_bundle.crt to a pkcs12 keystore; it will not accept root or intermediate certs.

                   

                   

                  You have to install the gd_bundle.crt to the default cacert store (changeit is the default password)

                   

                   

                  C:\Program Files\VMware\VMware View\Server\jre\lib\security>keytool -import -file gd_bundle.crt -keystore cacerts

                   

                   

                  Enter keystore password:  changeit

                   

                   

                  Certificate was added to keystore

                   

                   

                   

                   

                   

                  Then you can go back and add the cert. Once the cert is added to the store change locked.properties and you should be all set.

                   

                   

                  • 6. Re: View 3.0 SSL Setup Help
                    tonstad Novice

                    I am at a conference until 27.02 and am only partially available.

                     

                    Mvh / Best Regards

                    Asbjørn Tonstad

                    • 7. Re: View 3.0 SSL Setup Help
                      dtabata Lurker

                       

                      I got our godaddy certificates to work using a combination of information from this thread, kb article 1004836, and the help from someone at vmware's tech support.

                       

                       

                      I'll briefly outline the steps I took.

                       

                       

                      Create the csr.

                      keytool -genkey -keyalg "RSA" -keystore keys.p12 -storetype pkcs12 -validity 360

                      keytool -certreq -keyalg "RSA" -file certificate.csr -keystore keys.p12 -storepass <secret> -alias <alias>

                      (use your password in place of <secret> and any alias instead of <alias>)

                      The certificate errored when I tried to import it without the alias argument.

                       

                       

                      Submit certificate.csr to GoDaddy (refer to KB 1004836)

                      Create a PKCS12 certificate from http://www.godaddy.com/, and choose Tomcat as web server type when exporting the certificate.

                       

                       

                      Import the godaddy cert (refer to KB 1004836)

                      Open the certificate file (yourdomain.crt) in Windows Explorer.

                      Click Details > Copy to File.

                      Click PKCS7.

                      Select Include Details of Certificate.

                      Save the file with a .P7B extension.

                      Run the keytool import command

                      keytool -import -keystore keys.p12 -storetype pkcs12 -storepass <secret> -keyalg "RSA" -alias <alias> -trustcacerts -file certificate.p7b

                      (use the same <secret> and <alias> from when you created the csr)

                       

                       

                      I tried to import it the way that mg123 suggested before following the steps I listed above.  You may need to import the gd_bundle.crt.

                       

                       

                      Hope that helps someone else.  I wasted a few days messing around with this before finally getting it to work.

                       

                       

                      • 8. Re: View 3.0 SSL Setup Help
                        jjgunn Enthusiast

                         

                        Thank you tonstad!

                         

                         

                        6) Copy cert store (view-keys.p12) to C:\Program Files\VMware\VMware View\Server\sslgateway\conf\

                         

                         

                        7) Create the locked.properties file and add the following:

                         

                        keyfile=view-keys.p12

                        keypass=vmware2008

                         

                        8) Restart VMware Connection Server

                         

                         

                        That is the one step I missed. I was on hold with vmware when I read this and resolved it before they answered the phone.

                         

                         

                        Appreciate your post!

                         

                         

                        vmview administrator 3.1.1 was completely down & inaccessible after installing the certificate until I did this.

                         

                         

                        • 9. Re: View 3.0 SSL Setup Help
                          AUPhil Enthusiast

                           

                          "vmview administrator 3.1.1 was completely down & inaccessible after installing the certificate until I did this."

                           

                           

                          Do you mind if I ask which "this" you are speaking of in your post? You seem to have 3 steps.

                           

                           

                          Thanks,

                          Phil

                           

                           

                          • 10. Re: View 3.0 SSL Setup Help
                            jjgunn Enthusiast

                            Perform all steps above

                             

                            Restart VMware Connection Server

                             

                            These steps (provided by Tonstad) resolved the SSL cert issue for me. Hope this is helpful for you

                            • 11. Re: View 3.0 SSL Setup Help
                              AUPhil Enthusiast

                               

                              Thanks.

                               

                               

                              I get stuck on Tonstad's procedure between step 4 and 5. I still get the "too big" error the OP mentioned.

                               

                               

                              I'm using ipsCA's free *.edu certificate program, so I can't really complain.

                               

                               

                              I may have to open a case with VMware support on this one.

                               

                               

                              I don't (knowingly) have Windows Cert Server installed or running.

                               

                               

                              What's confusing is that ipsCA sends the certificates back as pkcs12 yet the VMware View instructions seem to indicate that they must be converted to p7b format before being imported back into a "keystore.p12" file......no?

                               

                               

                              Thanks,

                               

                               

                              Phil
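
Added example (not part of any post in this thread, and not VMware or keytool code): a format sniffer for certificate files that can be run before a keytool import. It assumes a strict DER reader rejects length fields longer than four bytes, which is the condition the "too big" message reports, and it shows one byte pattern, a UTF-16 byte-order mark, that yields exactly lengthTag=126 under that rule. The function names and the labels they return are hypothetical.

```python
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")
PKCS7_SIGNED_DATA = bytes.fromhex("06092a864886f70d010702")  # OID 1.2.840.113549.1.7.2

def der_length(buf, pos):
    """Decode the DER length field at buf[pos]; return (length, next_pos)."""
    first = buf[pos]
    if first & 0x80 == 0:                 # short form: the byte is the length
        return first, pos + 1
    n = first & 0x7F                      # long form: low 7 bits count the length bytes
    if n == 0:
        raise ValueError("indefinite length is not valid DER")
    if n > 4:                             # assumption: reader caps length at 4 bytes
        raise ValueError(f"lengthTag={n}, too big")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def der_complaint(data):
    """Error a strict DER reader raises on the first tag/length pair, or None."""
    try:
        der_length(data, 1)
    except (ValueError, IndexError) as exc:
        return str(exc)
    return None

def classify(data):
    """Label the real container format of a certificate file, whatever its extension."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return "utf16-text"               # e.g. PEM text re-saved as "Unicode" by an editor
    m = PEM_RE.search(data[:256])
    if m:
        return "pem:" + m.group(1).decode("ascii")
    if data[:1] != b"\x30" or der_complaint(data):
        return "unknown"
    _, body = der_length(data, 1)
    if data.startswith(PKCS7_SIGNED_DATA, body):
        return "der:pkcs7"                # certificate chain (.p7b)
    if data[body:body + 3] == b"\x02\x01\x03":
        return "der:pkcs12"               # PFX version 3: keys plus certificates
    if data[body:body + 1] == b"\x30":
        return "der:x509-family"          # certificate; CSR and CRL share this prefix
    return "der:other"

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            head = fh.read(4096)
        print(path, classify(head), der_complaint(head) or "")
```

Run it with the file paths as arguments; a label that does not match the extension (for example "der:pkcs12" on a file named .p7b) means the file needs converting before the import step.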

                               

                               

                              • 12. Re: View 3.0 SSL Setup Help
                                fookanen Lurker

                                 

                                The instructions for setting up SSL on View involve creating a CSR within keytool which in turn is submitted to a CA.  In my case I needed to import a pre-existing wildcard certificate and key.  For the wildcard cert, I created a CSR with a private key; I will refer to the private key as rsa.key.  Once the CSR has been processed by the CA, the CA will most likely issue the cert in PEM form (ASCII text), which I will refer to as asciicert.pem.

                                 

                                 

                                Once you have the asciicert.pem signed by the CA, you can use openssl to import the certificate and private key into a PKCS12 store using the following command:

                                 

                                 

                                openssl pkcs12 -export -in asciicert.pem -inkey rsa.key -out opensslcertkey.p12

                                 

                                 

                                  You will then need to take the opensslcertkey.p12 and convert it using keytool to a keystore that keytool can understand.  IMPORTANT: You will need to use a keytool.exe that ships with at least Java version 6 (jre-1.6) since the older versions of keytool do not support importing PKCS12 formats.   In my case, the View 3.1 server ships with Java 5 and the keytool.exe was not able to perform the conversion.  Therefore I simply used the keytool.exe on my workstation since it is Java 6.  Here is the command that I used:

                                 

                                 

                                keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore keys.p12 -srckeystore c:\Path\To\opensslcertkey.p12 -srcstoretype PKCS12 -storetype pkcs12 -srcstorepass <rsa.key_password> -alias 1

                                 

                                 

                                You can then copy the newly created keys.p12 file from your workstation to the conf directory and create the locked.properties file specifying keys.p12 and the destkeypass.

                                 

                                 

                                 

                                 

                                 

                                Hope this helps someone, as I spent many hours trying to get the built-in Java (1.5) keytool to work, to no avail.