RachelW
Enthusiast

Certificates and BLAST

We are currently receiving a certificate error when connecting to our new Horizon 7.8 farm via a browser. It appears the certificate error relates to the Blast certificate. I have gone through this VMware KB (VMware Knowledge Base) and followed the steps on the golden image, but the error persists.

When I look at the certificate error via the Chrome browser, this is what it looks like:

[Screenshot: BlastCertError.jpg]

I have imported the Blast certificate into the Trusted Root Certificate and Intermediate Certificate stores on the golden image; however, the error persists. It already exists in the Personal certificate store. One of the strange things is that when I copy the thumbprint of our wildcard certificate for our local domain and paste it into the SslHash value of the HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Blast\Config registry key, the pasted value does not stay after a restart of the golden image.

The strange thing is that at one time this was working, but we do not know when it stopped working; possibly when we introduced the UAGs.

We are very frustrated and looking for any suggestions.

Thank you! 

6 Replies
cbaptiste
Hot Shot

Request a wildcard cert from your internal CA.
You cannot use the Blast certificate in your screenshot for that purpose. You are not following the KB, hence the issues you are having.

Change the Certificate on the virtual machine to satisfy SSL validation

Using a wildcard certificate is likely to be the most practical. If you are connecting to a virtual machine by hostname, a wildcard certificate should match.

For example: Hostname vm1.vm.company.com using a wildcard certificate *.vm.company.com or *.company.com should match.

This is also a very important step, as the View Agent by default connects using the IP address.

Update the View Agent ADM Template Settings for the Agent VMs

Enable the Connect using DNS Name GPO configuration setting.

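The host-name matching that the reply above relies on is what the browser performs against the certificate Blast presents, so it is worth being precise about it. The following PowerShell is an added example, not code from the thread or from VMware: it implements the wildcard rule browsers apply (RFC 6125 section 6.4.3, also RFC 2818), under which "*" is only accepted as the entire leftmost label and stands for exactly one label. The host names and patterns in it are made up.

```powershell
# Added example, not from the thread: how a browser decides whether a
# certificate name covers the host the user connected to. Implements the
# wildcard rule from RFC 6125 section 6.4.3 (also RFC 2818): '*' is allowed
# only as the complete leftmost label and matches exactly one label.
# All host names and patterns below are made up.

function Test-CertNameMatchesHost {
    param(
        [Parameter(Mandatory)][string]$CertName,   # a SAN dNSName, e.g. '*.vm.company.com'
        [Parameter(Mandatory)][string]$HostName    # the name the client connected to
    )
    $name   = $CertName.ToLowerInvariant().TrimEnd('.')
    $target = $HostName.ToLowerInvariant().TrimEnd('.')

    # No wildcard: the names must be identical
    if (-not $name.Contains('*')) { return ($name -eq $target) }

    # The wildcard must be the whole leftmost label ('*.x.y'), not 'vm*.x.y' or 'a.*.y'
    if (-not $name.StartsWith('*.') -or $name.Substring(2).Contains('*')) { return $false }

    $suffixLabels = $name.Substring(2).Split('.')   # 'vm.company.com' -> vm, company, com
    $targetLabels = $target.Split('.')
    if ($suffixLabels.Count -lt 2) { return $false }  # reject '*.com'

    # '*' replaces exactly one label, so the host needs exactly one label more than the suffix
    if ($targetLabels.Count -ne $suffixLabels.Count + 1) { return $false }
    return (($targetLabels | Select-Object -Skip 1) -join '.') -eq ($suffixLabels -join '.')
}

# Made-up host name and candidate certificate names
$hostUsed = 'vm1.vm.company.com'
foreach ($pattern in '*.vm.company.com', '*.company.com', 'vm1.vm.company.com', 'vm*.vm.company.com') {
    $ok = Test-CertNameMatchesHost -CertName $pattern -HostName $hostUsed
    '{0,-22} covers {1}: {2}' -f $pattern, $hostUsed, $ok
}
```

Two practical consequences for a Horizon deployment: a wildcard one level up (*.company.com) will not cover vm1.vm.company.com in a browser, and Chrome has ignored the certificate's CN since version 58, so the name or wildcard must appear in the Subject Alternative Name extension. Because the agent connects by IP address unless the "Connect using DNS Name" setting is enabled, no DNS-based certificate name can match until that setting is applied.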
RachelW
Enthusiast

We have a wildcard certificate for our domain (internal and external) applied to the machine, and following that KB I have copied the thumbprint of the wildcard cert to the SslHash for the Blast entry in the registry. The strange thing is that the SslHash value changes after a restart of the Blast service on the golden image or a reboot of the golden image. What would cause the value to change?

Regarding the "Connect using DNS Name" GPO setting, would this be for the image/desktops and NOT the connection servers?

cbaptiste
Hot Shot

I have been busy dealing with some issues at work. Did you ever get this resolved? I believe the SslHash registry value would revert if it cannot find the certificate in the store. Also, import the certificate as exportable.

Yes, that would be done on your golden image or perhaps your clones. Not sure if that is something that requires a reboot. I would do it on the parent image.

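The reply above gives the usual explanation for a reverting SslHash: Blast could not find the certificate it names in the machine store. Rather than guessing, the registry value, the store and the listener can be checked together. The PowerShell below is an added example, not code from the thread or from VMware. It assumes the registry path and value name quoted in the thread and that Blast listens on TCP 22443, its default (pass -Port if that was changed); run it in an elevated PowerShell on the golden image or a clone after the Blast service has been restarted.

```powershell
# Added example, not from the thread. Reads the SslHash value the thread is
# editing, checks that the certificate it names is really in the machine store
# with a private key and a chain this machine trusts, then connects to the
# local Blast listener and compares the certificate it actually presents.
# Assumptions: registry path and value name as quoted in the thread; Blast
# listening on TCP 22443, its default (override with -Port if yours differs).

$BlastRegPath = 'HKLM:\SOFTWARE\VMware, Inc.\VMware Blast\Config'

function Get-ServedCertificate {
    # Opens a TLS session and returns the leaf certificate the server sent.
    # The validation callback accepts everything on purpose: we are inspecting,
    # not trusting, so an untrusted chain must not abort the handshake.
    param([string]$ComputerName = 'localhost', [int]$Port = 22443)
    $client = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    try {
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $client.GetStream(), $false, $accept
        $ssl.AuthenticateAsClient($ComputerName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
    } finally {
        $client.Close()
    }
}

function Test-BlastCertificate {
    param([int]$Port = 22443)
    $sslHash  = (Get-ItemProperty -Path $BlastRegPath -ErrorAction Stop).SslHash
    $expected = ($sslHash -replace '\s', '').ToUpperInvariant()   # "ab cd .." -> "ABCD.."

    $state = [ordered]@{
        SslHash        = $sslHash
        InStore        = $false   # $false is the usual reason a pasted value "reverts"
        HasPrivateKey  = $false
        ChainValid     = $false
        Subject        = $null
        SubjectAltName = $null
        Served         = $null
        ServedMatches  = $false
    }

    $cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $expected }
    if ($cert) {
        $state.InStore       = $true
        $state.HasPrivateKey = $cert.HasPrivateKey
        $state.Subject       = $cert.Subject
        $san = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
        if ($san) { $state.SubjectAltName = $san.Format($false) }
        # Verify() builds and validates a chain against this machine's trust store:
        # the same check a browser performs, apart from the host-name comparison.
        $state.ChainValid = $cert.Verify()
    }

    try {
        $served = Get-ServedCertificate -Port $Port
        $state.Served        = $served.Thumbprint
        $state.ServedMatches = ($served.Thumbprint -eq $expected)
    } catch {
        $state.Served = "connect failed: $($_.Exception.Message)"
    }
    [pscustomobject]$state
}

Test-BlastCertificate | Format-List
```

Reading the output: InStore false means the thumbprint in SslHash does not exist in Cert:\LocalMachine\My, which matches the reverting behaviour described above; HasPrivateKey false means the certificate was imported without its key and cannot be served; ServedMatches false with InStore true usually means the VMBlast service has not been restarted since the value was set. ChainValid covers trust only, so a certificate can pass here and still fail in the browser if its SAN does not cover the name the client used.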
RhofmanZ
Contributor

Can you please try this script? You can add it as a startup script, computer policy.

As a prerequisite you will need to create a template that has an exportable private key and the DNS name as the certificate name.

Or you can adjust the "Computer template", but then you need to change the script.

This way it is not in the golden image.

<#
************************************************************************************************************************
Creator : Ralph Hofman
Company: RHofman IT
Created: 15-01-2020
Version:    1.0
Purpose:
# Change Log
  1. 1.0.0 - 15-01-2020    -   Initial Release.
************************************************************************************************************************
#>

$regPath  = "HKLM:\SOFTWARE\VMware, Inc.\VMware Blast\Config"

# Set hostname
$hostname = hostname

# Get the thumbprint of the newest certificate with a private key whose subject contains the host name.
# Selecting a single certificate matters: a store holding several matches would return an array
# and the thumbprint formatting below would fail.
function Get-HostCertThumbprint {
    param([string]$Name)
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Subject -match [regex]::Escape($Name) -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if ($cert) { $cert.Thumbprint }
}

# Insert a space between every 2 characters, just like a real thumbprint ("AB CD EF ...")
function Format-SslHash {
    param([string]$Thumbprint)
    $Thumbprint -replace '(..)(?!$)', '$1 '
}

$thumb = Get-HostCertThumbprint -Name $hostname
if ($null -eq $thumb) {
    Write-Host "No Thumbprint found"
    $regthumb = $null
} else {
    $regthumb = Format-SslHash $thumb
}

# Read the current thumbprint from the registry to compare
$currentThumb = (Get-ItemProperty -Path $regPath).SslHash

if ($regthumb -and $regthumb -eq $currentThumb) {
    Write-Host "Key is the same"
} else {
    # Request a computer-named certificate from the AD enrollment server
    # with the ComputerHorizon template
    # Template > issued by CA, subject name = DNS, private key = Exportable
    certreq -Enroll -machine -q "ComputerHorizon"

    # Get the thumbprint of the newly enrolled certificate
    $thumb = Get-HostCertThumbprint -Name $hostname
    if ($null -eq $thumb) {
        Write-Host "Enrollment did not produce a certificate for $hostname"
        exit 1
    }
    $regthumb = Format-SslHash $thumb

    # Fill the SslHash for Blast to use the computer-named certificate
    Set-ItemProperty -Path $regPath -Name "SslHash" -Value $regthumb

    # Restart the Blast service to take effect
    Restart-Service -Name VMBlast -Force
}

Kind regards,

Ralph Hofman

chsa_topsoe
Contributor

I also have this issue now. However, in my case, the impact is limited to HTML connections via the internal (non-UAG) route.

The first line in the resolution section of this KB article says "We would advise using blast secure gateway for HTML access to the machine."

Now, FIRST, I checked both my connection servers and saw the setting below set to "Do not use Blast Secure Gateway":

[Screenshot: chsa_topsoe_1-1637193226203.png]

So, should I change this to the second radio button, "Use Blast Secure Gateway for only HTML Access connections to machine"? Or why not the first radio button, to connect to machines via Blast? BSG is a good thing, I think, and there should be no harm in selecting the first radio button in that case.

If changing the above BSG setting helps to solve the original problem of "certificate issue for HTML connection via internal route", then I can leave the invalid Blast certificate as it is in the VDIs, I guess.

SECOND: My golden image is not registered on the domain, to avoid any GPOs. So, if a machine certificate is still needed, where is it suggested to create the CSR (not clear in the KB) for the internal CA's wildcard certificate? Should I create the CSR on the non-domain GI (the AD certificate template is not available there, so it would be a manually created certificate), or can the CSR also be created from any non-persistent VDI (domain-joined, of course), just remembering to preserve the private key in that case?

chsa_topsoe
Contributor

FYI, problem solved by changing the option in Horizon Admin console to the option "Use Blast Secure Gateway for only HTML Access connections to machine".

No action was taken on the Blast certificate. The HTML connections via the internal route started working with just the above change in my environment.

Thanks; just posting this comment in case someone ever faces this issue again.
