I installed the new VMware Horizon View 6.0.1.
On the connection server normally you can replace the standard certificate with a custom certificate.
Normally the only thing we need to do is change the friendly name to vdm and restart the services.
I did this and when starting the VMware Horizon View Blast Secure Gateway service I get an error.
Windows could not start the VMware Horizon Blast Secure Gateway service on Local Computer.
In the absg.log I see the following message: keystoreutil.exe failed to load certificate from [ 'windows-local-machine', 'MY', 'vdm' ] 1 Failed to acquire private key handle (error 2148073492)
Has someone seen this before?
Three Requirements for Certificates
Subject Alternative Name: FQDN or the URL connecting to
Refer to this, applicable for 6.0: http://pubs.vmware.com/view-52/topic/com.vmware.ICbase/PDF/horizon-view-52-obtaining-certificates.pd...
All three requirements are met for my certificate.
Friendly name = vdm
SAN = servername shortname + FQDN + generic url
Private key is marked as exportable.
Also tried to generate the certificate on a Windows 2008 R2 server instead of my Windows 2012 R2 (View Connection Server).
Is this the procedure you are following: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=203240...?
Are you importing the certificate to the right store (local computer (physical))?
If you have imported it wrongly, and moved the certificate later on, it can give you some permissions errors (like this) – simply try re-importing the certificate.
Yes, I used this procedure.
I have imported the certificate multiple times over and over again.
I also tried to run the Blast secure gateway service as a domain account (with local admin rights on the server) without success.
Still unable to start the service.
The VDI management admin page https://localhost/admin displays "This page can't be displayed".
When I switch back to the self-generated certificate (installed by the setup), all this works fine.
No idea why I cannot use my own internal certificate for this.
I've had this problem in the past and it was because the private key wasn't exportable.
Can you check it's definitely exportable by importing into the Computer certificate store and then trying to export it from the store. If 'Yes, export the private key' is greyed out then the private key is not exportable and the View Connection server is unable to apply the certificate as expected.
In the end this was down to how I obtained the certificate from the PKI in the first instance...think it was down to the format I had the certificate at (sorry, can't remember which format worked).
Thank you, I had this problem too until now. (VMware 5.5, Blast and View 5.3)
Certificate expired, importing new certificate.
Could not get Secure Gateway or Connection Server running, stuck in "paused", in fact SG appears to blue screen and restart every few hours(?).
Same error in log about not being able to get key.
The solution, finally, was to check "make private key exportable" when importing the same new (Thawte signed) certificate into the Certificate Stores for those two servers.
Obviously I missed that step with previous instructions.
Very important, thank you again.
For me this was either a bad cert import or UAC interfering with the cert import, disabled UAC, deleted and re-imported the cert and the error went away (unfortunately not my overall issue) but I was able to get my VMware Horizon View Blast Secure Gateway service to run and not get stuck in a paused state.
Hope this helps!
I had this issue and it turned out to be that the certificate keys were not exportable. Once I enrolled a new cert with an exportable key, the services would start without a problem.
Did you ever manage to resolve the issues?
We are experiencing the exact same thing.
Private key is exportable
No SANs though, we use a wildcard certificate
Complete certificate chain is in place
Friendly name = vdm
In case anyone else comes across this issue where the service is paused, there are two issues we found where this occurs:
The SSL certificate has been incorrectly constructed before import (key or pfx constructed improperly)
When importing the server certificate on a Windows Server if you fail to tick the box "Mark this key as exportable" you get this error
So the blast service is the most temperamental of all of the services when replacing certificates. Always make sure to refresh the services mmc when starting the horizon connection server to ensure blast actually stays running as it will commonly start then immediately stop once it detects an issue with the 'vdm' certificate.
This is my favorite kb to follow when generating 'vdm' certificates for view environments.
The following points are most important:
10. In the Custom Request section, select (No Template) Legacy Key in the dropdown.
18. Click Key Options > Key Size, and set the value to
19. Click Key Options and ensure Make Private Key Exportable is selected.
Also, for those who use an internal AD CA, ensure the proper template is in use, i.e. not the v3 2008 template.
Hope this helps everyone.
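Added example, not part of the original thread and not VMware's code: a PowerShell check of the points the replies above keep returning to (friendly name vdm in the local computer store, a private key that is attached, readable and exportable, SAN entries, expiry). It assumes an elevated Windows PowerShell session on the Connection Server; the output property names are chosen here for illustration.

```powershell
# Added example: inspect the certificate View looks up as [ 'windows-local-machine', 'MY', 'vdm' ].
# Assumption: run elevated, otherwise machine private keys cannot be opened.
$friendlyName = 'vdm'

# The decimal code from absg.log in hex; 0x80090014 is NTE_BAD_PROV_TYPE in winerror.h.
'Log error code: 0x{0:X8}' -f 2148073492

$certs = @(Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq $friendlyName })

if ($certs.Count -eq 0) {
    Write-Warning "No certificate with friendly name '$friendlyName' in LocalMachine\My."
    return
}
if ($certs.Count -gt 1) {
    Write-Warning "$($certs.Count) certificates share friendly name '$friendlyName'; the lookup is ambiguous."
}

foreach ($cert in $certs) {
    $keyInfo = 'no private key attached'
    $exportable = $null
    if ($cert.HasPrivateKey) {
        try {
            $key = $cert.PrivateKey
            if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                # Legacy CryptoAPI key: the container info exposes the export flag.
                $info = $key.CspKeyContainerInfo
                $keyInfo = "legacy CSP key: $($info.ProviderName)"
                $exportable = $info.Exportable
            } else {
                $keyInfo = 'private key is not a legacy CSP (CryptoAPI) key'
            }
        } catch {
            $keyInfo = "private key handle could not be opened: $($_.Exception.Message)"
        }
    }
    # 2.5.29.17 is the subjectAltName extension.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
        Expired    = ($cert.NotAfter -lt (Get-Date))
        PrivateKey = $keyInfo
        Exportable = $exportable
        SAN        = if ($san) { $san.Format($false) } else { '(none)' }
    }
}
```

An empty Exportable value together with a "could not be opened" or "not a legacy CSP" message points at how the key was generated or imported rather than at the friendly name.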