Bart_Verbruggen
Enthusiast

Horizon View 6.0.1 Connection server certificate replacement

I installed the new VMware horizon View 6.0.1.

On the connection server normally you can replace the standard certificate with a custom certificate.

Normally the only thing we need to do is change the friendly name to vdm and restart the services.

I did this and when starting the VMware Horizon View Blast Secure Gateway service I get an error.

Windows could not start the VMware Horizon Blast Secure Gateway service on Local Computer.

In the absg.log I see the following message: keystoreutil.exe failed to load certificate from  [ 'windows-local-machine', 'MY', 'vdm' ] 1 Failed to acquire private key handle (error 2148073492)

Has someone seen this before?

If you found this information useful, please consider awarding points for "Correct" or "Helpful". Thanks! Bart
14 Replies
Gaurav_Baghla
VMware Employee

Three Requirements for Certificates

Friendly Name: Vdm

Subject Alternative Name: FQDN or the URL connecting to

Private Key: Exportable

Refer to this, applicable for 6.0: http://pubs.vmware.com/view-52/topic/com.vmware.ICbase/PDF/horizon-view-52-obtaining-certificates.pd...

Regards Gaurav Baghla Opinions are my own and not the views of my employer. https://twitter.com/garry_14
Bart_Verbruggen
Enthusiast

All three requirements are met for my certificate.

Friendly name = vdm

SAN = servername shortname + FQDN + generic url

Private key is marked as exportable.

I also tried to generate the certificate on a Windows 2008 R2 server instead of my Windows 2012 R2 server (the View Connection Server).

If you found this information useful, please consider awarding points for "Correct" or "Helpful". Thanks! Bart
vFellow
VMware Employee

Is this the procedure you are following: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=203240...?

Are you importing the certificate into the right store (Local Computer (physical))?

If you have imported it wrongly and moved the certificate later on, it can give you some permission errors (like this). Simply try re-importing the certificate.

Bart_Verbruggen
Enthusiast

Yes, I used this procedure.

I have imported the certificate multiple times over and over again.

I also tried to run the Blast Secure Gateway service as a domain account (with local admin rights on the server), without success.

Still unable to start the service.

The VDI management admin page https://localhost/admin displays "This page can't be displayed".

When I switch back to the certificate generated by the setup, all this works fine.

No idea why I cannot use an internal certificate of my own for this.

If you found this information useful, please consider awarding points for "Correct" or "Helpful". Thanks! Bart
ASRIS
Enthusiast

I'm having the exact same issue after following all the KB steps. I believe it may be a bug in 6.0.1.

kgsivan
VMware Employee

Could you please confirm if you are facing this issue on a fresh installation or an upgraded one?

More details/logs will be helpful to diagnose the issue.

Zaim33
Enthusiast

I've had this problem in the past and it was because the private key wasn't exportable.

Can you check it's definitely exportable by importing it into the Computer certificate store and then trying to export it from the store? If 'Yes, export the private key' is greyed out, then the private key is not exportable and the View Connection Server is unable to apply the certificate as expected.

In the end this was down to how I obtained the certificate from the PKI in the first instance... I think it was down to the format I had the certificate in (sorry, can't remember which format worked).

If you find this information useful, please award points for "correct" or "helpful".
MauriceD
Contributor

Thank you, I had this problem too until now (VMware 5.5, Blast and View 5.3).

Certificate expired, importing a new certificate.

Could not get the Secure Gateway or Connection Server running; stuck in "paused". In fact the SG appears to blue screen and restart every few hours(?).

Same error in log about not being able to get key.

The solution, finally, was to check "Make private key exportable" when importing the same new (Thawte-signed) certificate into the certificate stores for those two servers.

Obviously I missed that step with the previous instructions.

Very important, thank you again.

Jacob_Wilde
Contributor

For me this was either a bad cert import or UAC interfering with the cert import. I disabled UAC, deleted and re-imported the cert, and the error went away (unfortunately not my overall issue), but I was able to get my VMware Horizon View Blast Secure Gateway service to run and not get stuck in a paused state.

Hope this helps!

Jacob

CplQ
Contributor

I had this issue and it turned out to be that the certificate keys were not exportable. Once I enrolled a new cert with an exportable key, the services would start without a problem.

PraveshIlionx
Contributor

Did you ever manage to resolve the issues?

We are experiencing the exact same thing.

Private key is exportable.

No SANs though; we use a wildcard certificate.

Complete certificate chain is in place.

Friendly name = vdm

PraveshIlionx
Contributor

We were able to solve our issues: our wildcard certificate was created using the CNG Key Template, which is unsupported by View; you have to use the Legacy Key Template.

GordonPM
Enthusiast

In case anyone else comes across this issue where the service is paused, there are two issues we found where this occurs:

Either:

The SSL certificate has been incorrectly constructed before import (key or PFX constructed improperly).

Or:

When importing the server certificate on a Windows Server, if you fail to tick the box "Mark this key as exportable", you get this error.

wakeman811
Enthusiast

Hi All,

So the Blast service is the most temperamental of all the services when replacing certificates. Always make sure to refresh the Services MMC when starting the Horizon Connection Server to ensure Blast actually stays running, as it will commonly start and then immediately stop once it detects an issue with the 'vdm' certificate.

This is my favorite KB to follow when generating 'vdm' certificates for View environments.

Generating a Horizon View SSL certificate request using the Microsoft Management Console (MMC) Certi...

The following points are most important:

10. In the Custom Request section, select (No Template) Legacy Key in the dropdown.

18. Click Key Options > Key Size, and set the value to 2048.

19. Click Key Options and ensure Make Private Key Exportable is selected.

Also, for those who use an internal AD CA, ensure the proper template is in use, i.e. not the v3 2008 template.

Troubleshooting Certificate Issues on View Connection Server and Security Server

  • The certificate was generated from a v3 certificate template, for a Windows Server 2008 or later server. View cannot detect a private key, but if you use the Certificate snap-in to examine the Windows certificate store, the store indicates that there is a private key.

Hope this helps everyone.

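The checks the replies above converge on (friendly name vdm, a private key the service can actually open, the key marked exportable, and a legacy CSP key rather than a CNG key) can be verified in one pass from the Connection Server itself. The following Windows PowerShell snippet is an added example written for this thread; it is not code from VMware or from any of the posters. It assumes the certificate was imported into the Local Computer Personal store (LocalMachine\My) with friendly name vdm, and its CNG branch relies on the RSACertificateExtensions API available in .NET Framework 4.6 and later. It only reads the store and changes nothing.

```powershell
# Added diagnostic for the 'vdm' certificate requirements discussed in this thread.
# Assumes: certificate in Cert:\LocalMachine\My with FriendlyName 'vdm';
# run from an elevated Windows PowerShell session on the Connection Server.

$friendlyName = 'vdm'   # the friendly name Horizon View looks for

$certs = Get-ChildItem -Path 'Cert:\LocalMachine\My' |
    Where-Object { $_.FriendlyName -eq $friendlyName }

if (-not $certs) {
    Write-Warning "No certificate with friendly name '$friendlyName' in LocalMachine\My."
    return
}

foreach ($cert in $certs) {
    Write-Host "Subject      : $($cert.Subject)"
    Write-Host "Thumbprint   : $($cert.Thumbprint)"
    Write-Host "NotAfter     : $($cert.NotAfter)"
    Write-Host "HasPrivateKey: $($cert.HasPrivateKey)"

    # Subject Alternative Name extension (OID 2.5.29.17), if present.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) { Write-Host "SAN          : $($san.Format($false))" }
    else      { Write-Host "SAN          : (none)" }

    if (-not $cert.HasPrivateKey) {
        Write-Warning "Store reports no private key; re-import the PFX including the key."
        continue
    }

    # X509Certificate2.PrivateKey only understands legacy CSP keys. A $null (or an
    # exception) here while HasPrivateKey is True usually means the key lives in a
    # CNG key storage provider, which the thread reports View does not accept.
    $csp = try { $cert.PrivateKey } catch { $null }
    if ($csp) {
        $info = $csp.CspKeyContainerInfo
        Write-Host "Provider     : $($info.ProviderName) (legacy CSP)"
        Write-Host "Exportable   : $($info.Exportable)"
        if (-not $info.Exportable) {
            Write-Warning "Private key is not exportable; re-import with 'Mark this key as exportable'."
        }
    }
    else {
        # Fall back to the CNG API (.NET 4.6+) to report the provider and export policy.
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            Write-Host "Provider     : $($rsa.Key.Provider.Provider) (CNG)"
            Write-Host "ExportPolicy : $($rsa.Key.ExportPolicy)"
            Write-Warning "Key uses a CNG key storage provider; re-enroll with the '(No Template) Legacy Key' option."
        }
        else {
            Write-Warning "Private key handle could not be opened; re-import the certificate into the Local Computer store."
        }
    }
}
```

Read the output against the thread: a legacy CSP provider with Exportable = True and a SAN covering the Connection Server's FQDN is the combination the posters report as working; a CNG provider or Exportable = False matches the "Failed to acquire private key handle" error in absg.log, and the fix in both cases is to re-enroll or re-import rather than to adjust the service.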