Hi all,
This is a very simple question, as I want to "convince" Horizon View Dashboard to give me all green lights about SSL certs using the self-signed certificates.
I'm running Horizon View 6.0.1.
The components that can be red are:
- vCenter
- Composer
- Connection Servers
- Security Servers
For the first two it's pretty straightforward since you can just accept the thumbprint from the View Administration Dashboard.
For the Connection Servers all you have to do is import all the Connection Servers' certificates into the certificate stores of all Connection Servers under the trusted CA.
I still can't find a way to make the security server green.
Anyone managed to make it green using the self-signed certs?
Thank you!
If I understand your question correctly, you need to add all View servers' certificate root CA to its trusted certificates.
Hi,
thank you for your answer but this doesn't solve my problem.
When you use the default self-signed certificate, every connection server or security server will generate a certificate and be its own CA, so in this case you don't end up with a chain of certificates (as with the typical root CA > sub CA > certificate) but you get one cert that will work as both cert and CA.
In the case of connection servers I just proceed as you described and the View Administrator Dashboard will be happy:
But if I do the same with the security server it won't be enough to convince the dashboard it's a valid SSL Certificate:
In this demo environment there is one connection server (which trusts its own certificate and the security server certificate) and one security server (which trusts its own certificate and the connection server certificate)
So since I did already what you suggested, what else is left to try?
Thank you.
Check out the registry key in this article: http://kb.vmware.com/kb/2000063
I think that is what you're looking for.
Nope, I tried that KB already because I was sure it would solve my problem but with no luck, still the same behaviour you can see in the screenshot.
* PING *
You cannot trust a self signed certificate and make all the lights green. However, you can very easily get a certificate from ANY root CA that you create, internal, external or otherwise. Even if it's just for View. The only requirement is that it's not self signed but rather issued from a CA, any CA.
I was afraid this would be the answer I would get.
Just out of curiosity, can you explain how the process of validating certificates between connection server and security server works? I mean, I managed to trust the self-signed certs from the connection server (green light) but not the one for the security server.
Thank you for your help.
Oh I'm sorry, I misunderstood your question. I think there might be a way to force the issue like you want, but I don't think so. Let me look into it real quick and I'll try to get something back to you.
Did you turn off revocation checking on the SS?
caddo wrote:
I was afraid this would be the answer I would get.
Just out of curiosity, can you explain how the process of validating certificates between connection server and security server works? I mean, I managed to trust the self-signed certs from the connection server (green light) but not the one for the security server.
Thank you for your help.
There isn't a process of validating between them, but they are both trying to validate the certificate they have been assigned. More than likely you have a mismatch on the SS between the name it's attempting to use and the name that's in the self-signed certificate.
I already checked that without finding any mismatch, but I don't remember what I saw in there so I will check again and report back.
What's strange is that these are the default self-signed certificates that are created by the Horizon View installer so I don't see how this would be happening to me only.
Yes, revocation checking is turned off on both SS and CS.
*** PING ***
Have you imported the SS's self-signed cert into the CS's trusted root store?
Yes, I did.