VMware Horizon Community
caddo
Enthusiast

Horizon View Self-Signed Certs Green in the Dashboard

Hi all,

This is a very simple question, as I want to "convince" Horizon View Dashboard to give me all green lights about SSL certs using the self-signed certificates.

I'm running Horizon View 6.0.1.

The components that can be red are:

- vCenter

- Composer

- Connection Servers

- Security Servers

For the first two it's pretty straightforward since you can just accept the thumbprint from the View Administration Dashboard.

For the Connection Servers all you have to do is import all the Connection Servers' certificates into the certificate stores of all Connection Servers under the trusted CA.

I still can't find a way to make the security server green.

Anyone managed to make it green using the self-signed certs?

Thank you!

15 Replies
kgsivan
VMware Employee

If I understand your question correctly, you need to add all View servers' certificate root CA to its trusted certificates.

caddo
Enthusiast

Hi,

thank you for your answer but this doesn't solve my problem.

When you use the default self-signed certificate, every connection server or security server will generate a certificate and be its own CA, so in this case you don't end up with a chain of certificates (as with the typical root CA > sub CA > certificate) but you get one cert that will work as both cert and CA.

In the case of connection servers I just proceed as you described and the View Administrator Dashboard will be happy:

[Screenshot: Screen Shot 2015-03-10 at 18.09.29.png]

But if I do the same with the security server it won't be enough to convince the dashboard it's a valid SSL Certificate:

[Screenshot: Screen Shot 2015-03-10 at 18.11.01.png]

In this demo environment there is one connection server (which trusts its own certificate and the security server certificate) and one security server (which trusts its own certificate and the connection server certificate)

So since I did already what you suggested, what else is left to try?

Thank you.

nzorn
Expert

Check out the registry key in this article: http://kb.vmware.com/kb/2000063

I think that is what you're looking for.

caddo
Enthusiast

Nope, I tried that KB already because I was sure it would solve my problem, but with no luck; still the same behaviour you can see in the screenshot.

caddo
Enthusiast

* PING *

JackMac4
Enthusiast

You cannot trust a self signed certificate and make all the lights green. However, you can very easily get a certificate from ANY root CA that you create, internal, external or otherwise. Even if it's just for View. The only requirement is that it's not self signed but rather issued from a CA, any CA.

---- Jack McMichael | Sr. Systems Engineer VMware End User Computing Contact me on Twitter @jackwmc4
caddo
Enthusiast

I was afraid this would be the answer I would get.

Just out of curiosity, can you explain how the process of validating certificates between connection server and security server works? I mean, I managed to trust the self-signed certs from the connection server (green light) but not the one for the security server.

Thank you for your help.

JackMac4
Enthusiast

Oh I'm sorry, I misunderstood your question. I think there might be a way to force the issue like you want, but I don't think so. Let me look into it real quick and I'll try to get something back to you.

---- Jack McMichael | Sr. Systems Engineer VMware End User Computing Contact me on Twitter @jackwmc4
JackMac4
Enthusiast

Did you turn off revocation checking on the SS?

---- Jack McMichael | Sr. Systems Engineer VMware End User Computing Contact me on Twitter @jackwmc4
JackMac4
Enthusiast

caddo wrote:

I was afraid this would be the answer I would get.

Just out of curiosity, can you explain how the process of validating certificates between connection server and security server works? I mean, I managed to trust the self-signed certs from the connection server (green light) but not the one for the security server.

Thank you for your help.

There isn't a process of validating between them, but they are both trying to validate the certificate they have been assigned. More than likely you have a mismatch on the SS between the name it's attempting to use and the name that's in the self-signed certificate.

---- Jack McMichael | Sr. Systems Engineer VMware End User Computing Contact me on Twitter @jackwmc4
caddo
Enthusiast

I already checked that without finding any mismatch, but I don't remember what I saw in there so I will check again and report back.

What's strange is that these are the default self-signed certificates that are created by the Horizon View installer so I don't see how this would be happening to me only.

caddo
Enthusiast

Yes, revocation checking is turned off on both SS and CS.

caddo
Enthusiast

*** PING ***

JackMac4
Enthusiast

Have you imported the SS's self-signed cert into the CS's trusted root store?

---- Jack McMichael | Sr. Systems Engineer VMware End User Computing Contact me on Twitter @jackwmc4
caddo
Enthusiast

Yes, I did.

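
The checks raised across this thread (is the certificate self-signed, is it in the local trusted root store, does the name in it match the name the server is reached by, does the chain build with revocation checking off) can be run in one pass. This is an added example, not code from any poster or from VMware; `Test-PeerCertTrust`, the file path and the host name are hypothetical, and these are general X.509 checks rather than the dashboard's own validation logic.

```powershell
# Added example (hypothetical helper, not VMware code). Run on the server whose
# trust decision you want to inspect, against the other server's exported cert.
function Test-PeerCertTrust {
    param(
        [Parameter(Mandatory=$true)][string]$CertPath,     # exported .cer of the other server
        [Parameter(Mandatory=$true)][string]$ExpectedName  # name used to reach that server
    )
    $x509 = 'System.Security.Cryptography.X509Certificates'
    $cert = New-Object "$x509.X509Certificate2" -ArgumentList (Resolve-Path $CertPath).Path

    # Names the certificate is valid for: SAN DNS entries, else the subject CN.
    $names = @()
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format() output is localized; 'DNS Name=' is what English Windows prints.
        $names = @([regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
                   ForEach-Object { $_.Groups[1].Value })
    }
    if ($names.Count -eq 0) { $names = @($cert.GetNameInfo('SimpleName', $false)) }

    # -like lets a wildcard entry such as *.example.test match (approximate matching).
    $nameOk = [bool]($names | Where-Object { $ExpectedName -like $_ })

    # A self-signed cert is only trusted if that exact cert is in the Root store.
    $inRoot = [bool](Get-ChildItem Cert:\LocalMachine\Root |
                     Where-Object { $_.Thumbprint -eq $cert.Thumbprint })

    # Build the chain in machine context with revocation checking off,
    # mirroring the setting described in the thread.
    $chain = New-Object "$x509.X509Chain" -ArgumentList $true
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($cert)
    $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    New-Object PSObject -Property @{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        IsSelfSigned  = ($cert.Subject -eq $cert.Issuer)
        NamesInCert   = ($names -join ', ')
        NameMatches   = $nameOk
        InTrustedRoot = $inRoot
        NotExpired    = ((Get-Date) -ge $cert.NotBefore -and (Get-Date) -le $cert.NotAfter)
        ChainBuilds   = $chainOk
        ChainStatus   = $status
    }
}

# Usage (placeholder path and name):
# Test-PeerCertTrust -CertPath 'C:\temp\ss01.cer' -ExpectedName 'ss01.example.test' | Format-List
```

A `ChainStatus` of `UntrustedRoot` points at the root store import; `NameMatches = False` points at the kind of name mismatch JackMac4 describes.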