Hdeuxo
Contributor
Contributor

Issue with certificate on View Composer

Jump to solution

Hello,

I will try to explain my issue as well as I can.

I have upgraded my server view composer from 5.2 to 6.2. And I would like to replace the default certificate by my own generate by my internal CA (on our DC).

I have created a requet.inf found here : VMware KB: Using Microsoft Certreq to generate signed SSL certificates in VMware Horizon View

And replace the CN, OU, O, etc by my information. Here the content :

;----------------- request.inf -----------------
[Version]

Signature= $Windows NT$

[NewRequest]

Subject = "CN=View_Server_FQDN, OU=Organizational_Unit_Name, O=Organization_Name, L=City_Name, S=State_Name, C=Country_Name" ; replace attributes in this line using example below
KeySpec = 1
KeyLength = 2048
; Can be 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance.
Exportable = TRUE
FriendlyName = vdm
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = Microsoft RSA SChannel Cryptographic Provider
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]

OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication

[RequestAttributes]

; SAN= dns=FQDN_you_require&dns=other_FQDN_you_require

;-----------------------------------------------


After I generated the CSR with the following command : certreq -new request.inf certreq.txt


After I generated the certificate with our CA in DER64.


In the mmc on the server composer I import the certificate. Always go right.


And the last thing is to replace the default certificate with the SVI command : SviConfig ReplaceCertificate


It is done. I restart the Composer server go to the dashboard to see the flag. But I got a redflag on the Composer with the following message : server certificate does not match the url


I searched this message on Google and the error appear to be in the "CN", I verified the synthax and the name of the server (FQDN) are correctly write. I also see that we can use SAN (subject alternative Name).


But I always got the same error.



Someone have an idea about that ?


Best regards,

0 Kudos
27 Replies
Hdeuxo
Contributor
Contributor

Yes the composer is at 6.2 and the connection in 5.2.

I will upgrade the connection server today.

I hope it will resolve all our issue. We are unable to modify the pool, we are also unable to recompose or adding new desktop in linked clone pool.

0 Kudos
Hdeuxo
Contributor
Contributor

Hello,

The upgrade is now done on our connection server. We are now in 6.2. But unfortunately always the same error with the certificates.

Thanks for your time,

0 Kudos
Gaurav_Baghla
VMware Employee
VMware Employee

Installing on a new Server would not be a good idea.

I would say troubleshoot the connection server upgrade Failure . %temp% would have the vminst_failed logs plus also attach the screenshot

Regards Gaurav Baghla Opinions are my own and not the views of my employer. https://twitter.com/garry_14
0 Kudos
Gaurav_Baghla
VMware Employee
VMware Employee

Apologies that was getting auto saved please ignore the previous comment.Alright now back to square on Composer certificates does not work as expected. Please share the outcome from below step

If you use sviconfig replace utility to revert to default certs does the certificate error go away ?

Regards Gaurav Baghla Opinions are my own and not the views of my employer. https://twitter.com/garry_14

View solution in original post

0 Kudos
Hdeuxo
Contributor
Contributor

Here the steps that I followed :

- Stopping service VMWare Composer

- Using "sviconfig" => C:\Program Files (x86)\VMware\VMware View Composer> "SviConfig.exe -operation=replacecertificate -delete=false"


The output of this command show me the 6 certificates witch I found in the  certificate store. I choose one of the old certificate by entering the number and got :


Unbind certificate from the port 18443 successfully.

Bind the new certificate to the port.

ReplaceCertificate operation completed successfully.

- After I restart the View Composer Service.

But I always see the error and when I push "Verified", I got two news errors :

1) "Le nom de l'objet du certificat du serveur ne correspond pas à l'URL externe du serveur" => Translate : The object name of the certificate does not match to the extern URL of the server.

2) "Le certificat de serveur n'est pas approuvé." => Translate : The certificate of the server is not approved.

The thing that disturbed me is that I don't see the version of the View Composer in the pop-up for the certificate. I don't know if it linked to my issue.

Best regards,

0 Kudos
Gaurav_Baghla
VMware Employee
VMware Employee

Have a look at  this

How-to: Find Composer Certificate in VMware Horizon View Administrator - VMware Consulting Blog - VM...

Regards Gaurav Baghla Opinions are my own and not the views of my employer. https://twitter.com/garry_14
0 Kudos
Hdeuxo
Contributor
Contributor

Hello,

It is now working with an older default certificate. But with our own certificate from our CA it still don't working.

Best regards,

0 Kudos
Gaurav_Baghla
VMware Employee
VMware Employee

Alright . You are using an Internal CA. Can you have a rough walkthrogh this.

https://pubs.vmware.com/view-52/topic/com.vmware.ICbase/PDF/horizon-view-52-obtaining-certificates.p...

Regards Gaurav Baghla Opinions are my own and not the views of my employer. https://twitter.com/garry_14
0 Kudos