VMware Horizon Community
lds4989
Contributor

Multiple Certificates

hey folks,

We use the following scenario:

VMware 5.1 Security Server (DMZ LEVEL) -> VMware 5.1 Connection Server (LAN LEVEL) -> VMware 5.1 Vcenter Server (LAN LEVEL)

We have a CA installed and all the above servers/applications have their internal CA cert, which works just fine.

Now, we're planning to have the Security Server served by a verisign certificate so the clients are not required (as now) to have the root ca cert installed, instead they should work with the verisign cert on that level. Unfortunately we tried to replace the cert on the Security Server, but without success.

So, what did we do wrong? We deleted the internal CA cert on the Security Server, placed the verisign certificate on it, restarted the VMware components. After this the https test shows us the verisign certificate, but a vmware view session was dropped due to invalid SSL.

Is it required that the verisign cert has as friendly name vdm? This is the only thing we believe that was not set yet.

Also, when the connection between Security Server and Connection Server is allowed only by SSL, would it work to have the verisign on the Security Server, but on the Connection Server just an internal CA cert? (In my opinion yes, as the Connection Server also has the verisign root CA, and can thus trust the server authentication.)

Thanks for any tips on this!

BR,
Matthias

3 Replies
Linjo
Leadership

Yes, you are spot on, the friendly name needs to be "vdm".

When the broker starts up it looks for that friendly name to know what cert to use.

// Linjo

Best regards, Linjo Please follow me on twitter: @viewgeek If you find this information useful, please award points for "correct" or "helpful".
lds4989
Contributor

Hey Linjo,

Thanks for your response. As far as I know just one cert can have the FN VDM, right? So, if I give it to the verisign cert, how do the internal SSL routes realize that there is another SSL cert for the internal DNS? As there is no way I can give the verisign the internal DNS names as SANs .... any suggestions about this scenario? Or I'm wrong and the internal connections between Security Gateway and Connection Server do not need the VDM tag?

BR,

Matthias

Linjo
Leadership

Well, technically there can be more than one with "vdm" as the friendly name but the connection-server will only use the first one it encounters with that name.

You could use subject alternate names on the cert or stand up another connection server for the internal users.

// Linjo

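The two replies above come down to one check an administrator would want to run on the Security Server or Connection Server before restarting the View components: is there exactly one certificate in the machine store whose friendly name is "vdm", does it have its private key, and does it cover the host names that clients and the Connection Server actually use (the SAN question from the second post)? The following PowerShell script is an added example written for this thread, not code from VMware or from any of the posters. It assumes the View 5.1 convention described by Linjo (friendly name "vdm", first match wins), the standard Windows store path Cert:\LocalMachine\My, and the host names in $expectedNames are constructed placeholders that you replace with your own.

```powershell
# Added example (not from the thread or from VMware). Inventories the
# machine personal store and reports the certificates carrying the
# friendly name "vdm" that a View 5.1 broker/security server selects.
# Assumption: run in an elevated PowerShell session on the View server.

$storePath    = 'Cert:\LocalMachine\My'
$friendlyName = 'vdm'
$sanOid       = '2.5.29.17'   # id-ce-subjectAltName

function Get-VdmCertificateReport {
    param(
        [string]$Path = $storePath,
        [string]$Name = $friendlyName
    )
    Get-ChildItem -Path $Path |
        Where-Object { $_.FriendlyName -eq $Name } |
        ForEach-Object {
            # Pull the SAN extension (if any) and render it as text.
            $sanExt = $_.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
            [pscustomobject]@{
                Thumbprint      = $_.Thumbprint
                Subject         = $_.Subject
                Issuer          = $_.Issuer
                NotAfter        = $_.NotAfter
                HasPrivateKey   = $_.HasPrivateKey
                SubjectAltNames = if ($sanExt) { $sanExt.Format($false) } else { '(none)' }
            }
        }
}

$vdmCerts = @(Get-VdmCertificateReport)

switch ($vdmCerts.Count) {
    0 {
        Write-Warning "No certificate with friendly name '$friendlyName' found in $storePath."
    }
    1 {
        Write-Host "Exactly one '$friendlyName' certificate found:"
        $vdmCerts | Format-List
    }
    default {
        # Per the reply above, only the first match is used; flag the rest.
        Write-Warning "$($vdmCerts.Count) certificates carry friendly name '$friendlyName'; only the first one encountered is used, so rename the others."
        $vdmCerts | Format-Table Thumbprint, Subject, NotAfter, HasPrivateKey -AutoSize
    }
}

# Private key and expiry sanity checks on every candidate.
foreach ($c in $vdmCerts) {
    if (-not $c.HasPrivateKey) {
        Write-Warning "$($c.Thumbprint): no private key present; TLS cannot use this certificate."
    }
    if ($c.NotAfter -lt (Get-Date)) {
        Write-Warning "$($c.Thumbprint): expired on $($c.NotAfter)."
    }
}

# Name coverage: every name a client or the Connection Server connects to
# must appear as a SAN (or as the CN). Constructed placeholder names; replace them.
$expectedNames = @('view.example.com', 'securityserver01.corp.example')

foreach ($c in $vdmCerts) {
    foreach ($n in $expectedNames) {
        $inSan = $c.SubjectAltNames -match [regex]::Escape($n)
        $inCn  = $c.Subject -match [regex]::Escape("CN=$n")
        $state = if ($inSan -or $inCn) { 'covered' } else { 'NOT covered' }
        '{0,-40} {1,-12} {2}' -f $n, $state, $c.Thumbprint
    }
}
```

If the public certificate lacks the friendly name, it can be set from the same session by assigning to the FriendlyName property of the object returned from the Cert: provider (for example `(Get-Item "$storePath\<thumbprint>").FriendlyName = 'vdm'`), or through the Certificates MMC snap-in; either way, rerun the report afterwards so that only the intended certificate carries the name before the View services are restarted.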