VMware Horizon Community
BarryUWSEFS
Enthusiast

The AddTrust External CA Root, however, expires on May 30th 2020.

Horizon 7.11, 1 UAG and 1 Connection server.

This old legacy CA root is on our Connection server. It is affecting some very old legacy WYSE clients, which is expected. However it is not affecting our other users with the Horizon client on their PCs, with the exception of one person. One person is getting a certificate error and cannot connect. They are on a 5 year old PC with Windows 7, it should work.

I think the best practice would be to clean up the certificate chain and remove the old certs, but not positive on the correct steps in the Connection server. Any guidance appreciated. Image of cert store attached.


Accepted Solutions
BarryUWSEFS
Enthusiast

I ended up downloading an intermediate certificate bundle from our cert provider, both InCommon RSA Server CA, and USERTrust RSA Certification Authority, and imported those into the intermediate certificate store. I deleted the two expired certificates. Restarted the server and bingo, the cert chain is clean, and after a reboot the old legacy WYSE clients started working again.
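
A read-only check for the situation this thread describes, as an added example that is not part of the original posts: it lists expired certificates in the server's Intermediate and Trusted Root stores and shows the chain Windows builds for the certificate carrying the 'VDM' friendly name. It assumes an elevated PowerShell session on the Connection Server; it deletes and imports nothing.

```powershell
# Added example: read-only audit, makes no changes to any certificate store.
$now = Get-Date

# 1. Expired CA certificates in the Intermediate (CA) and Trusted Root stores.
#    An expired legacy root or intermediate would show up here.
$expired = foreach ($store in 'CA', 'Root') {
    Get-ChildItem -Path "Cert:\LocalMachine\$store" |
        Where-Object { $_.NotAfter -lt $now } |
        Select-Object @{ n = 'Store'; e = { $store } }, Subject, NotAfter, Thumbprint
}
$expired | Sort-Object NotAfter | Format-Table -AutoSize | Out-Host

# 2. The active server certificate: friendly name 'VDM' (per the thread), not expired.
#    -eq is case-insensitive, so 'vdm' and 'VDM' both match.
$serverCerts = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq 'vdm' -and $_.NotAfter -gt $now }

if (-not $serverCerts) {
    Write-Warning "No unexpired certificate with friendly name 'VDM' in LocalMachine\My."
}

foreach ($cert in $serverCerts) {
    # $true = build the chain in the machine context, as a service would.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
    # Skip revocation lookups so the check also works without outbound access.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck

    $ok = $chain.Build($cert)
    Write-Host "Chain for $($cert.Subject) builds without errors: $ok"

    # One row per chain element, leaf first, with any per-element status flags
    # (for example NotTimeValid on an expired issuer).
    $rows = foreach ($element in $chain.ChainElements) {
        [pscustomobject]@{
            Subject  = $element.Certificate.Subject
            NotAfter = $element.Certificate.NotAfter
            Expired  = $element.Certificate.NotAfter -lt $now
            Status   = ($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
        }
    }
    $rows | Format-Table -AutoSize | Out-Host
}
```

Running it before and after a store cleanup shows whether an expired issuer still appears in the built chain.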

Shreyskar
VMware Employee

Hi BarryUWSEFS

VMware Knowledge Base describes detailed steps for creating a certificate signing request, submitting it to a CA, and then importing the certificate on the connection server. Once you follow it carefully, you will be able to replace the connection server cert easily.

Once you import the new cert on the connection server, rename the old cert's friendly name to 'VDM_OLD' or something else. Only one active cert can have the 'VDM' friendly name at a time in the cert store on all connection servers.

BarryUWSEFS
Enthusiast

Hi Shreyskar,

The certificate that is issued to the connection server is fine, it is the legacy root and/or intermediate certificates that need to be removed from the chain. I am not sure if I can just delete them or if something more needs to be done.

Thanks

Shreyskar
VMware Employee

I am not sure this will work with the connection server. The easiest way is to request a new certificate instead of removing intermediate certs from an existing one.

BarryUWSEFS
Enthusiast

Yes that would be okay, it expires in a few months anyway. In that case I imagine I can just remove these old legacy certs first. I am also not sure about how many of the other certs in the store are needed.
