Solved: Re: VMware View 6.1 certificate names

MindU_Talor · ‎10-25-2015

Hi everybody !

I'm planning to install vmware view 6.1 with two connection server on the LAN and one security server on the DMZ.

I'm wondering which names do i need on the certificate ?

my connection server names will be VDI1.MyDomain.Local, VDI2.MyDomain.Local

my security server will be VDI3 (not domain joined server)

my a-record on my public DNS is view.MyDomain.com which direct to the security server.

I have Internal CA server that can issue certificate for VDI1.MyDomain.Local and VDI2.MyDomain.Local.

I have a wildcard certificate for *.MyDomain.com (it doesn't contain any of my internal server names)

1. can I use my wildcard certificate to connect to the security server without any error ?

2. where do i install the wildcard cert? on the security server and all the connection server ?

3. what if i want to connect to VDI from internal network do i need to install my internal CA certificate with the internal names to my connection servers ?

4. because my connection server will be connected both internally and externally, will it use the internal cert (VDI1/2.MyCompany.local) for internal connection and the external cert (*.MyDomain.com) for external connection ?

Thank you.

Taylor.

Claudiocaf · ‎10-26-2015

I do not recommend to use a wildcard certificate on connection servers.

Instead you can issue one certificate for each connection server: VDI1.MyDomain.Local and VDI2.MyDomain.Local

This way the connection will be trusted when connecting from inside.

From internet you will connect to the security server only, so you only need a trusted certificate installed on the security server.

If you issue a certificate from your CA, it will work but clients connecting from internet will not trust that certificate.

If you want a certificate trusted by everyone connecting from internet, you have to buy a certificate from a certificate authority like verisign etc

In both cases, the certificate should be issued with name: view.MyDomain.com and installed on the security server only.

Hope this helps

Regards,

Claudio

View solution in original post

Claudiocaf · ‎10-26-2015

I do not recommend to use a wildcard certificate on connection servers.

Instead you can issue one certificate for each connection server: VDI1.MyDomain.Local and VDI2.MyDomain.Local

This way the connection will be trusted when connecting from inside.

From internet you will connect to the security server only, so you only need a trusted certificate installed on the security server.

If you issue a certificate from your CA, it will work but clients connecting from internet will not trust that certificate.

If you want a certificate trusted by everyone connecting from internet, you have to buy a certificate from a certificate authority like verisign etc

In both cases, the certificate should be issued with name: view.MyDomain.com and installed on the security server only.

Hope this helps

Regards,

Claudio

MindU_Talor · ‎10-26-2015

Thank you vary much for your quick answer Claudio,

Just to make sure, you are saying that for external users i only need one third party trusted Cert for the security server and that's it ?

My wildcard certificate is from GoDaddy so it is trusted to the outside world, the wildcard is for my external domain *.MyDomain.com, so can I use this certificate for the Security Server ? no need any inernal names (server.MyDomain.local) in that certificate ?

Thanks!

TitoDz · ‎10-26-2015

MindU_Talor,

Your wildcard certificate will work fine in this case. I used a wildcard cert myself for my Security Servers. There is no need for internal names on the certificate.

Claudiocaf · ‎10-27-2015

Exactly, you are right. Just install the wildcard certificate on the security server and you're done.

There's no need to have any alternative name in the certificate referring to the connection servers.

Cheers

blu60077 · ‎10-27-2015

I think I am in the same sort of situation, but still confused as all <insert favorite expletive>

My view environment consist of three virtual servers.

1 connection server
1 security server
1 composer server

Connection Server
fqdn in windows AD is:
View-Conn.domain.local
10.10.144.47

internal DNS resolves…

View-Conn.domain.local

to

View.domain.local

So using the URL

https://view.domain.local

internal users are able to log in and get a desktop securely and I can administer securely is I using the url

https://view.domain.local/admin

To make all of this secure, what I did was…

On this connection server I have installed under “Private” a secured certificate under the name of

View.domain.local

Now, I am not a certificate expert and I hate dealing with these… but the certificate I got from Go Daddy… it allows me to also create “5 SAN” names…

again, IDK, so what I did was.. tied to this same certificate I created 4 more additional SANs:

So, I am not sure if I did it right but now when I log into the administrator console

So, my first question is this...

Did I do everything correct up to this point?

Because I am receiving errors when attempting to log in via WYSE terminal...

when I attempt to connect to my connection server via a WYSE terminal

when I supply

view.domain.local or ServerName.domain.local as the connection server name...

I still receive a certificate error...

even though the cert details contain correct information. including SAN names

What am i missing? any thoughts?

TitoDz · ‎10-28-2015

It is possible your WYSE terminal may not trust the Go Daddy CA. Access the WYSE client via the Web UI and update it to trust the Go Daddy CA cert. You can also accomplish this with the PCoIP Management Console.

All

VMware View 6.1 certificate names