VMware Horizon Community
bmroczek
Contributor

View 4.6 and certificate import

I am attempting to import a certificate into VMware View on the security server.

I've attempted to use both a .crt and a .p7b.  The .crt was exported as a .p7b since Register.com doesn't include it in a Tomcat certificate purchase.  Any assistance would be greatly appreciated.

Commands and error messages:


C:\Program Files\VMware\VMware View\Server\jre\bin>keytool -import -keystore demo.p12 -storetype pkcs12 -alias tomcat -storepass xxxxxxx -keyalg "RSA" -trustcacerts -file c:\certs\certificate.crt

Owner: CN=sub.domain.com, OU=PositiveSSL, OU=Hosted by Register.com, OU=Domain
Control Validated
Issuer: CN=Register.com CA SSL Services (DV), O=Register.com, C=US
Serial number: xxxxxxxxxxxxxxxxx
Valid from: Thu May 05 18:00:00 MDT 2011 until: Sat May 05 17:59:59 MDT 2012
Certificate fingerprints:
         MD5:  xxxxxxxxxxx
         SHA1: xxxxxxxxxxx
         Signature algorithm name: SHA1withRSA
         Version: 3

Extensions:

#1: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:false
  PathLen: undefined
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 80 CA 54 40 A1 34 B1 EE   54 7F D9 86 58 0B F6 1B  ..T@.4..T...X...
0010: A9 DF 32 2A                                        ..2*
]
]

#4: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: 1.3.6.1.5.5.7.48.2
   accessLocation: URIName: http://crt.register.com/RegistercomSSLServicesCADV.crt,
   accessMethod: 1.3.6.1.5.5.7.48.1
   accessLocation: URIName: http://ocsp.register.com]
]

#5: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.register.com/RegistercomSSLServicesCADV.crl]
]]

#6: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [1.3.6.1.4.1.6449.1.2.2.24]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 32 68 74 74 70 3A 2F   2F 63 61 2E 72 65 67 69  .2http://ca.regi
0010: 73 74 65 72 2E 63 6F 6D   2F 72 65 70 6F 73 69 74  ster.com/reposit
0020: 6F 72 79 2F 52 65 67 69   73 74 65 72 5F 43 50 53  ory/Register_CPS
0030: 2E 70 64 66                                        .pdf

]]  ]
]

#7: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

#8: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 96 36 9B F8 D6 E5 B3 68   4A 70 7A 7A 72 8D D3 6E  .6.....hJpzzr..n
0010: 2C 0B B9 31                                        ,..1
]

]

#9: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: sub.domain.com
  DNSName: www.sub.domain.com
]

Trust this certificate? [no]:  yes
keytool error: java.security.KeyStoreException: TrustedCertEntry not supported


C:\Program Files\VMware\VMware View\Server\jre\bin>keytool -import -keystore demo.p12 -storetype pkcs12 -alias tomcat -storepass xxxxxxx -keyalg "RSA" -trustcacerts -file c:\certs\demo.p7b

keytool error: java.lang.Exception: Input not an X.509 certificate

C:\Program Files\VMware\VMware View\Server\jre\bin>

mittim12
Immortal

Have you been able to import the certificate into any of the connection brokers without any issues?  I can't offer a lot of troubleshooting advice on this, but I can say that I followed the admin guide directions and had no issues at all.

eeg3
Commander

To add onto the above, I followed this guide by Clearpath and it worked well.

Blog: http://blog.eeg3.net
bmroczek
Contributor

Thank you all for your contributions.  I will give the last link a try and see what results come of it.

abbasi
Enthusiast

I found a much easier method.

Before you start, convert your server cert into .p12 format.  (There are lots of guides on the internet on converting, so I won't cover that, but you can use a browser to do it.)

1. Copy server.p12 to %Install Directory%\Program Files\Vmware\Vmware View\Server\sslgateway\conf
2. In %Install Directory%\Program Files\Vmware\Vmware View\Server\sslgateway\conf create a file called locked.properties.  Edit this file with the following lines:
keyfile=server.p12               (name of your p12)
Keypass=password               (your password)
(or just copy this file from another server that you already set up)
3. Run %Install Directory%\Program Files\Vmware\Vmware View\Server\jre\bin\javacpl.exe.  This opens a GUI application.
4. Select Security|Certificates
5. Select User tab, Select Import
6. Browse to the server.p12 file that you copied above
7. Enter the password
8. Restart the View Connection Server Service

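The step abbasi glosses over ("convert your server cert into .p12 format") is where the original poster's keytool attempts went wrong: a bare .crt or .p7b carries no private key, so it cannot become the key entry the secure gateway needs. The added script below is not from this thread or from VMware; it uses only openssl to bundle a PEM certificate and its private key into the server.p12 that steps 1-2 expect, checks that the bundle really holds a key matching the certificate, and writes the two-line locked.properties. The self-signed key/cert it generates is constructed test material standing in for the CA-issued certificate.crt; the lower-case keyfile/keypass property names follow the View admin guide.

```shell
#!/bin/sh
# Added example, not VMware's or the thread's own code. Requires openssl.
set -eu

WORK=$(mktemp -d)

# Constructed stand-in for the CA-issued certificate and its private key:
# a throwaway self-signed pair for sub.domain.com (the thread's example CN).
make_test_material() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=sub.domain.com" \
    -keyout "$WORK/server.key" -out "$WORK/certificate.crt" >/dev/null 2>&1
}

# Bundle certificate + private key into a PKCS#12 file under the alias "tomcat".
build_p12() {  # $1=cert.pem $2=key.pem $3=out.p12 $4=password
  openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -name tomcat -passout "pass:$4"
}

# Cert-only PKCS#12 (what you get from a .crt/.p7b with no key): the thread's
# failure mode, built here only so the check below can be shown rejecting it.
build_cert_only_p12() {  # $1=cert.pem $2=out.p12 $3=password
  openssl pkcs12 -export -nokeys -in "$1" -out "$2" -passout "pass:$3"
}

# Verify the bundle contains a private key and that its public half matches
# the certificate's public key. Returns 0 only when both hold.
p12_has_matching_key() {  # $1=file.p12 $2=password
  keypub=$(openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$2" 2>/dev/null \
           | openssl pkey -pubout 2>/dev/null) || return 1
  certpub=$(openssl pkcs12 -in "$1" -clcerts -nokeys -passin "pass:$2" 2>/dev/null \
           | openssl x509 -pubkey -noout 2>/dev/null) || return 1
  [ -n "$keypub" ] && [ "$keypub" = "$certpub" ]
}

# Write the locked.properties the secure gateway reads from sslgateway\conf.
# keyfile is the .p12 name relative to that directory; keypass is its password.
write_locked_properties() {  # $1=conf dir $2=p12 filename $3=password
  printf 'keyfile=%s\nkeypass=%s\n' "$2" "$3" > "$1/locked.properties"
}
```

Run the functions in order (make_test_material, build_p12, p12_has_matching_key, write_locked_properties); a bundle that fails the key check is the one keytool refused with "TrustedCertEntry not supported".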
thels
Contributor

abbasi wrote:

I found a much easier method.

Before you start, convert your server cert into .p12 format.  (There are lots of guides on the internet on converting, so I won't cover that, but you can use a browser to do it.)

1. Copy server.p12 to %Install Directory%\Program Files\Vmware\Vmware View\Server\sslgateway\conf
2. In %Install Directory%\Program Files\Vmware\Vmware View\Server\sslgateway\conf create a file called locked.properties.  Edit this file with the following lines:
keyfile=server.p12               (name of your p12)
Keypass=password               (your password)
(or just copy this file from another server that you already set up)
3. Run %Install Directory%\Program Files\Vmware\Vmware View\Server\jre\bin\javacpl.exe.  This opens a GUI application.
4. Select Security|Certificates
5. Select User tab, Select Import
6. Browse to the server.p12 file that you copied above
7. Enter the password
8. Restart the View Connection Server Service

This is the exact method I used as well with my wildcard cert, and it was so simple and easy that at first I thought there was no way it could work.  Too simple compared to the VMware SSL import docs.  But it does work.  Go this route if you can.

bmroczek
Contributor

There must be an information vacuum between my ears today.  For the life of me I can't get the CRT to convert to a P12.  I'm using this site to attempt the conversion: https://www.sslshopper.com/ssl-converter.html  As soon as I can get this converted I will give your method a try.  It does seem TOO simple, but then again if it works it's golden.

jbrungar
Contributor

I was able to successfully export my wildcard .pfx certificate and convert it to a .p12.  I was also able to successfully import it into Java and created the locked.properties file accordingly.  However I am not having any luck.  VMware View still works, but is NOT using the new wildcard cert.  Does anyone have any ideas?

Thanks,

SDO1
Enthusiast

Why is it everyone wants to convert to .p12?  Just use the keystore you already have and point to that (whatever.pfx) in your locked.properties file.

jbrungar
Contributor

I have manually added the certificate (pfx) to Java per the instructions above and am no longer using the .p12 format.

My locked.properties file looks as follows:

Keyfile=starcertificate.pfx    (which is located in the correct directory)
Keypass=mypass

storetype=pkcs12

I still get the same error message as always.  Has anyone got this to successfully work?  Please note that I am using a *.mydomain.com certificate.

Thanks,

SDO1
Enthusiast

.pfx isn't storetype pkcs12 .. you just need keyfile/keypass

jbrungar
Contributor

I placed the .pfx certificate in Java on both the Connection Server and Session Server (in DMZ) and made changes to the locked.properties file as requested.  It's still using the self-signed certificate provided by VMware during the install.  I tested internally and externally.  I have restarted the View Connection Server service and Secure Gateway service on the Connection Server and the Secure Gateway service on the Session Server, and still no dice.  Are there any other suggestions you have, or something I am overlooking?

Thanks,

SDO1
Enthusiast

Hi,

The pfx + locked file should be in the C:\ProgramFiles\VMwareViewManager\Server\sslgateway\conf directory.

(Don't have a server nearby .. so the path is as I best recollect it ...)

KBBAdmin
Contributor

I ran through this guide with no issues exporting my wildcard, and using Mozilla to convert from .pfx to .p12, I was able to import into javacpl just fine, and created a two-line locked.properties file:

"C:\Program Files\VMware\VMware View\Server\sslgateway\conf\locked.properties"

keyfile=wildcard.p12
Keypass=password

But after restarting my connection service, I get refused connections, until I remove/rename the locked.properties file and restart the service.  Anyone run into this?

Thanks,

jon
