VMware Workspace ONE Community
WorkAnywhere
Contributor

WorkspaceONE ACCESS - CA certificate store (aka viDM Identity Manager)

Greetings all,

We would like to remove a trusted CA certificate from the CA certstore of our vIDM (WS1 Access 20.10).

We have found that the keystore is located in /usr/local/horizon/conf/idm-cacerts and the password is empty (no password is needed to open it).

When we modify the keystore by removing the expired/revoked CA certificate, we then restart the horizon-workspace service. We log into the appliance console and under "Install SSL Certificates" the GUI menu is broken and the option to upload a new custom web certificate is not displayed. Is there any other action that we are missing in order to properly delete a CA certificate from the CA store?

We have also noted that the CA certificates are stored in the form /etc/ssl/certs/hznext-rootca-DATE_XXXXX.pem

PS: The TomCat server keystore is located in /opt/vmware/horizon/workspace/conf/tcserver.keystore and the password of this keystore is stored encrypted in /usr/local/horizon/conf/runtime-config.properties. Do you think we also have to modify this keystore? (The password is encrypted, so I do not know it and cannot open the keystore to check its contents.) In the first versions of vIDM, when it was called Horizon Application Manager, the password of this keystore was "changeme". For reference, check this link: https://docplayer.net/20619167-Activating-https-using-wildcard-certificate-in-horizon-application-ma...

Has anyone successfully removed a CA certificate from the vIDM certificate store?

Any help/idea would be appreciated.

Thank you in advance for your answer.

Regards,

WA

2 Replies
WorkAnywhere
Contributor

Greetings all again,

We have found a way to delete a certificate from the CA store by debugging the VMware scripts in the folder /usr/local/horizon/scripts

When we take a closer look at the script "manageCaCerts.inc" we can find the following function:

uninstall_ca(){
    local ALIAS=$1
    local FILE_ALIAS=$2
    local STOREPASS=$3
    local KEYSTORE=$4
    local FILE_EXTENSION=$5

    # have to delete the old entry if it is already there.
    $JRE_KEYTOOL -delete -keystore $KEYSTORE -alias $ALIAS -storepass $STOREPASS > /dev/null 2>&1

    # it also needs to be removed from here, this is a public directory of known root ca's
    rm -f /etc/ssl/certs/$FILE_ALIAS.$FILE_EXTENSION
    c_rehash > /dev/null

    return $?
}

This can be translated to the following CLI commands:

# keytool -delete -keystore /usr/local/horizon/conf/idm-cacerts -alias "CERTALIAS" -storepass "PASSWORD"

Where:

CERTALIAS: alias of the certificate to be deleted, e.g. hznext-rootca-XXXXXXXX_YYYYYY

PASSWORD is stored in the file /usr/local/horizon/conf/cakeystore.pass

Then we need to delete the corresponding certificate from the directory of the trusted certs:

# rm -f /etc/ssl/certs/hznext-rootca-XXXXXXXX_YYYYYY.pem

Then restart the horizon-workspace service:

# service horizon-workspace restart

We have done all this because in a lab environment we are using Let's Encrypt certificates as our public certificate.

After the change of the certificate chain of the Let's Encrypt PKI, we had to remove the old expired CA (DST Root CA X3, expired on 30/09/2021) from our store and then import the renewed public certificate (with the new chain) into our WS1 Access.

Reference: https://community.letsencrypt.org/t/openssl-client-compatibility-changes-for-let-s-encrypt-certifica...

Unfortunately, even after the deletion of the expired root CA certificate and the import of the new root and intermediate certificates, WS1 Access sees our renewed certificate chain as incomplete and does not let us import the public certificate...

PS: We have updated our appliance to the latest version, 21.08, on which the OpenSSL version is: OpenSSL 1.0.2y-fips 16 Feb 2021

Has anyone already run into this problem?

Do you have any idea how to resolve this issue?

Thank you in advance for your ideas / answers.

Regards,

WA


JH1801
Contributor

Hey @WorkAnywhere

All your steps are correct, you're just missing step #4:

1. Grab the password at /usr/local/horizon/conf/cakeystore.pass

2. Validate the alias via

keytool -list -v -keystore /usr/local/horizon/conf/idm-cacerts | grep "hzn" -i

3. Remove the old one via

keytool -delete -keystore /usr/local/horizon/conf/idm-cacerts -alias <certalias> -storepass <password>

4. Re-run the OpenSSL re-hash

c_rehash

5. Console should be working and old one removed.

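The five steps from this thread (read the store password, confirm the alias, keytool -delete, remove the PEM copy, c_rehash, restart) collected into one POSIX sh script, as an added example that is not VMware's manageCaCerts.inc and not code from either poster. It assumes the PEM file in /etc/ssl/certs is named after the keystore alias with a .pem extension, as the thread's examples suggest, and makes the tool names and paths overridable so the logic can be exercised off-appliance with DRY_RUN=1.

```shell
#!/bin/sh
# Remove a trusted CA entry from the Workspace ONE Access CA store.
# Paths are the ones quoted in the thread; KEYTOOL, REHASH and DRY_RUN
# are overridable (assumption) so the script can be tested without an appliance.
: "${KEYSTORE:=/usr/local/horizon/conf/idm-cacerts}"
: "${PASS_FILE:=/usr/local/horizon/conf/cakeystore.pass}"
: "${CERT_DIR:=/etc/ssl/certs}"
: "${KEYTOOL:=keytool}"
: "${REHASH:=c_rehash}"
: "${DRY_RUN:=0}"

# Execute a command, or only print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf 'DRY: %s\n' "$*"; else "$@"; fi
}

# Step 1: the CA store password is a plain file on the appliance.
store_pass() { tr -d '\r\n' < "$PASS_FILE"; }

# Step 2: refuse to touch anything unless the alias really is in the store.
alias_exists() {
  "$KEYTOOL" -list -keystore "$KEYSTORE" -storepass "$(store_pass)" \
    -alias "$1" >/dev/null 2>&1
}

# Steps 3-5: delete the keystore entry, drop the public PEM copy (assumed to be
# <alias>.pem), rebuild the OpenSSL hash links, then restart the service.
remove_ca() {
  ca_alias="$1"
  if ! alias_exists "$ca_alias"; then
    printf 'alias %s not found in %s\n' "$ca_alias" "$KEYSTORE" >&2
    return 1
  fi
  run "$KEYTOOL" -delete -keystore "$KEYSTORE" -alias "$ca_alias" \
    -storepass "$(store_pass)"
  run rm -f "$CERT_DIR/$ca_alias.pem"
  run "$REHASH"
  run service horizon-workspace restart
}

# Usage on the appliance: ./remove_ca.sh hznext-rootca-XXXXXXXX_YYYYYY
if [ -n "${1:-}" ]; then remove_ca "$1"; fi
```

Run it with DRY_RUN=1 first to see the exact commands it would issue for the alias you picked in step 2.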