Scenarios for Setting Up SSL Certificates

Convert a Certificate File to PKCS#12 Format
If you obtained a certificate and its private key in PEM or another format, you must convert it to PKCS#12
(PFX) format before you can import the certificate into a Windows certificate store on a View server.
PKCS#12 (PFX) format is required if you use the Certificate Import wizard in the Windows certificate store.
You might obtain certificate files in one of these ways:
- You obtain a certificate keystore file from a CA.
- You download a certificate and its private key from an intermediate server that is set up in your View
  deployment.
- Your organization provides you with certificate files.
Certificate files come in various formats. For example, PEM format is often used in a Linux environment.
Your files might have a certificate file, key file, and CSR file with the following extensions:
server.crt
server.csr
server.key
The CRT file contains the SSL certificate that was returned by the CA. The CSR file is the original certificate
signing request file and is not needed. The KEY file contains the private key.

Prerequisites
- Verify that OpenSSL is installed on the system. You can download OpenSSL from
  http://www.openssl.org.
- Verify that the root certificate of the SSL certificate that was returned by the CA is also available on the
  system.

Procedure
1 Copy the CRT and KEY files to the OpenSSL installation directory.
For example: cd c:\OpenSSL-Win32\bin
2 Open a Windows command prompt and, if necessary, navigate to the OpenSSL installation directory.
3 Generate a PKCS#12 (PFX) keystore file from the certificate file and your private key.
For example: openssl pkcs12 -export -out server.p12 -inkey server.key -in server.crt -certfile CACert.crt
In this example, CACert.crt is the name of the root certificate that was returned by the certificate
authority.
The Windows certificate store also accepts a keystore that is generated with a PFX extension. For
example: -out server.pfx
4 Type an export password to protect the PKCS#12 (PFX) file.
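
The conversion in steps 3 and 4 with checks before and after it, as an added PowerShell example that is not part of the original guide. It assumes PowerShell is open in the OpenSSL directory from step 1, that the files use the example names shown above, and that the OpenSSL build is 1.0.0 or later.

```powershell
# Added example, not from the original guide. Assumes PowerShell is open in the
# OpenSSL directory from step 1 and that server.crt, server.key and CACert.crt
# (the page's example file names) are there. "openssl pkey" needs OpenSSL 1.0.0+.

function Get-PublicKeyPem {
    param([string[]]$OpenSslArgs)
    # Run openssl and return the PEM public key it prints as one string.
    $out = & .\openssl.exe @OpenSslArgs
    if ($LASTEXITCODE -ne 0) { throw "openssl $($OpenSslArgs -join ' ') failed" }
    ($out -join "`n").Trim()
}

# 1. Confirm that server.key is the private key for server.crt by comparing
#    the public key in the certificate with the one derived from the key.
$certPub = Get-PublicKeyPem @('x509', '-in', 'server.crt', '-noout', '-pubkey')
$keyPub  = Get-PublicKeyPem @('pkey', '-in', 'server.key', '-pubout')
if ($certPub -ne $keyPub) { throw 'server.key does not match server.crt' }

# 2. Confirm that server.crt chains to the root in CACert.crt. If the CA issued
#    it through an intermediate, this fails unless that certificate is also
#    supplied with -untrusted.
& .\openssl.exe verify -CAfile CACert.crt server.crt
if ($LASTEXITCODE -ne 0) { throw 'server.crt does not verify against CACert.crt' }

# 3. Step 3 of the procedure. OpenSSL prompts for the export password (step 4).
& .\openssl.exe pkcs12 -export -out server.p12 -inkey server.key -in server.crt -certfile CACert.crt
if ($LASTEXITCODE -ne 0) { throw 'PKCS#12 export failed' }

# 4. List the certificates that ended up in the keystore (prompts for the
#    password again). -nokeys keeps the private key out of the output.
& .\openssl.exe pkcs12 -in server.p12 -nokeys | Select-String '^(subject|issuer)='
```

Both server.p12 and the copied server.key contain the private key, so restrict access to them and remove them from the OpenSSL directory once the certificate has been imported.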

Import a Signed Server Certificate into a Windows Certificate Store
You must import the SSL server certificate into the Windows local computer certificate store on the
Windows Server host on which the View Connection Server instance or security server service is installed.
This scenario uses a certificate file in PKCS#12 (PFX) format.
Depending on your certificate file format, the entire certificate chain that is contained in the keystore file
might be imported into the Windows local computer certificate store. For example, the server certificate,
intermediate certificate, and root certificate might be imported.
VMware, Inc.