Scenarios for Setting Up SSL Certificates

1. Obtaining SSL Certificates from a Certificate Authority

VMware strongly recommends that you configure SSL certificates that are signed by a valid Certificate Authority (CA) for use by View Connection Server instances, security servers, and View Composer instances.

Default SSL certificates are generated when you install View Connection Server, security server, or View Composer instances. Although you can use the default, self-signed certificates for testing purposes, replace them as soon as possible. The default certificates are not signed by a CA. Use of certificates that are not signed by a CA can allow untrusted parties to intercept traffic by masquerading as your server.

In a View environment, you should also replace the default certificate that is installed with vCenter Server with a certificate that is signed by a CA. You can use openssl to perform this task for vCenter Server. For details, see "Replacing vCenter Server Certificates" on the VMware Technical Papers site at http://www.vmware.com/resources/techresources/.

This chapter includes the following topics:

- “Determining If This Scenario Applies to You”
- “Selecting the Correct Certificate Type”
- “Generating a Certificate Signing Request and Obtaining a Certificate with Microsoft Certreq”

Determining If This Scenario Applies to You

In View 5.1 and later, you configure certificates for View by importing the certificates into the Windows local computer certificate store on the View server host.

Before you can import a certificate, you must generate a Certificate Signing Request (CSR) and obtain a valid, signed certificate from a CA. If the CSR is not generated according to the example procedure described in this scenario, the resulting certificate and its private key must be available in a PKCS#12 (formerly called PFX) format file.

There are many ways to obtain SSL certificates from a CA. This scenario shows how to use the Microsoft certreq utility to generate a CSR and make a certificate available to a View server. You can use another method if you are familiar with the required tools, and they are installed on your server.

Use this scenario to solve the following problems:

- You do not have SSL certificates that are signed by a CA, and you do not know how to obtain them
- You have valid, signed SSL certificates, but they are not in PKCS#12 (PFX) format
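
To see whether a View server host still relies on a default self-signed certificate, or holds a certificate without its private key, you can audit the Windows local computer certificate store. The following PowerShell check is an added example, not part of the VMware guide; it assumes PowerShell 3.0 or later, and the function name Test-ServerCertificate is hypothetical.

```powershell
# Added example (not VMware's code): report, for each certificate in the
# local computer "Personal" store, the properties that decide whether it
# is suitable as a server certificate.
function Test-ServerCertificate {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
        $eku = $Certificate.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        # A certificate with no EKU extension is not restricted to any usage.
        $ekuOids = @($eku | ForEach-Object { $_.EnhancedKeyUsages } |
                     ForEach-Object { $_.Value })
        $serverAuth = (-not $eku) -or ($ekuOids -contains $serverAuthOid)

        # Build the chain against the Windows trusted root stores. Revocation
        # lookups are skipped so the check also runs on isolated hosts.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $trusted = $chain.Build($Certificate)
        $status = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

        [pscustomobject]@{
            Subject       = $Certificate.Subject
            Thumbprint    = $Certificate.Thumbprint
            # Subject equal to Issuer is a heuristic for a self-signed certificate.
            SelfSigned    = ($Certificate.Subject -eq $Certificate.Issuer)
            ChainTrusted  = $trusted
            HasPrivateKey = $Certificate.HasPrivateKey
            ServerAuth    = $serverAuth
            Expired       = ($Certificate.NotAfter -lt (Get-Date))
            ChainStatus   = $status
        }
    }
}

# Certificates that need attention: self-signed, untrusted chain,
# missing private key, wrong usage, or expired.
Get-ChildItem Cert:\LocalMachine\My | Test-ServerCertificate |
    Where-Object { $_.SelfSigned -or -not $_.ChainTrusted -or
                   -not $_.HasPrivateKey -or -not $_.ServerAuth -or $_.Expired } |
    Format-List
```

A certificate reported with HasPrivateKey set to False cannot be used by the server and must be re-imported from a PKCS#12 (PFX) file that contains the key.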
VMware, Inc.