Scenarios for Setting Up SSL Certificates

If your organization provides you with SSL certificates that are signed by a CA, you can use these
certificates. Your organization can use a valid internal CA or a third-party, commercial CA. If your
certificates are not in PKCS#12 format, you must convert them. See “Convert a Certificate File to PKCS#12
Format,” on page 18.
When you have a signed certificate in the proper format, you can import it into the Windows certificate
store and configure a View server to use it. See “Set Up an Imported Certificate for a View Server,” on
page 13.

Selecting the Correct Certificate Type

You can use various types of SSL certificates with View. Selecting the correct certificate type for your
deployment is critical. Different certificate types vary in cost, depending on the number of servers on which
they can be used.
Follow VMware security recommendations by using fully qualified domain names (FQDNs) for your
certificates, no matter which type you select. Do not use a simple server name or IP address, even for
communications within your internal domain.

Single Server Name Certificate

You can generate a certificate with a subject name for a specific server. For example: dept.company.com.
This type of certificate is useful if, for example, only one View Connection Server instance needs a certificate.
When you submit a certificate signing request to a CA, you provide the server name that will be associated
with the certificate. Be sure that the View server can resolve the server name you provide so that it matches
the name associated with the certificate.

Subject Alternative Names

A Subject Alternative Name (SAN) is an attribute that can be added to a certificate when it is being issued.
You use this attribute to add subject names (URLs) to a certificate so that it can validate more than one
server.
For example, a certificate might be issued for a server with the host name dept.company.com. You intend the
certificate to be used by external users connecting to View through a security server. Before the certificate is
issued, you can add the SAN dept-int.company.com to the certificate to allow the certificate to be used on
View Connection Server instances or security servers behind a load balancer when tunneling is enabled.

Wildcard Certificate

A wildcard certificate is generated so that it can be used for multiple services. For example: *.company.com.
A wildcard is useful if many servers need a certificate. If other applications in your environment in addition
to View need SSL certificates, you can use a wildcard certificate for those servers, too. However, if you use a
wildcard certificate that is shared with other services, the security of the VMware Horizon product also
depends on the security of those other services.
NOTE You can use a wildcard certificate only on a single level of domain. For example, a wildcard
certificate with the subject name *.company.com can be used for the subdomain dept.company.com but not
dept.it.company.com.
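
The following pre-deployment check is an added example, not VMware code. It tests whether the names on a planned certificate (single name, SANs, or a single-level wildcard) cover the hosts that will present it, and flags names that are not FQDNs. The function names are hypothetical, and `viewserver` and `10.0.0.5` are constructed sample values.

```python
import ipaddress

def is_fqdn(name):
    """True for a dotted DNS name; False for a bare host name or an IP address."""
    try:
        ipaddress.ip_address(name)
        return False
    except ValueError:
        pass
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(labels)

def name_matches(cert_name, host):
    """Compare one certificate name with a host name, label by label.

    A '*' is honoured only as the whole leftmost label, so it stands for
    exactly one label and never spans a dot (the single-level rule above).
    """
    c = cert_name.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(c) != len(h) or not all(h):
        return False
    if c[0] == "*":
        return len(c) >= 3 and c[1:] == h[1:]
    return c == h

def audit(cert_names, hosts):
    """Return (covered, uncovered, non_fqdn) for the hosts a certificate must serve."""
    covered = [h for h in hosts if any(name_matches(n, h) for n in cert_names)]
    uncovered = [h for h in hosts if h not in covered]
    # Strip a leading wildcard label before judging whether the name is an FQDN.
    non_fqdn = [n for n in cert_names if not is_fqdn(n.replace("*.", "", 1))]
    return covered, uncovered, non_fqdn

if __name__ == "__main__":
    # Host names from the text above, plus two constructed non-FQDN names.
    print(audit(["*.company.com"], ["dept.company.com", "dept.it.company.com"]))
    print(audit(["dept.company.com", "dept-int.company.com"], ["dept-int.company.com"]))
    print(audit(["viewserver", "10.0.0.5"], ["viewserver"]))
```

An entry in the `uncovered` list means clients connecting to that host name would see a name mismatch; an entry in `non_fqdn` means the certificate departs from the FQDN recommendation above.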