VMware Horizon 6.1, Horizon View - 6.1 User Manual

Scenarios for Setting Up SSL Certificates for View
VMware Horizon 6
Version 6.1
This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.
You can find the most up-to-date technical documentation on the VMware Web site at:
http://www.vmware.com/support/
The VMware Web site also provides the latest product updates.
If you have comments about this documentation, submit your feedback to:
docfeedback@vmware.com
Copyright © 2015 VMware, Inc. All rights reserved. Copyright and trademark information.
VMware, Inc.
3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com

Contents

Scenarios for Setting Up SSL Connections to View
1 Obtaining SSL Certificates from a Certificate Authority
    Determining If This Scenario Applies to You
    Selecting the Correct Certificate Type
    Generating a Certificate Signing Request and Obtaining a Certificate with Microsoft Certreq
2 Off-loading SSL Connections to Intermediate Servers
    Import SSL Off-loading Servers' Certificates to View Servers
    Set View Server External URLs to Point Clients to SSL Off-loading Servers
    Allow HTTP Connections From Intermediate Servers
Index

Scenarios for Setting Up SSL Connections to View

Scenarios for Setting Up SSL Connections to View provides examples of setting up SSL certificates for use by View servers. The first scenario shows you how to obtain signed SSL certificates from a Certificate Authority and ensure that the certificates are in a format that can be used by View servers. The second scenario shows you how to configure View servers to off-load SSL connections to an intermediate server.
Intended Audience
This information is intended for anyone who wants to install View and needs to obtain SSL certificates that are used by View servers, or for anyone who uses intermediate servers to off-load SSL connections to View. The information is written for experienced Windows or Linux system administrators who are familiar with virtual machine technology and datacenter operations.
Obtaining SSL Certificates from a Certificate Authority

VMware strongly recommends that you configure SSL certificates that are signed by a valid Certificate Authority (CA) for use by View Connection Server instances, security servers, and View Composer instances.
Default SSL certificates are generated when you install View Connection Server, security server, or View Composer instances. Although you can use the default, self-signed certificates for testing purposes, replace them as soon as possible. The default certificates are not signed by a CA. Use of certificates that are not signed by a CA can allow untrusted parties to intercept traffic by masquerading as your server.
In a View environment, you should also replace the default certificate that is installed with vCenter Server with a certificate that is signed by a CA. You can use openssl to perform this task for vCenter Server. For details, see "Replacing vCenter Server Certificates" on the VMware Technical Papers site at http://www.vmware.com/resources/techresources/.
This chapter includes the following topics:
- “Determining If This Scenario Applies to You”
- “Selecting the Correct Certificate Type”
- “Generating a Certificate Signing Request and Obtaining a Certificate with Microsoft Certreq”

Determining If This Scenario Applies to You

In View 5.1 and later, you configure certificates for View by importing the certificates into the Windows local computer certificate store on the View server host.
Before you can import a certificate, you must generate a Certificate Signing Request (CSR) and obtain a valid, signed certificate from a CA. If the CSR is not generated according to the example procedure described in this scenario, the resulting certificate and its private key must be available in a PKCS#12 (formerly called PFX) format file.
There are many ways to obtain SSL certificates from a CA. This scenario shows how to use the Microsoft certreq utility to generate a CSR and make a certificate available to a View server. You can use another method if you are familiar with the required tools, and they are installed on your server.
Use this scenario to solve the following problems:
- You do not have SSL certificates that are signed by a CA, and you do not know how to obtain them
- You have valid, signed SSL certificates, but they are not in PKCS#12 (PFX) format
If your organization provides you with SSL certificates that are signed by a CA, you can use these certificates. Your organization can use a valid internal CA or a third-party, commercial CA. If your certificates are not in PKCS#12 format, you must convert them. See “Convert a Certificate File to PKCS#12 Format,” on page 18.
When you have a signed certificate in the proper format, you can import it into the Windows certificate store and configure a View server to use it. See “Set Up an Imported Certificate for a View Server,” on page 13.

Selecting the Correct Certificate Type

You can use various types of SSL certificates with View. Selecting the correct certificate type for your deployment is critical. Different certificate types vary in cost, depending on the number of servers on which they can be used.
Follow VMware security recommendations by using fully qualified domain names (FQDNs) for your certificates, no matter which type you select. Do not use a simple server name or IP address, even for communications within your internal domain.
Single Server Name Certificate
You can generate a certificate with a subject name for a specific server. For example: dept.company.com.
This type of certificate is useful if, for example, only one View Connection Server instance needs a certificate.
When you submit a certificate signing request to a CA, you provide the server name that will be associated with the certificate. Be sure that the View server can resolve the server name you provide so that it matches the name associated with the certificate.
Subject Alternative Names
A Subject Alternative Name (SAN) is an attribute that can be added to a certificate when it is being issued. You use this attribute to add subject names (URLs) to a certificate so that it can validate more than one server.
For example, a certificate might be issued for a server with the host name dept.company.com. You intend the certificate to be used by external users connecting to View through a security server. Before the certificate is issued, you can add the SAN dept-int.company.com to the certificate to allow the certificate to be used on View Connection Server instances or security servers behind a load balancer when tunneling is enabled.
Wildcard Certificate
A wildcard certificate is generated so that it can be used for multiple services. For example: *.company.com.
A wildcard is useful if many servers need a certificate. If other applications in your environment in addition to View need SSL certificates, you can use a wildcard certificate for those servers, too. However, if you use a wildcard certificate that is shared with other services, the security of the VMware Horizon product also depends on the security of those other services.
NOTE You can use a wildcard certificate only on a single level of domain. For example, a wildcard certificate with the subject name *.company.com can be used for the subdomain dept.company.com but not dept.it.company.com.
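
The following added example (not part of the VMware manual) applies the naming rules from this section to a planned certificate before a CSR is submitted: exact subject name, SAN entries, the single-level wildcard rule, and the FQDN-only recommendation. The function names are hypothetical, the sample inventory is constructed from the names used in the text plus a simple name and an IP address, and requiring two labels after the wildcard is an assumption of this sketch.

```python
import ipaddress

def is_fqdn(name):
    """True for a dotted DNS name; False for IP addresses and simple server names."""
    try:
        ipaddress.ip_address(name)
        return False                      # IP address, not a name
    except ValueError:
        pass
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(labels)

def name_matches(cert_name, host):
    """Compare one certificate name (subject or SAN) with a server FQDN.

    A wildcard is accepted only as the whole left-most label and stands for
    exactly one label, so *.company.com never reaches dept.it.company.com.
    """
    c = cert_name.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(c) != len(h):
        return False
    if c[0] == "*":
        # Assumption of this sketch: require at least two labels after "*".
        return len(c) >= 3 and c[1:] == h[1:]
    return c == h

def coverage(cert_names, servers):
    """Map each server to the certificate name that covers it, or to the reason none does."""
    report = {}
    for host in servers:
        if not is_fqdn(host):
            report[host] = "not an FQDN"
            continue
        hit = next((n for n in cert_names if name_matches(n, host)), None)
        report[host] = hit or "no matching name"
    return report

# Constructed inventory: the names used in the text plus a simple name and an IP address.
SERVERS = ["dept.company.com", "dept-int.company.com", "dept.it.company.com", "dept", "10.0.0.5"]
SAN_CERT = ["dept.company.com", "dept-int.company.com"]   # single name plus one SAN
WILDCARD_CERT = ["*.company.com"]

if __name__ == "__main__":
    for label, names in (("SAN", SAN_CERT), ("wildcard", WILDCARD_CERT)):
        for host, result in coverage(names, SERVERS).items():
            print(f"{label:9} {host:22} -> {result}")
```

Any server reported as "no matching name" needs its own SAN entry or a separate certificate; any server reported as "not an FQDN" should be addressed by its fully qualified name instead.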