VMware Certificates

Author: Jackson Chen

UAG Certificates

  1. Create the VMware UAG certificate template in the issuing CA
  2. Create the UAG certificate request configuration file
# File Name:    uag.cfg
# Note:
# subjectAltName includes:
# 1. all internal VMware Horizon Connection Server FQDNs and NetBIOS names
# 2. the F5 load-balancing VIP name for the internal Horizon Connection Servers
# 3. the UAG external access URL FQDN and IP address
# Every entry must carry a type prefix (DNS: for names, IP: for addresses); openssl req rejects a bare name or address.
#

[ req ]
default_bits        = 2048
default_keyfile     = uag.key
distinguished_name  = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:access.test.lab,DNS:access,DNS:horizon1.test.lab,DNS:horizon1,DNS:internal-f5-horizon.test.lab,DNS:internal-f5-horizon,IP:1.2.3.4

[ req_distinguished_name ]
countryName         = AU
stateOrProvinceName     = ACT
localityName            = Canberra
0.organizationName      = Test Lab
organizationalUnitName      = VMware
commonName          = access.test.lab
emailAddress            = admin@test.lab
  3. Download OpenSSL-64Win https://www.openssl.org/source/
  4. Generate the SSL request file and key file
#
# The uag.key file is already in Base64 (PEM) format. Because uag.cfg sets encrypt_key = no,
# the key is written unencrypted, so restrict access to the file. Its syntax is:
#
#       -----BEGIN PRIVATE KEY-----
#       -----END PRIVATE KEY-----
#
openssl req -new -config uag.cfg -keyout uag.key -out uag.csr
  5. Sign the certificate. To have the Windows issuing CA sign the CSR, run:
certreq -submit -attrib "CertificateTemplate:VmwareCertificateTemplateName" uag.csr uag.cer
  6. Create the UAG certificate chain PEM file
#
# Obtain the Root CA and Issuing CA .cer files, then combine all the certificates into one single PEM file.
# Every input must be Base64 (PEM) encoded, i.e. start with -----BEGIN CERTIFICATE-----.
# If a .cer file is binary (DER), convert it first, for example:
#     openssl x509 -inform der -in rootca.cer -out rootca.cer
#
# Option 1 - Only include UAG, Issuing CA, and Root CA certificate
#
# Order of certificates (server certificate first, then the CA that issued it, then the root)
#         -----BEGIN CERTIFICATE-----
#               <Server SSL certificate>
#         -----END CERTIFICATE-----
#         -----BEGIN CERTIFICATE-----
#               <Issuing CA SSL certificate>
#         -----END CERTIFICATE-----
#         -----BEGIN CERTIFICATE-----
#               <Root CA SSL certificate>
#         -----END CERTIFICATE-----
#

# Windows equivalent to Linux "cat" is "type"
# Run the command in Command Prompt. In Windows PowerShell 5.1 the > redirect writes UTF-16,
# which produces a PEM file other tools cannot read; there, use Out-File -Encoding ascii instead.
type uag.cer issuingca.cer rootca.cer > uag_full.pem


#
# Option 2 - Also include the private key file
#
# Windows "type" is equivalent to Linux "cat" to concatenate files into one single file
#
# type uag.key uag.cer issuingca.cer rootca.cer > uag_key_full.pem
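To check the bundle the type commands above produce, and to build one when a .cer file turns out to be DER rather than Base64, here is an added Python example; it is not part of the original post and uses only the standard library. The certificate bytes in it are constructed placeholders standing in for the server, issuing CA and root CA certificates; the three-certificate ordering and the "no private key in pemCerts" rule are the ones stated in the comments above.

```python
"""Assemble and check the PEM bundle that the UAG pemCerts setting expects.

Added example, not part of the original post. It uses only the Python
standard library. The certificate bytes below are constructed placeholders
(a minimal DER SEQUENCE each), not real certificates; the functions operate
the same way on real .cer and .pem files read in binary mode.
"""
import base64
import re
from typing import List

_PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def to_pem(data: bytes, label: str = "CERTIFICATE") -> str:
    """Return PEM text for a file that is either PEM already or raw DER.

    A Windows CA can hand out .cer files in either encoding, and "type" or
    "cat" only produces a usable bundle when every input is Base64 (PEM).
    """
    if data.lstrip().startswith(b"-----BEGIN"):
        return data.decode("ascii").strip() + "\n"
    if not data.startswith(b"\x30"):  # DER certificates start with SEQUENCE (0x30)
        raise ValueError("input is neither PEM nor DER")
    b64 = base64.b64encode(data).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def assemble_chain(server: bytes, issuing: bytes, root: bytes) -> str:
    """Concatenate in the order TLS requires: server certificate first, then
    the issuing CA, then the root."""
    return to_pem(server) + to_pem(issuing) + to_pem(root)


def check_bundle(pem_text: str, expect_certs: int) -> List[str]:
    """Return the problems found in a pemCerts bundle: a private key that
    must not be there, foreign block types, bad Base64, or a wrong count."""
    problems = []
    certs = 0
    for label, body in _PEM_BLOCK.findall(pem_text):
        if "PRIVATE KEY" in label:
            problems.append("bundle contains a private key; pemCerts must hold certificates only")
            continue
        if label != "CERTIFICATE":
            problems.append(f"unexpected block type '{label}'")
            continue
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append("certificate block is not valid Base64")
            continue
        if not der.startswith(b"\x30"):
            problems.append("certificate block does not decode to DER")
            continue
        certs += 1
    if certs != expect_certs:
        problems.append(f"expected {expect_certs} certificates, found {certs}")
    return problems


# Constructed placeholder inputs: a minimal DER SEQUENCE standing in for each
# certificate, and a key block in the format uag.key uses.
FAKE_SERVER = b"\x30\x03\x02\x01\x01"
FAKE_ISSUING = b"\x30\x03\x02\x01\x02"
FAKE_ROOT = b"\x30\x03\x02\x01\x03"
FAKE_KEY = "-----BEGIN PRIVATE KEY-----\nMAMCAQE=\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    bundle = assemble_chain(FAKE_SERVER, FAKE_ISSUING, FAKE_ROOT)
    print(bundle)
    print("uag_full.pem problems:    ", check_bundle(bundle, 3))
    print("uag_key_full.pem problems:", check_bundle(FAKE_KEY + bundle, 3))
```

On a real deployment, read uag.cer, issuingca.cer and rootca.cer with open(..., "rb"), pass them to assemble_chain, and run check_bundle on the result with expect_certs=3 before pointing pemCerts at the file; the private-key check is what catches an Option 2 bundle being used where an Option 1 bundle was expected.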

  7. Create the RSA private key PEM file. When installing UAG with the ovftool PowerShell script, the input file requires the private key as an RSA PEM file (privatekeyrsa.pem), so convert the key:
# Writes the key in PEM form only; the -text option would also dump the key components in clear text
# With OpenSSL 3.x, add -traditional if a -----BEGIN RSA PRIVATE KEY----- header is required
openssl rsa -in uag.key -out privatekey.pem
  8. Update the UAG ovftool PowerShell input file
#
# xxx.ini file PEM section
#

# pemCerts refers to a PEM format file containing the SSL server certificate to be deployed.
# The file should also contain any required intermediate CA and root CA certificates.
# Note: Do NOT include the private key
pemCerts=D:\script\UAG2009\uag_full.pem

# pemPrivKey refers to a file containing the RSA PRIVATE KEY for the SSL server certificate in the above certificate file.
pemPrivKey=D:\script\UAG2009\uagrsakey.pem
  9. Import the root CA, issuing CA and UAG certificates into the external F5 load balancers

The internal Horizon Connection Servers are load balanced by the internal F5 appliances. We could use the same UAG certificate for them, or generate a separate Horizon Connection Server certificate that excludes the external UAG DNS entries.

vROPS Certificates

  1. Certificate request file
#
# File name:  vrops.cfg
# 

[ req ]
default_bits        = 2048
default_keyfile     = vrops.key
distinguished_name  = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vrops1,DNS:vrop2,DNS:vrops1.test.lab,DNS:vrop2.test.lab

[ req_distinguished_name ]
countryName         = AU
stateOrProvinceName     = ACT
localityName            = Canberra
0.organizationName      = Test Lab
organizationalUnitName      = VMware
commonName          = VROPS.test.lab
emailAddress            = admin@test.lab
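The subjectAltName line is the part of these request files that most often goes wrong: an entry without a DNS: or IP: prefix is rejected by openssl req, and a commonName that is not repeated in the SAN is ignored by modern clients once a SAN extension is present (the vrops.cfg above lists vrops1 and vrop2 names but not VROPS.test.lab). The following Python script, an added example that is not part of the original post, builds a correctly typed SAN line from bare names and checks an existing one; it uses only the standard library, and its two sample lines are constructed to mirror the uag.cfg and vrops.cfg entries, with the UAG sample deliberately carrying two untyped entries (internal-f5-horizon and 1.2.3.4).

```python
"""Build and sanity-check an OpenSSL subjectAltName line.

Added example, not part of the original post. It uses only the Python
standard library. The two sample SAN lines are constructed to mirror the
uag.cfg and vrops.cfg entries, including two untyped entries in the UAG
line (internal-f5-horizon and 1.2.3.4).
"""
import ipaddress
import re
from typing import List

# One DNS label: letters, digits and hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
_KNOWN_TYPES = ("DNS", "IP", "email", "URI")


def is_ip(value: str) -> bool:
    """True for a syntactically valid IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def is_hostname(value: str) -> bool:
    """True for a plain or wildcard host name made of valid DNS labels."""
    if value.startswith("*."):
        value = value[2:]
    return value != "" and all(_LABEL.match(label) for label in value.split("."))


def san_entry(name: str) -> str:
    """Give one bare name the right SAN type prefix (DNS: or IP:)."""
    if ":" in name and name.split(":", 1)[0] in _KNOWN_TYPES:
        return name  # already typed, keep as written
    return f"IP:{name}" if is_ip(name) else f"DNS:{name}"


def build_san(names) -> str:
    """Render a subjectAltName line from bare host names and addresses."""
    return "subjectAltName = " + ",".join(san_entry(n.strip()) for n in names)


def check_san(line: str, common_name: str) -> List[str]:
    """Return the problems found in an existing subjectAltName line.

    Checks that every entry carries a type prefix, that DNS values are valid
    host names, that IP values parse, and that the commonName is also listed
    as a DNS entry (clients ignore the CN once a SAN extension is present).
    """
    problems = []
    dns_names = set()
    _, _, value = line.partition("=")
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            problems.append("empty entry (double or trailing comma)")
            continue
        kind, sep, val = entry.partition(":")
        if not sep or kind not in _KNOWN_TYPES:
            hint = "IP:" if is_ip(entry) else "DNS:"
            problems.append(f"'{entry}' has no type prefix; use '{hint}{entry}'")
        elif kind == "DNS" and is_ip(val):
            problems.append(f"'{entry}' is an address typed as DNS; use 'IP:{val}'")
        elif kind == "DNS" and not is_hostname(val):
            problems.append(f"'{entry}' is not a valid host name")
        elif kind == "DNS":
            dns_names.add(val.lower())
        elif kind == "IP" and not is_ip(val):
            problems.append(f"'{entry}' is not a valid IP address")
    if common_name.lower() not in dns_names:
        problems.append(f"commonName '{common_name}' is missing from the DNS SAN entries")
    return problems


# Constructed sample input mirroring the two configuration files.
UAG_SAN = ("subjectAltName = DNS:access.test.lab,DNS:access,DNS:horizon1.test.lab,"
           "DNS:horizon1,DNS:internal-f5-horizon.test.lab,internal-f5-horizon,1.2.3.4")
VROPS_SAN = "subjectAltName = DNS:vrops1,DNS:vrop2,DNS:vrops1.test.lab,DNS:vrop2.test.lab"

if __name__ == "__main__":
    for problem in check_san(UAG_SAN, "access.test.lab"):
        print("uag.cfg:  ", problem)
    for problem in check_san(VROPS_SAN, "VROPS.test.lab"):
        print("vrops.cfg:", problem)
    print(build_san(["access.test.lab", "access", "internal-f5-horizon", "1.2.3.4"]))
```

Run it before openssl req: paste the subjectAltName line and the commonName from the .cfg file in, and an empty result means the request will carry every name a client might connect with.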
  2. Generate the certificate request (CSR) file
openssl req -new -config vrops.cfg -keyout vrops.key -out vrops.csr
  3. Sign the certificate. To have the Windows issuing CA sign the CSR, run:
certreq -submit -attrib "CertificateTemplate:VmwareCertificateTemplateName" vrops.csr vrops.cer

Horizon Connection Server Certificates

App Volumes Certificate