As many noticed, it’s not that easy to satisfy View 5.1, specially when it comes around to the Security Server. There are plenty of blogs, which explain how it’s done for the View Connection Server or any server which has joined an Active Directory domain. This is also covered in the View 5.1 Installation Guide.
Hence this blog entry is concentrating specifically on the View Security Server, which is usually NOT joined to an Active Directory and hence there are no Certificate Enrollment Policies, which do the magic for us and configure everything correctly for our certificate request. Here is the cookbook for a custom certificate request on a standalone Windows 2008 R2 server.
For those who can’t be bothered with circumstancial step-by-step screenshots here’s a summary of the most important points, which I did wrong the first few attempts:
- * Use “Legacy Key” when selecting the certificate request template
- * Add the common name (FQDN) to the Subject Alternate Name (DNS field)
- * Mark the private key as exportable (this I actually got from the installation guide and is mentioned far and wide, but I repeat it here, because it gets missed many times)
- * For those who still have troubles, the CRL URL is probably not working and CRL checking needs to be disabled
But now, for everyone else, the deep dive:
First open the Certificate Management Snap-in, so go to “Run…” type “mmc.exe” and then add the “Certificates” snap-in, point it to the local Computer account. This is the easy part.
Browse to Personal -> Certificates, right-click in the right hand space and choose All Tasks -> Advanced Operations -> Create Custom Request…
That’s it! Click next and finish the wizard, by saving your request (format doesn’t matter). Feed it to your Certifcation Authority (CA) of choice, install intermediate and root certificates as needed (if you didn’t already) and (re)start your View services.
When you browse to the FQDN of your View Security Server, you should see that IE does not complain about the certificate anymore.
As I mentioned at the beginning, there will be certainly trouble accessing the Certificate Revocation List (CRL) if the certificate is issued in a AD CA, specially by a View Security Server, which resides normally in the DMZ, so you might have to disable CRL checking as per VMware KB article.