What the Cert, Signing and Securing Horizon Connection Server
So who likes certs? What, no hands? Well, I am not surprised, but they are essential to keep us safe. This will be a series of posts based on the Horizon 7.x stack. I plan on taking you through the certificate request (CSR) to deployment on the Horizon Connection Servers, and then on to UAG, App Volumes and so on.
I won't try to explain how certs work as there are many blogs on this topic, but check this one if you need a refresher: SSL Certificates Explained
Tools
First, let's start with the tools I have been using for a number of years: OpenSSL and Notepad++. Download and install both, then create a folder structure like the example below, with a CSR subfolder for the request and key and an hzcs subfolder for the Connection Server PFX, which is what the commands later in this post expect. In this example mine is C:\Certs but I normally have it on my OneDrive. Wherever it lives, this folder will hold unencrypted private keys, so keep it off shared locations and restrict who can read it.
Topology
Being a visual person I put together this Visio to help visualize the areas that this certificate is going to protect.
So, the first part is the request. A few things to think about: is this for a single device or multiple devices? Multiple domains? To keep it simple I will do one request with the Common Name vdi.demo.org and SANs for the UAGs, Connection Servers, App Volumes managers and so on. Note that the Common Name is also listed as a SAN: modern browsers ignore the CN and match the hostname against the SAN list only, so a name that is not in the SANs will not be trusted.
Create a file in the CSR folder called "horizon_csr.cfg", paste the following, edit it to reflect your naming and save it.
[ req ]
default_bits = 2048
default_keyfile = solution_name.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vdi.demo.org, DNS:uag.demo.org, DNS:uag01.demo.org, DNS:uag02.demo.org, DNS:cs01.demo.org, DNS:cs02.demo.org, DNS:avm.demo.org, DNS:avm01.demo.org, DNS:avm02.demo.org, DNS:workspace.demo.org

[ req_distinguished_name ]
countryName = US
stateOrProvinceName = NH
localityName = Salem
0.organizationName = Lab
organizationalUnitName = Eng
commonName = vdi.demo.org
Now open a command prompt and change directory to the OpenSSL\bin folder (or add it to your PATH). The command below creates the CSR and its private key and writes both to the CSR folder. Because of -nodes (and encrypt_key = no in the config) the key file is written unencrypted.
openssl req -new -nodes -out c:\certs\csr\csr.csr -keyout c:\certs\csr\csr-orig.key -config c:\certs\csr\horizon_csr.cfg
Next, rewrite the key in the traditional RSA PEM format. With OpenSSL 1.x this turns the PKCS#8 file that openssl req produces (BEGIN PRIVATE KEY) into a BEGIN RSA PRIVATE KEY file; OpenSSL 3 needs the -traditional option to do the same. It is the same key either way, still unencrypted, and both forms work for the PFX step later on.
openssl rsa -in c:\certs\csr\csr-orig.key -out c:\certs\csr\rsa.key
In the CSR folder you will now see horizon_csr.cfg, csr.csr, csr-orig.key and rsa.key. The two .key files are the private key in clear text; only csr.csr goes to the CA.
Signing of the Certificate
Now that we have generated the request we need to get it signed by a Certificate Authority (CA). For this example I am going to use a Windows Certificate Server. First, let's open the CSR and make sure it has the information we require. Open csr.csr with Notepad++; the content should look like the following. Make sure there are no spaces after the last character, then CTRL+A and copy.
Open a browser to https://decoder.link/ and paste the content in. This decodes the CSR and shows the subject and SANs you entered in horizon_csr.cfg, so check the Common Name, every SAN and the key size before submitting it. Again it should look like this. A CSR contains only public data, so pasting it into a decoder does not expose your key.
Once the CSR has been validated, head to the CA of your choice. I am using a Microsoft Certificate Server.
Open a browser, go to http://FQDN/certsrv and log in
Select Request a Certificate
Select Advanced certificate request
Select Submit a certificate request by using a base-64-encoded…….
In the Saved Request box, paste the content of csr.csr, change the Certificate Template to Web Server and click Submit
Select Base 64 encoded and then select Download certificate chain
Save certnew.p7b and open it. I see two entries:
The certificate I requested
The root CA cert, and maybe an intermediate CA (if you have one)
Next, select the vdi.demo.org cert, then right-click > All Tasks > Export
Next > Select Base-64 > Next
Save the certificate to "C:\Certs\CSR\vdi.demo.org.cer"
Select Finish to Complete the Export
Now do the same and export the CA cert from certnew.p7b, naming it root64.cer. If your CA has an intermediate, export that too and include it in the next step, because the Connection Server has to present the full chain to clients.
Copy the exported certs to C:\Certs
Now we need to prep the cert for the Connection Server by packaging the certificate, its private key and the CA chain into a single PFX (PKCS#12) file. The private key itself gets marked exportable during the Windows import later on.
Run the following OpenSSL command to build the PFX. The password is given on the command line (-passout), so it will sit in your command history; pick one you do not mind being there and change it for production use.
openssl pkcs12 -export -in C:\Certs\vdi.demo.org.cer -inkey C:\Certs\csr\rsa.key -certfile C:\Certs\root64.cer -passout pass:VMware1! -out C:\Certs\hzcs\hzcs.pfx
Once the PFX is created, open it in Windows and you will see a key in the certificate icon, indicating the private key is bundled with the certificate.
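To make the OpenSSL half of this post checkable end to end (the CSR and key steps above, and the PFX step just described), here is an added example that is not code from the original post or from VMware. It runs the same CSR, key conversion and PFX commands in a throwaway directory, stands in for the Windows Certificate Server with a self-signed lab root CA created on the spot, and then verifies what you would otherwise check by eye on decoder.link and in the certificate viewer: that the CSR carries all ten SANs, that the CSR and rsa.key belong together, that the issued cert still has the SANs, that it chains to the root being bundled, and that the PFX contains both certificates and the private key. The lab root CA, the 365-day validity, the temp directory and having openssl, grep and wc on PATH are assumptions; the hostnames, config and PFX password are the ones from the post.

```shell
#!/bin/sh
# Added example (not from the original post): the CSR -> signed cert -> PFX
# flow from the post, with a self-signed lab root CA (an assumption) standing
# in for the Windows Certificate Server, plus the checks worth running on each
# artifact before it goes anywhere near a Connection Server.
set -eu

WORK="$(mktemp -d)"    # throwaway working folder (assumption: a writable temp dir)
PFX_PASS='VMware1!'    # from the post; a command-line password shows up in history and process lists

# Same request config as horizon_csr.cfg in the post.
cat > "$WORK/horizon_csr.cfg" <<'EOF'
[ req ]
default_bits = 2048
default_keyfile = solution_name.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vdi.demo.org, DNS:uag.demo.org, DNS:uag01.demo.org, DNS:uag02.demo.org, DNS:cs01.demo.org, DNS:cs02.demo.org, DNS:avm.demo.org, DNS:avm01.demo.org, DNS:avm02.demo.org, DNS:workspace.demo.org

[ req_distinguished_name ]
countryName = US
stateOrProvinceName = NH
localityName = Salem
0.organizationName = Lab
organizationalUnitName = Eng
commonName = vdi.demo.org
EOF

# Step 1 (as in the post): key + CSR, then the key rewritten as RSA PEM.
# Both key files are unencrypted, so the directory itself needs protecting.
openssl req -new -nodes -out "$WORK/csr.csr" -keyout "$WORK/csr-orig.key" \
    -config "$WORK/horizon_csr.cfg" 2>/dev/null
openssl rsa -in "$WORK/csr-orig.key" -out "$WORK/rsa.key" 2>/dev/null

# Number of DNS SANs in a CSR ("req") or a certificate ("x509"): the check the
# post does by eye on decoder.link.
san_count() {
    openssl "$1" -in "$2" -noout -text | grep -o 'DNS:[^,]*' | wc -l | tr -d ' '
}

# The CSR must have been signed with the key we will bundle into the PFX;
# comparing the RSA modulus is the quickest proof that they belong together.
csr_matches_key() {
    [ "$(openssl req -in "$WORK/csr.csr" -noout -modulus)" = \
      "$(openssl rsa -in "$WORK/rsa.key" -noout -modulus 2>/dev/null)" ]
}

# Step 2 (stand-in for the Windows CA): a lab root signs the request. The
# extensions are pulled from the request config explicitly, because a CA that
# ignores request extensions would issue a cert with no SANs at all; that is
# why the issued cert is counted again below instead of being trusted blindly.
openssl req -x509 -new -nodes -newkey rsa:2048 -subj '/CN=Lab Root CA' \
    -config "$WORK/horizon_csr.cfg" -days 365 \
    -addext 'basicConstraints=critical,CA:TRUE' -addext 'keyUsage=keyCertSign,cRLSign' \
    -keyout "$WORK/root.key" -out "$WORK/root64.cer" 2>/dev/null
openssl x509 -req -in "$WORK/csr.csr" -CA "$WORK/root64.cer" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 365 -extfile "$WORK/horizon_csr.cfg" -extensions v3_req \
    -out "$WORK/vdi.demo.org.cer" 2>/dev/null

# Step 3 (as in the post): leaf + private key + CA chain into the PFX the server imports.
openssl pkcs12 -export -in "$WORK/vdi.demo.org.cer" -inkey "$WORK/rsa.key" \
    -certfile "$WORK/root64.cer" -passout "pass:$PFX_PASS" -out "$WORK/hzcs.pfx"

# Does the leaf actually chain to the root we are shipping alongside it?
leaf_chains_to_root() {
    openssl verify -CAfile "$WORK/root64.cer" "$WORK/vdi.demo.org.cer" >/dev/null 2>&1
}

# What is inside the PFX: number of certificates (leaf + root = 2) and
# whether the private key made it in (without it the import is useless).
pfx_cert_count() {
    openssl pkcs12 -in "$WORK/hzcs.pfx" -passin "pass:$PFX_PASS" -nodes 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}
pfx_has_key() {
    openssl pkcs12 -in "$WORK/hzcs.pfx" -passin "pass:$PFX_PASS" -nodes 2>/dev/null \
        | grep -q 'PRIVATE KEY'
}

printf 'CSR SANs: %s  issued cert SANs: %s  certs in PFX: %s\n' \
    "$(san_count req "$WORK/csr.csr")" \
    "$(san_count x509 "$WORK/vdi.demo.org.cer")" "$(pfx_cert_count)"
csr_matches_key && leaf_chains_to_root && pfx_has_key && echo "all checks passed: $WORK/hzcs.pfx"
```

With a real CA, drop the lab-root and x509 -req lines and point -in at the vdi.demo.org.cer you exported from certnew.p7b; the san_count, csr_matches_key, leaf_chains_to_root and PFX checks apply unchanged. If Windows rejects the PFX password on import, the cause is usually OpenSSL 3's newer default PKCS#12 encryption; rebuilding the PFX with the -legacy option of openssl pkcs12 produces a file older Windows versions can read.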
Import Certificate to the Connection Server
In the MMC window on the Connection Server host, expand the Certificates (Local Computer) node and select the Personal folder.
In the Actions pane, go to More Actions > All Tasks > Import.
In the Certificate Import wizard, click Next and browse to the location where the certificate is stored.
Select the certificate file and click Open. To display your certificate file type, select its format from the File name drop-down menu.
Type the password for the private key that is included in the certificate file (the one set with -passout in the command above).
Select Mark this key as exportable and Select Include all extended properties.
Click Next and click Finish. The new certificate appears in the Certificates (Local Computer) > Personal > Certificates folder.
Right-click the self-signed or previous certificate that was issued to the Horizon 7 server host and click Properties
On the General tab, delete the Friendly name text
Right-click the NEW certificate that was imported and select Properties
On the General tab, set the Friendly name to vdm, click Apply and click OK. The Connection Server selects its TLS certificate by this friendly name, which is why the old certificate had to lose it first: only one certificate in the store should be called vdm.
Verify that the new certificate contains a private key.
In the Certificates (Local Computer) > Personal > Certificates folder, double-click the new certificate.
In the General tab of the Certificate Information dialog box, verify that the following statement appears: You have a private key that corresponds to this certificate.
Restart the VMware Horizon View Connection Server service for the change to take effect
Browse to the Connection Server and look for the padlock showing that the session is now trusted and encrypted. The padlock only appears on clients that trust the issuing CA; domain-joined machines pick up an enterprise CA's root automatically, anything else needs root64.cer installed as a trusted root.
NEXT……UAG’s