Replacing the Self-Signed Certificate in VMware App Volumes 2.12
It is becoming increasingly common for IT to implement SSL certificates for secure communications among application components. Using certificates provides a number of benefits, including privacy and secure authentication, for a relatively small investment.
Self-signed certificates allow applications to be deployed quickly, but are intended for lab, proof-of-concept, or nonproduction implementations. For production implementations, you should use certificates signed by a Certificate Authority (CA), whether private (such as an on-premises Microsoft CA), or from a trusted public CA.
The latest release of VMware App Volumes includes several new features and enhancements. This blog post focuses on a new capability that encrypts and secures communication between App Volumes Manager and App Volumes Agent.
When you install the App Volumes Manager (referred to as Manager here), a self-signed certificate is applied. When you launch the Web-based Manager console, a security warning appears indicating that the SSL certificate is not from a trusted source.
Figure: Example certificate warning.
This blog post walks you through the process of replacing the Manager self-signed certificate with a Microsoft CA-signed certificate. After you read through this blog post, if you would like to see the process, watch the video Replacing the App Volumes 2.12 Default Self-Signed SSL Certificate.
Note: A variety of certificate authorities, attributes, and options for generating certificates exist. This blog post gives only one example. VMware recommends following your organization’s standards for certificates.
Overview of the Certificate Replacement Process
Steps 1 and 2 in the following list generate a certificate using a Microsoft CA. If your organization uses a different Certificate Authority for this process, Steps 1 and 2 may differ in how you obtain your certificate. Steps 3 through 6 are still applicable but may vary slightly depending on the type of certificate your CA provides.
1. Generate a Certificate Signing Request (CSR) for the App Volumes Manager server.
2. Submit the CSR to a Certificate Authority for certificate generation. A Microsoft CA is used for the purposes of this blog post, though the process is similar when submitting a CSR to other CAs.
3. Import the SSL certificate to the App Volumes Manager server.
4. Export the certificate and private key to a PFX file.
5. Extract the certificate and private key from the PFX file, and convert the private key to PEM format.
6. Configure NGINX to use the certificate and PEM-formatted key file.
Step 1: Generate a Certificate Signing Request
A CSR defines parameters for the certificate you are requesting, and can be submitted to a variety of CAs for certificate generation. Read VMware knowledge base article Generating a Horizon View SSL certificate request using the Microsoft Management Console (MMC) Certificates snap-in (2068666), which shows the steps in the process.
Note: The App Volumes Manager server inherently trusts the Root Domain CA in this environment. The Root Domain CA directly issues the certificate in this example. In some cases, you may need to import intermediate certificates in the certificate chain. Microsoft has a good primer on the Hierarchy of Trust about this topic.
From the Manager server, open Microsoft MMC.
From the File menu, select Add/Remove Snap-in.
Select the Certificates snap-in, and click Add.
Select Computer account and click Next.
Select Local computer and click Finish.
From the Manager server, browse to and select Certificates.
From the Certificates folder, right-click Personal.
Select All Tasks > Advanced Operations > Create Custom Request.
Select Proceed without enrollment policy.
For Template, click the down-arrow, and select (No template) Legacy key.
For Request format, select PKCS #10.
Expand Details, then click Properties.
Enter a Friendly name, then click the Subject tab.
On the Subject tab, under Subject name, open the Type list and select Full DN.
Enter the values in the following fields under Subject name, clicking Add after each value entry:
Next, click the Private Key tab.
Click Key options and complete the following fields:
Key size: 2048
Select Make private key exportable and click OK.
From the Certificate Enrollment window, click Next.
For File Name, browse to the location where you will save the request file, and enter a file name. Click Save.
For File format, select Base 64, and click Finish.
Step 2: Submit Certificate Request to a Microsoft CA
From the Manager server, open a Web browser and navigate to http://<CA>/CertSrv.
Click Request a certificate.
Click advanced certificate request.
Click Submit a certificate request by using a base-64-encoded….
Leave open the Submit a Certificate Request or Renewal Request window.
Use Notepad to open the CSR you saved in Step 1.
Copy all of the text, including the header and footer.
Be careful not to copy any extra spaces or leave out any characters during this process.
Paste this data into the Saved Request field on the Submit a Certificate Request or Renewal Request window.
Change the Certificate Template to Web Server.
Select to download the certificate in Base 64 encoded format.
The P7B file will not be used in this exercise and is optional. You need only the CER file to continue because domain computers inherently trust the Root Domain CA.
Step 3: Import New Certificate to Manager Server
From the Manager server, open Microsoft MMC.
Browse to Certificates.
Right-click Personal, and select All Tasks > Import.
The Welcome to the Certificate Import Wizard appears. Select Local Machine and click Next.
Browse to the CER file you downloaded in Step 2 and click Open.
Follow the prompts to import the certificate. Click Finish. The import was successful message appears.
Step 4: Export the Certificate and Private Key
Navigate to Personal > Certificates.
In the right pane, right-click the imported certificate and select All Tasks > Export.
Follow the prompts to export the private key.
Select Include all certificates….
Also, select Export all extended properties.
Create a password to secure the exported private key.
Note: You will need this password in Step 5, when prompted for the “Import Password.”
Export the key.
Step 5: Extract the Certificate and Private Key from the PFX
While some CAs provide separate CRT and KEY files, the Microsoft CA produces a PFX file. In this example, a third-party tool called OpenSSL is used to extract the necessary files.
Launch OpenSSL with admin rights.
Run the command:
pkcs12 -in <file>.pfx -nocerts -out <keyfile>.key
Enter the Import Password. You created the Import Password in Step 4 when you exported the private key.
Next, create a PEM pass phrase and re-enter it to verify it. You will not see this pass phrase echoed in the window.
Note: The PEM pass phrase is a password created during this process. Be sure to make note of this, as it will be needed later.
The next command converts the private key (created in Step 4) to PEM format as required by App Volumes.
Run the command:
rsa -in <keyfile>.key -outform PEM -out <keyfile>PEM.key
When prompted, enter the (PEM) pass phrase that you just made note of.
Now, you will extract the certificate.
Run the command:
pkcs12 -in <file>.pfx -clcerts -nokeys -out <certificate>.crt
Enter the Import Password.
The following files should now be available: <keyfile>.key, <keyfile>PEM.key, and <certificate>.crt.
Step 6: Edit the App Volumes Manager nginx.conf File
Now that you have the necessary CRT and KEY files, you must configure App Volumes to use them rather than the self-signed certificate files used by default.
From the Manager server, under Services (Local), right-click App Volumes Manager, and select Stop.
Make a backup copy of the nginx.conf file.
Open the nginx.conf file with Notepad.
Locate the two lines referencing the self-signed certificate and private key.
Modify the lines to reflect the new CRT and KEY files you extracted from the PFX file.
Be sure to include the entire path for each file.
Important: Be sure to include the trailing semi-colon.
Start the App Volumes Manager service.
The App Volumes Manager console should now open without the certificate warning.
Important: The App Volumes Manager shortcut, which is automatically placed on the desktop of the Manager server, opens your default browser to https://localhost/. Because “localhost” was not used for the CN attribute when you created the new certificate, this shortcut still displays a certificate warning. This is expected.
Likewise, if you browse to https://<Manager_IPaddress>/, you also get a certificate warning.
Instead, use https://<Manager_FQDN>/ for the App Volumes Manager. When you created the new certificate, the CN attribute contained the FQDN of the Manager server. Using this URL ensures that you will not get a certificate warning.
App Volumes 2.12 does not support using the IP Address attribute in the certificate Subject Alternative Name. Be sure to use the FQDN of the Manager server as the CN, and be sure to use the FQDN when installing the App Volumes Agent software.
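As an added example (not part of the original post and not VMware's code), the following POSIX shell script runs the three Step 5 OpenSSL commands non-interactively and then performs the checks worth doing before the Step 6 service restart: that the extracted CRT and PEM key share a public key, that the certificate is valid for the Manager FQDN and not for localhost (the behaviour described in the Important note above), and that the two nginx ssl_certificate and ssl_certificate_key directives name existing files and end with the trailing semicolon. It assumes openssl is on the PATH; the FQDN manager.example.local, the file names, the passwords, and the throwaway self-signed PFX built by make_sample_pfx are constructed stand-ins for the PFX exported in Step 4.

```shell
#!/bin/sh
# Added example, not from the original post: Step 5 extraction as a script,
# plus consistency checks on the result and on the nginx.conf edit of Step 6.
# Assumes openssl on PATH. File names, passwords and the FQDN
# manager.example.local are constructed placeholders.
set -eu

# Constructed stand-in for the PFX exported in Step 4. A throwaway
# self-signed certificate is enough to exercise the extraction; a real
# Manager would use the CA-signed certificate obtained in Step 2.
make_sample_pfx() {
  dir=$1; fqdn=$2; import_pass=$3
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$fqdn" \
    -addext "subjectAltName=DNS:$fqdn" \
    -keyout "$dir/sample.key" -out "$dir/sample.crt" 2>/dev/null
  openssl pkcs12 -export -in "$dir/sample.crt" -inkey "$dir/sample.key" \
    -out "$dir/sample.pfx" -passout "pass:$import_pass"
}

# Step 5: the same three OpenSSL commands as the post, with the Import
# Password and the PEM pass phrase supplied as arguments instead of typed.
extract_from_pfx() {
  pfx=$1; outdir=$2; import_pass=$3; pem_pass=$4
  # private key only, encrypted under the PEM pass phrase
  openssl pkcs12 -in "$pfx" -nocerts -out "$outdir/manager.key" \
    -passin "pass:$import_pass" -passout "pass:$pem_pass"
  # PEM key for nginx, written without a pass phrase so the service can start unattended
  openssl rsa -in "$outdir/manager.key" -outform PEM -out "$outdir/managerPEM.key" \
    -passin "pass:$pem_pass" 2>/dev/null
  # certificate only
  openssl pkcs12 -in "$pfx" -clcerts -nokeys -out "$outdir/manager.crt" \
    -passin "pass:$import_pass"
}

# 0 when the certificate's public key equals the public key of the key file,
# i.e. the CRT and the PEM key came from the same PFX.
cert_matches_key() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl rsa -in "$2" -pubout 2>/dev/null)" ]
}

# 0 when OpenSSL accepts host $2 for the certificate (DNS SAN or, failing
# that, the CN). This is why https://localhost/ still warns after Step 6.
cert_covers_fqdn() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# 0 when nginx.conf has both ssl_certificate and ssl_certificate_key, each
# ending in the trailing ';' and naming a file that exists on disk.
check_nginx_ssl_conf() {
  conf=$1
  grep -Eq '^[[:space:]]*ssl_certificate[[:space:]]' "$conf" || return 1
  grep -Eq '^[[:space:]]*ssl_certificate_key[[:space:]]' "$conf" || return 1
  grep -E '^[[:space:]]*ssl_certificate(_key)?[[:space:]]' "$conf" | {
    while read -r directive value; do
      case $value in
        *\;) ;;
        *) echo "$directive: missing trailing ';'" >&2; exit 1 ;;
      esac
      path=${value%\;}; path=${path#\"}; path=${path%\"}
      [ -f "$path" ] || { echo "$directive: no such file: $path" >&2; exit 1; }
    done
  }
}

# Stand-alone use on a Manager export (hypothetical script name):
#   IMPORT_PASS=... PEM_PASS=... ./extract_and_check.sh <file>.pfx <Manager_FQDN>
if [ $# -eq 2 ]; then
  extract_from_pfx "$1" . "${IMPORT_PASS:?}" "${PEM_PASS:?}"
  if cert_matches_key manager.crt managerPEM.key && cert_covers_fqdn manager.crt "$2"; then
    echo "manager.crt and managerPEM.key match and cover $2"
  else
    echo "certificate/key mismatch or $2 not covered" >&2; exit 1
  fi
fi
```

On the Manager server the same three commands are typed at the OpenSSL prompt the post uses, without the openssl prefix; the -passin and -passout arguments only replace the interactive prompts so the script can run unattended, and when run by hand it is better to type the passwords at the prompts than to leave them in the shell history.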