VMware App Volumes 2.xx – Replace App Volumes Manager self-signed certificate with Domain CA signed certificate

Welcome to my VMware App Volumes series. This session will cover the basics around using a domain CA signed certificate on the App Volumes Manager server, instead of the self-signed certificate. This will ensure that the certificate is trusted by all domain joined computers and will be easier to maintain in the future.

Prerequisites for completing these tasks are:

  • Access to the domain’s CA and permissions to create/edit certificate templates
  • Administrative access to the App Volumes Manager and JMP Server
  • OpenSSL needs to be installed

 

The steps I have to take to complete this session are the following:

  • Prepare Template
  • Request Certificate
  • Export the Certificate to PFX
  • Extract certificate and private key from PFX file and convert the private key to PEM format
  • Configure NGINX to use the certificate and PEM-formatted key file

 

Prepare Template

I will use a certificate template I previously created on my CA server, named Horizon Services. When I created this, I gave the Active Directory Group «Horizon Services» the permissions Read, Write and Enroll. Therefore I will simply add the computer account for my App Volumes server to this group in ADUC. To activate this membership I reboot my App Volumes server.

JMP_UseDomainCA-02

AppVolumes_UseDomainCA-02

 

Request Certificate

Once the App Volumes server has restarted, I log in and request a new certificate from my CA. Start the Microsoft Management Console (mmc.exe).

AppVolumes_UseDomainCA-03

 

Add Certificates Snap-in

AppVolumes_UseDomainCA-04

AppVolumes_UseDomainCA-05

 

Select Computer Account, Next…

AppVolumes_UseDomainCA-06

 

Local computer, Next…

AppVolumes_UseDomainCA-07

 

OK…

AppVolumes_UseDomainCA-08

 

Request certificate from Domain CA

AppVolumes_UseDomainCA-09

 

The Certificate Enrollment Wizard launches, Next…

AppVolumes_UseDomainCA-10

 

I have used my domain CA, so I select Active Directory Enrollment Policy, Next…

AppVolumes_UseDomainCA-11

 

I click the yellow “Click here to continue” on my Horizon Services template

AppVolumes_UseDomainCA-12

 

I populate the following values in the subject information fields:

  • CN – This must be the FQDN of your Manager server, in my case: “view-appvol01.ad.admin.frelab.net”
  • Country (C)
  • Locality (L)
  • Organization (O)
  • Organizational Unit (OU)
  • State

AppVolumes_UseDomainCA-13

 

I give the certificate a friendly name and make sure to check “Make private key exportable”, OK…

AppVolumes_UseDomainCA-14

AppVolumes_UseDomainCA-15

 

Back in the Certificate Enrollment Wizard I check my Horizon Services template, Enroll…

AppVolumes_UseDomainCA-16

 

Finish…

AppVolumes_UseDomainCA-17

 

I can now verify the certificate properties from the Certificates MMC, and they look excellent.

AppVolumes_UseDomainCA-18

AppVolumes_UseDomainCA-19

AppVolumes_UseDomainCA-20

 

Export the Certificate to PFX

In order to use this certificate with NGINX, I first have to export it, together with its private key, to PFX format.

AppVolumes_UseDomainCA-21

 

Next…

AppVolumes_UseDomainCA-22

 

Yes, export the private key, Next…

AppVolumes_UseDomainCA-23

 

I check “Export all extended properties”, Next…

AppVolumes_UseDomainCA-24

 

I enter a password, Next…

AppVolumes_UseDomainCA-25

 

I specify a location and filename, Next…

AppVolumes_UseDomainCA-26

 

Finish…

AppVolumes_UseDomainCA-27

 

Extract certificate and private key from PFX file and convert the private key to PEM format

From an administrative command prompt, run from within the OpenSSL folder, I run the following commands to extract the certificate and private key to PEM format. The first command writes a passphrase-protected key (OpenSSL prompts for the PFX password and a new PEM passphrase); the second removes that passphrase so NGINX can load the key without prompting, which means the resulting key file must be protected with file permissions; the third writes the certificate itself.

openssl pkcs12 -in c:\tmp\view-appvol01.pfx -nocerts -out c:\tmp\view-appvol01.key

openssl rsa -in c:\tmp\view-appvol01.key -outform PEM -out c:\tmp\view-appvol01-PEM.key

openssl pkcs12 -in c:\tmp\view-appvol01.pfx -clcerts -nokeys -out c:\tmp\view-appvol01.crt

AppVolumes_UseDomainCA-28

This produces the following files:

AppVolumes_UseDomainCA-29
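The export and extraction steps above, scripted as a PowerShell example I have added here; it is not code from the original post, and the OpenSSL install path, the C:\tmp work folder and the assumption that the App Volumes services run as LocalSystem are mine. Beyond the post it also checks that the extracted key really belongs to the certificate and locks down the unencrypted PEM key.

```powershell
# Added example, not part of the original post. Assumed values: the work folder,
# the OpenSSL path and that the App Volumes services run as LocalSystem.
$Fqdn    = 'view-appvol01.ad.admin.frelab.net'   # CN of the enrolled certificate
$WorkDir = 'C:\tmp'
$OpenSsl = 'C:\Program Files\OpenSSL-Win64\bin\openssl.exe'   # assumed install path
$PfxPass = Read-Host -AsSecureString -Prompt 'PFX export password'
# Decode the SecureString once so it can be handed to openssl via -passin/-passout
$Plain   = (New-Object System.Net.NetworkCredential('', $PfxPass)).Password

# 1. Pick the newest certificate in the computer store issued for the manager FQDN
#    that carries a private key (this needs the "Make private key exportable" step).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$Fqdn*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key found for CN=$Fqdn" }

# 2. Export it to PFX, private key included (equivalent of the MMC export wizard)
$pfx = Join-Path $WorkDir "$Fqdn.pfx"
Export-PfxCertificate -Cert $cert -FilePath $pfx -Password $PfxPass | Out-Null

# 3. The same three OpenSSL steps as in the post: passphrase-protected key,
#    then a passphrase-free PEM key for NGINX, then the certificate itself.
$encKey = Join-Path $WorkDir "$Fqdn.key"
$pemKey = Join-Path $WorkDir "$Fqdn-PEM.key"
$crt    = Join-Path $WorkDir "$Fqdn.crt"
& $OpenSsl pkcs12 -in $pfx -nocerts -out $encKey -passin "pass:$Plain" -passout "pass:$Plain"
& $OpenSsl rsa -in $encKey -passin "pass:$Plain" -outform PEM -out $pemKey
& $OpenSsl pkcs12 -in $pfx -clcerts -nokeys -out $crt -passin "pass:$Plain"

# 4. Sanity check: the RSA modulus in the key must equal the one in the certificate,
#    otherwise NGINX refuses to start with a "key values mismatch" error.
$certMod = & $OpenSsl x509 -noout -modulus -in $crt
$keyMod  = & $OpenSsl rsa  -noout -modulus -in $pemKey
if ($certMod -ne $keyMod) { throw 'Private key does not match the certificate' }

# 5. The PEM key is now unencrypted: make it readable only by SYSTEM and administrators
#    and drop the passphrase-protected copy, which is no longer needed.
icacls $pemKey /inheritance:r /grant:r 'SYSTEM:R' 'BUILTIN\Administrators:F' | Out-Null
Remove-Item $encKey
Write-Host "Ready to copy to the NGINX conf folder: $crt and $pemKey"
```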

 

Configure NGINX to use the certificate and PEM-formatted key file

Before I can configure NGINX to use my new certificate and key, I need to stop the App Volumes services.

AppVolumes_UseDomainCA-30

I make a backup of nginx.conf and copy the .crt and PEM key file to the same folder, “C:\Program Files (x86)\CloudVolumes\Manager\nginx\conf”. (It might be useful to launch explorer.exe from an administrative command prompt in order to get permission to access this folder.)

AppVolumes_UseDomainCA-31

From an administrative command prompt, I start notepad.exe and open the nginx.conf file. I comment out the original certificate and key settings and append my new certificate settings pointing at the copied files. Save and exit.

AppVolumes_UseDomainCA-32

 

Finally, I start up the App Volumes’ services again.

AppVolumes_UseDomainCA-33

 

I can now verify certificate configuration in App Volumes Manager GUI

AppVolumes_UseDomainCA-34

 

Next, I log into the Horizon JMP server and rename the existing App Volumes certificate in C:\Program Files (x86)\VMware\JMP\com

AppVolumes_UseDomainCA-35

AppVolumes_UseDomainCA-36

 

Then I open the App Volumes Manager web page from within the JMP Server desktop and export the new certificate to C:\Program Files (x86)\VMware\JMP\com

AppVolumes_UseDomainCA-37

AppVolumes_UseDomainCA-38

AppVolumes_UseDomainCA-39

AppVolumes_UseDomainCA-40

 

Back in the C:\Program Files (x86)\VMware\JMP\com, I see that my exported certificate has the .cer extension.

AppVolumes_UseDomainCA-41

 

I remove the .cer extension and restart the JMP Services

AppVolumes_UseDomainCA-42

AppVolumes_UseDomainCA-43

 

I now log into “/newadmin” and verify the App Volumes configuration

AppVolumes_UseDomainCA-44

 

As we can see from the image above, the new certificate is accepted nicely by Horizon JMP. That concludes my session about setting up App Volumes Manager with a Domain CA signed certificate.

 

 

 

 


Disclaimer: Every tips/tricks/posting I have published here, is tried and tested in different it-solutions. It is not guaranteed to work everywhere, but is meant as a tip for other users out there. Remember, Google is your friend and don’t be afraid to steal with pride! Feel free to comment below as needed.
