VMware Horizon JMP – Replace JMP Server self-signed certificate with Domain CA signed certificate

Welcome to my VMware Horizon JMP series. This session will cover the basics around using a domain CA signed certificate on the JMP server, instead of the self-signed certificate. The reason for me doing this, is that with a domain CA signed certificate, I don’t have to export the self-signed certificate from the JMP server to the connection servers’ Trusted Root Certification Authorities Store, to get it trusted. This also eliminates future problems when connection servers are re-installed and the like.

Prerequisites for completing these tasks are:

  • Access to the domain’s CA and permissions to create/edit certificate templates
  • Administrative access to the JMP and Horizon Connection server
  • OpenSSL needs to be installed

 

The steps I have to take to complete this session are the following:

  • Prepare Template
  • Request Certificate
  • Export the Certificate to PFX
  • Extract certificate and private key from PFX file and convert the private key to PEM format
  • Configure NGINX to use the certificate and PEM-formatted key file

 

Prepare Template

I will use a certificate template I previously created on my CA server, named Horizon Services. When I created this, I gave the Active Directory Group «Horizon Services» the permissions Read, Write and Enroll. Therefore I will simply add the computer account for my JMP-server to this group in ADUC. To activate this membership I reboot my JMP server.

JMP_UseDomainCA-02

JMP_UseDomainCA-01

 

Request Certificate

Once the JMP Server is restarted, I login and request a new certificate from my CA.

JMP_UseDomainCA-03

 

The Certificate Enrollment Wizard launches, Next…

JMP_UseDomainCA-04

 

I have used my domain CA, so i select Active Directory Enrollment Policy, Next…

JMP_UseDomainCA-05

 

I click the yellow “Click here to continue” on my Horizon Services template

JMP_UseDomainCA-06

 

I populate the following values in the subject information fields:

  • CN – This must be the FQDN of your Manager server, in my case: “view-jmp01.ad.admin.frelab.net”
  • Country (C)
  • Locality (L)
  • Organization (O)
  • Organizational Unit (OU)
  • State

JMP_UseDomainCA-07

 

I give the certificate a friendly name and make sure to check “Make private key exportable, OK…

JMP_UseDomainCA-08

JMP_UseDomainCA-09

 

Back in the Certificate Enrollment Wizard I check my Horizon Services certificate, Enroll…

JMP_UseDomainCA-10

 

Finish…

JMP_UseDomainCA-11

 

I can now verify my certificate properties from the certificate MMC, looks excellent.

JMP_UseDomainCA-12

JMP_UseDomainCA-13

JMP_UseDomainCA-14

 

Export the Certificate to PFX

In order to use this certificate with NGINX, I first have to export this certificate to pfx-format.

JMP_UseDomainCA-15

 

Next…

JMP_UseDomainCA-16

 

Yes, export the private key, Next…

JMP_UseDomainCA-17

 

I check “Export all extended properties”, Next…

JMP_UseDomainCA-18

 

I enter a password, Next…

JMP_UseDomainCA-19

 

I specify a location and filename, Next…

JMP_UseDomainCA-20

 

Finish…

JMP_UseDomainCA-21

 

Extract certificate and private key from PFX file and convert the private key to PEM format

From an administrative command prompt I run the following commands to extract the certificate and private key to PEM format. This is done from within the OpenSSL folder.

“openssl pkcs12 –in c:\tmp\view-jmp01.pfx –nocerts –out c:\tmp\view-jmp01.key”

“openssl rsa –in c:\tmp\view-jmp01.key -outform PEM –out c:\tmp\view-jmp01-PEM.key”

“openssl pkcs12 –in c:\tmp\view-jmp01.pfx –clcerts –nokeys –out c:\tmp\view-jmp01.crt”

JMP_UseDomainCA-22

 

This produces the following files

JMP_UseDomainCA-23

 

Configure NGINX to use the certificate and PEM-formatted key file

Before I can configure NGINX to use my new certificate and key, I need to stop the Horizon JMP Services.

JMP_UseDomainCA-23_1

 

I make a backup of nginx.conf, copy crt and key file to same folder, “C:\Program Files (x86)\VMware\JMP\com\XMS\nginx\conf”  (PS: It might be useful to launch explorer.exe from an administrative command prompt, in order to get permissions to access this folder)

JMP_UseDomainCA-24

 

From an administrative command prompt, I start notepad.exe and open the nginx.conf file. I comment out the original settings and append my new certificate settings. Save and exit.

JMP_UseDomainCA-25

 

Finally, I start up the JMP services again.

 

JMP_UseDomainCA-23_1

 

Now that I’m done configuring the JMP server certificate, I can proceed with configuring Horizon JMP, covered here: VMware Horizon JMP – Configuration

 

VMware Horizon JMP on VMware Tech Zone

VMware Horizon JMP planning, deployment etc.

Disclaimer: Every tips/tricks/posting I have published here, is tried and tested in different it-solutions. It is not guaranteed to work everywhere, but is meant as a tip for other users out there. Remember, Google is your friend and don’t be afraid to steal with pride! Feel free to comment below as needed.