VMware Horizon JMP – Replace JMP Server self-signed certificate with Domain CA signed certificate
Welcome to my VMware Horizon JMP series. This session covers the basics of using a domain CA signed certificate on the JMP server instead of the self-signed certificate. The reason for doing this is that with a domain CA signed certificate I don’t have to export the self-signed certificate from the JMP server into the Connection Servers’ Trusted Root Certification Authorities store to get it trusted. This also eliminates future problems when Connection Servers are re-installed and the like.
Prerequisites for completing these tasks are:
- Access to the domain’s CA and permissions to create/edit certificate templates
- Administrative access to the JMP and Horizon Connection server
- OpenSSL needs to be installed
The steps I have to take to complete this session are the following:
- Prepare Template
- Request Certificate
- Export the Certificate to PFX
- Extract certificate and private key from PFX file and convert the private key to PEM format
- Configure NGINX to use the certificate and PEM-formatted key file
Prepare Template
I will use a certificate template I previously created on my CA server, named Horizon Services. When I created this, I gave the Active Directory Group «Horizon Services» the permissions Read, Write and Enroll. Therefore I will simply add the computer account for my JMP-server to this group in ADUC. To activate this membership I reboot my JMP server.
Request Certificate
Once the JMP Server is restarted, I login and request a new certificate from my CA.
The Certificate Enrollment Wizard launches, Next…
I have used my domain CA, so I select Active Directory Enrollment Policy, Next…
I click the yellow “Click here to continue” on my Horizon Services template
I populate the following values in the subject information fields:
- CN – This must be the FQDN of your Manager server, in my case: “view-jmp01.ad.admin.frelab.net”
- Country (C)
- Locality (L)
- Organization (O)
- Organizational Unit (OU)
- State
I give the certificate a friendly name and make sure to check “Make private key exportable”, OK…
Back in the Certificate Enrollment Wizard I check my Horizon Services certificate, Enroll…
Finish…
I can now verify my certificate properties from the certificate MMC, looks excellent.
Export the Certificate to PFX
In order to use this certificate with NGINX, I first have to export this certificate to pfx-format.
Next…
Yes, export the private key, Next…
I check “Export all extended properties”, Next…
I enter a password, Next…
I specify a location and filename, Next…
Finish…
Extract certificate and private key from PFX file and convert the private key to PEM format
From an administrative command prompt I run the following commands to extract the certificate and private key to PEM format. This is done from within the OpenSSL folder. The first command writes the private key (still protected by a passphrase that OpenSSL prompts for), the second removes that passphrase so NGINX can start without prompting, and the third writes the certificate alone.
openssl pkcs12 -in c:\tmp\view-jmp01.pfx -nocerts -out c:\tmp\view-jmp01.key
openssl rsa -in c:\tmp\view-jmp01.key -outform PEM -out c:\tmp\view-jmp01-PEM.key
openssl pkcs12 -in c:\tmp\view-jmp01.pfx -clcerts -nokeys -out c:\tmp\view-jmp01.crt
This produces the following files in c:\tmp: view-jmp01.key (passphrase-protected key), view-jmp01-PEM.key (unencrypted key for NGINX) and view-jmp01.crt (certificate).
Configure NGINX to use the certificate and PEM-formatted key file
Before I can configure NGINX to use my new certificate and key, I need to stop the Horizon JMP Services.
I make a backup of nginx.conf and copy the .crt and -PEM.key files to the same folder, “C:\Program Files (x86)\VMware\JMP\com\XMS\nginx\conf” (PS: it might be useful to launch explorer.exe from an administrative command prompt in order to get permission to access this folder).
From an administrative command prompt, I start notepad.exe and open the nginx.conf file. I comment out the original settings and append my new certificate settings. Save and exit.
Finally, I start up the JMP services again.
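The extraction steps above and the nginx.conf edit, as one added example that is not part of the original post and not VMware’s or NGINX’s own code. It is written as a POSIX shell script (the same OpenSSL commands work from a Windows prompt), runs the three OpenSSL commands with the post’s file names, and then checks what a practitioner would want to know before restarting the JMP services: that the extracted private key really belongs to the certificate, that the subject CN is the JMP server’s FQDN, and that the PEM key carries no passphrase (otherwise NGINX stops at startup to ask for it). It also prints the two ssl_certificate directives to append to nginx.conf. The PFX password, the output folder and the FQDN are assumptions supplied as arguments; the JMP conf folder is the path from the post. Because the -PEM.key file is a plaintext key, restrict the file permissions on it.

```shell
#!/bin/sh
# Added example, not from the original post: performs the three OpenSSL steps
# from the "Extract certificate and private key" section, then checks the
# results before the files go into the NGINX conf folder. File names follow
# the post; the PFX password, output folder and FQDN are assumptions.
set -eu

# Split a PFX into a PEM certificate and an unencrypted PEM private key.
# $1 = PFX file, $2 = PFX password, $3 = output basename (e.g. view-jmp01)
extract_pfx() {
  pfx=$1; pass=$2; base=$3
  # Private key only, still passphrase-protected (the post's first command).
  openssl pkcs12 -in "$pfx" -nocerts -out "$base.key" -passin "pass:$pass" -passout "pass:$pass"
  # Strip the passphrase so NGINX can start unattended (the post's second command).
  # The result is a plaintext key: restrict NTFS/file permissions on it.
  openssl rsa -in "$base.key" -passin "pass:$pass" -outform PEM -out "$base-PEM.key"
  # Leaf certificate only, no key (the post's third command).
  openssl pkcs12 -in "$pfx" -clcerts -nokeys -out "$base.crt" -passin "pass:$pass"
}

# Succeeds if the certificate's public key is the one derived from the private
# key; compares SHA-256 of the DER public key, so it also works for non-RSA keys.
key_matches_cert() {
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  k=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
  [ "$c" = "$k" ]
}

# Succeeds if the subject CN is exactly the FQDN the Connection Server will use.
cert_cn_is() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | grep -qE 'CN='"$2"'(,|$)'
}

# Succeeds if the PEM key carries no passphrase (NGINX would otherwise prompt).
key_is_unencrypted() {
  ! grep -q ENCRYPTED "$1"
}

# Prints the two directives to append to nginx.conf. The default folder is the
# JMP installation path from the post; NGINX on Windows accepts forward slashes.
nginx_ssl_directives() {
  dir=${1:-"C:/Program Files (x86)/VMware/JMP/com/XMS/nginx/conf"}
  printf 'ssl_certificate     "%s/%s.crt";\nssl_certificate_key "%s/%s-PEM.key";\n' "$dir" "$2" "$dir" "$2"
}

# Usage: sh jmp-cert.sh view-jmp01.pfx 'pfx-password' view-jmp01 view-jmp01.ad.admin.frelab.net
if [ "$#" -eq 4 ]; then
  extract_pfx "$1" "$2" "$3"
  key_matches_cert "$3.crt" "$3-PEM.key" || { echo "private key does not match certificate" >&2; exit 1; }
  cert_cn_is "$3.crt" "$4"              || { echo "certificate CN is not $4" >&2; exit 1; }
  key_is_unencrypted "$3-PEM.key"       || { echo "key is still passphrase-protected" >&2; exit 1; }
  nginx_ssl_directives "" "$3"
fi
```

Run it once from the folder holding the exported PFX; if every check passes it prints the two directive lines, which replace the commented-out originals in nginx.conf. A mismatch between key and certificate is the most common reason for NGINX refusing to start after this change, and the check catches it before the JMP services are touched.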
Now that I’m done configuring the JMP server certificate, I can proceed with configuring Horizon JMP, covered here: VMware Horizon JMP – Configuration
VMware Horizon JMP on VMware Tech Zone
VMware Horizon JMP planning, deployment etc.
Disclaimer: Every tip/trick/posting I have published here is tried and tested in different IT solutions. It is not guaranteed to work everywhere, but is meant as a tip for other users out there. Remember, Google is your friend and don’t be afraid to steal with pride! Feel free to comment below as needed.