Release date: April 24th 2021
Welcome to my VMware App Volumes series. This session will cover the basics around using a domain CA signed certificate on the App Volumes Manager server, instead of the self-signed certificate. This will ensure that the certificate is trusted by all domain joined computers and will be easier to maintain in the future.
Prerequisites for completing these tasks are:
- Access to the domain’s CA and permissions to create/edit certificate templates
- Administrative access to the App Volumes Manager and JMP Server
- OpenSSL needs to be installed
The steps I have to take to complete this session are the following:
- Prepare Template
- Request Certificate
- Export the Certificate to PFX
- Extract the certificate and private key from the PFX file and convert the private key to PEM format
- Configure NGINX to use the certificate and PEM-formatted key file
I will use a certificate template I previously created on my CA server, named Horizon Services. When I created this, I gave the Active Directory Group «Horizon Services» the permissions Read, Write and Enroll. Therefore I will simply add the computer account for my App Volumes server to this group in ADUC. To activate this membership I reboot my App Volumes server.
Once the App Volumes Server is restarted, I log in and request a new certificate from my CA. First, I have to open the Certificates MMC snap-in; this can be done the “hard way” as shown below, or simply by running certlm.msc from an administrative prompt.
Start Microsoft Management Console
Add Certificates Snap-in
Select Computer Account, Next…
Local computer, Next…
Request certificate from Domain CA
The Certificate Enrollment Wizard launches, Next…
I have used my domain CA, so I select Active Directory Enrollment Policy, Next…
I click the yellow “Click here to continue” on my Horizon Services template
I populate the following values in the subject information fields:
- CN – This must be the FQDN of your Manager server, in my case: “hz-appv-01.ad.admin.frelab.net”
- Country (C)
- Locality (L)
- Organization (O)
- Organizational Unit (OU)
I also add the FQDN to DNS under Alternative Name
- DNS – This must be the FQDN of your Manager server, in my case: “hz-appv-01.ad.admin.frelab.net”
I give the certificate a friendly name and make sure to check “Make private key exportable”, OK…
Back in the Certificate Enrollment Wizard I check my Horizon Services template, Enroll…
I can now verify my certificate properties from the certificate MMC, looks excellent.
Export the Certificate to PFX
In order to use this certificate with NGINX, I first have to export this certificate to pfx-format.
Yes, export the private key, Next…
I check “Export all extended properties”, Next…
I enter a password, Next…
I specify a location and filename, Next…
Extract certificate and private key from PFX file and convert the private key to PEM format
From an administrative command prompt I run the following commands to extract the certificate and private key to PEM format. This is done from within the OpenSSL folder.
openssl pkcs12 -in c:\tmp\view-appvol01.pfx -nocerts -out c:\tmp\view-appvol01.key
openssl rsa -in c:\tmp\view-appvol01.key -outform PEM -out c:\tmp\view-appvol01-PEM.key
openssl pkcs12 -in c:\tmp\view-appvol01.pfx -clcerts -nokeys -out c:\tmp\view-appvol01.crt
This produces the following files
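Before copying the .crt and PEM .key into the nginx folder, it is worth confirming that the two files belong together, that the key really is unencrypted and that the FQDN made it into the SAN. The script below is an added example, not part of the original post; it assumes a POSIX shell (WSL or Git Bash on the manager, or any Linux box) with openssl on PATH, and the file names are the ones used above.

```shell
#!/bin/sh
# Constructed example, not from the original post: sanity checks for the
# extracted .crt and PEM .key before they replace the self-signed pair in
# nginx\conf. Assumes a POSIX shell with openssl on PATH.
# Usage: sh check_appvol_cert.sh view-appvol01.crt view-appvol01-PEM.key hz-appv-01.ad.admin.frelab.net

# nginx reads the key at service start with nobody there to type a passphrase,
# so the "openssl rsa ... -outform PEM" step must have left it unencrypted.
key_is_unencrypted() {
    if grep -q 'ENCRYPTED' "$1"; then return 1; fi
    openssl pkey -in "$1" -noout >/dev/null 2>&1
}

# The .crt (-clcerts -nokeys) and the .key (-nocerts) came from the same PFX
# only if they carry the same public key; a mix-up makes nginx refuse to start.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Clients match the manager FQDN against the SAN, not the CN, so the DNS
# entry added in the enrollment wizard must actually be in the certificate.
cert_has_san_dns() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -qiF "DNS:$2"
}

# -checkend 0 fails if the certificate has already expired.
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Runs one check, prints PASS/FAIL and records any failure in $failed.
report() { if "$@"; then echo "PASS: $*"; else echo "FAIL: $*"; failed=1; fi; }

# Returns 0 only if every check passes: CRT KEY FQDN
run_checks() {
    failed=0
    report key_is_unencrypted "$2"
    report cert_matches_key "$1" "$2"
    report cert_has_san_dns "$1" "$3"
    report cert_not_expired "$1"
    return $failed
}

if [ $# -ge 3 ]; then
    run_checks "$1" "$2" "$3"
fi
```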
Configure NGINX to use the certificate and PEM-formatted key file
Before I can configure NGINX to use my new certificate and key, I need to stop the App Volumes services.
I make a backup of nginx.conf and copy the .crt and .key files to the same folder, “C:\Program Files (x86)\CloudVolumes\Manager\nginx\conf” (PS: it might be useful to launch explorer.exe from an administrative command prompt in order to get permission to access this folder).
From an administrative command prompt, I start notepad.exe and open the nginx.conf file. I comment out the original settings and append my new certificate settings. Save and exit.
Finally, I start up the App Volumes’ services again.
I can now verify the certificate configuration in the App Volumes Manager GUI.
That concludes my session about setting up App Volumes Manager with a Domain CA signed certificate.
Disclaimer: Every tip/trick/posting I have published here is tried and tested in different IT solutions. It is not guaranteed to work everywhere, but is meant as a tip for other users out there. Remember, Google is your friend and don’t be afraid to steal with pride! Feel free to comment below as needed.