VMware App Volumes – Replace App Volumes Manager self-signed certificate with Domain CA signed certificate

Release date: April 24th 2021

Welcome to my VMware App Volumes series. This session will cover the basics around using a domain CA signed certificate on the App Volumes Manager server, instead of the self-signed certificate. This will ensure that the certificate is trusted by all domain joined computers and will be easier to maintain in the future.

Prerequisites for completing these tasks are:

  • Access to the domain’s CA and permissions to create/edit certificate templates
  • Administrative access to the App Volumes Manager and JMP Server
  • OpenSSL needs to be installed

The steps I have to take to complete this session are the following:

  • Prepare Template
  • Request Certificate
  • Export the Certificate to PFX
  • Extract certificate and private key from PFX file and convert to PEM format
  • Configure NGINX to use the certificate and PEM-formatted key file

Prepare Template

I will use a certificate template I previously created on my CA server, named Horizon Services. When I created this, I gave the Active Directory Group «Horizon Services» the permissions Read, Write and Enroll. Therefore I will simply add the computer account for my App Volumes server to this group in ADUC. To activate this membership I reboot my App Volumes server.

Request Certificate

Once the App Volumes Server is restarted, I log in and request a new certificate from my CA. First, I have to open the certificates MMC. This can be done the “hard way” as shown below, or simply by running certlm.msc from an administrative prompt.

certlm.msc

Start Microsoft Management Console

Add Certificates Snap-in

Select Computer Account, Next…

Local computer, Next…

OK…

Request certificate from Domain CA

The Certificate Enrollment Wizard launches, Next…

I have used my domain CA, so I select Active Directory Enrollment Policy, Next…

I click the yellow “Click here to continue” on my Horizon Services template

I populate the following values in the subject information fields:

  • CN – This must be the FQDN of your Manager server, in my case: “hz-appv-01.ad.admin.frelab.net”
  • Country (C)
  • Locality (L)
  • Organization (O)
  • Organizational Unit (OU)
  • State

I also add the FQDN to DNS under Alternative Name

  • DNS – This must be the FQDN of your Manager server, in my case: “hz-appv-01.ad.admin.frelab.net”

I give the certificate a friendly name and make sure to check “Make private key exportable”, OK…

Back in the Certificate Enrollment Wizard I check my Horizon Services template, Enroll…

Finish…

I can now verify my certificate properties from the certificate MMC, looks excellent.

Export the Certificate to PFX

In order to use this certificate with NGINX, I first have to export this certificate to pfx-format.

Next…

Yes, export the private key, Next…

I check “Export all extended properties”, Next…

I enter a password, Next…

I specify a location and filename, Next…

Finish…

Extract certificate and private key from PFX file and convert the private key to PEM format

From an administrative command prompt I run the following commands to extract the certificate and private key to PEM format. This is done from within the OpenSSL folder.

openssl pkcs12 -in c:\tmp\view-appvol01.pfx -nocerts -out c:\tmp\view-appvol01.key

openssl rsa -in c:\tmp\view-appvol01.key -outform PEM -out c:\tmp\view-appvol01-PEM.key

openssl pkcs12 -in c:\tmp\view-appvol01.pfx -clcerts -nokeys -out c:\tmp\view-appvol01.crt

This produces the following files in c:\tmp: view-appvol01.key, view-appvol01-PEM.key and view-appvol01.crt.
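
Before the files go anywhere near NGINX, it is worth confirming that the extracted certificate and key actually belong together and that the certificate carries the right name. The following PowerShell check is an added example, not part of the original post; it assumes openssl.exe can be called from the current prompt and an RSA key, and it reuses the paths and FQDN shown above.

```powershell
# Added example: paths and FQDN are the ones used in this post; adjust as needed.
$openssl = 'openssl'   # assumption: openssl.exe is on PATH or this runs from the OpenSSL folder
$crt     = 'C:\tmp\view-appvol01.crt'
$key     = 'C:\tmp\view-appvol01-PEM.key'
$fqdn    = 'hz-appv-01.ad.admin.frelab.net'

function Get-Modulus([string]$kind, [string]$path) {
    # "openssl x509 ... -modulus" and "openssl rsa ... -modulus" both print "Modulus=<hex>"
    $out = & $openssl $kind -in $path -noout -modulus 2>$null
    if ($LASTEXITCODE -ne 0 -or -not $out) { throw "openssl could not read $path" }
    return ($out | Select-Object -First 1).Trim()
}

$problems = @()

# 1. The certificate and the private key must share the same RSA modulus.
if ((Get-Modulus 'x509' $crt) -ne (Get-Modulus 'rsa' $key)) {
    $problems += 'certificate and private key do not match'
}

# 2. The Subject Alternative Name must contain the Manager FQDN as a DNS entry.
$text = (& $openssl x509 -in $crt -noout -text) -join "`n"
if ($text -notmatch ('DNS:' + [regex]::Escape($fqdn) + '(\s|,|$)')) {
    $problems += "SAN does not contain DNS:$fqdn"
}

# 3. -checkend 0 exits non-zero when the certificate has already expired.
& $openssl x509 -in $crt -noout -checkend 0 | Out-Null
if ($LASTEXITCODE -ne 0) { $problems += 'certificate has expired' }

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw 'Do not install these files; fix the problems above first.'
}
Write-Host 'Certificate and key are consistent.'
```

Once the .crt and PEM key have been copied to the NGINX conf folder in the next step, delete the PFX and both key files from c:\tmp, since the PEM key written by openssl rsa is stored unencrypted.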

Configure NGINX to use the certificate and PEM-formatted key file

Before I can configure NGINX to use my new certificate and key, I need to stop the App Volumes services.

I make a backup of nginx.conf and copy the crt and key files to the same folder, “C:\Program Files (x86)\CloudVolumes\Manager\nginx\conf”. (PS: It might be useful to launch explorer.exe from an administrative command prompt, in order to get permissions to access this folder.)

From an administrative command prompt, I start notepad.exe and open the nginx.conf file. I comment out the original settings and append my new certificate settings. Save and exit.

Finally, I start up the App Volumes’ services again.

I can now verify the certificate configuration in the App Volumes Manager GUI.
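
The same verification can be done from any domain-joined machine without opening the GUI, which also confirms that clients trust the new certificate. This PowerShell snippet is an added example, not part of the original post; the FQDN is the one used above and port 443 is an assumption about where the Manager listens.

```powershell
# Added example: FQDN taken from this post; port 443 is an assumption.
$fqdn = 'hz-appv-01.ad.admin.frelab.net'
$port = 443

$ssl = $null
$tcp = [System.Net.Sockets.TcpClient]::new($fqdn, $port)
try {
    # No custom validation callback is supplied, so .NET applies the normal
    # Windows chain and host-name checks. A self-signed, untrusted or
    # mismatched certificate makes AuthenticateAsClient throw.
    $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false)
    $ssl.AuthenticateAsClient($fqdn)

    $served = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)

    # Compare Issuer and Thumbprint with the certificate shown in certlm.msc.
    [pscustomobject]@{
        Subject    = $served.Subject
        Issuer     = $served.Issuer
        NotAfter   = $served.NotAfter
        Thumbprint = $served.Thumbprint
    }
}
catch {
    Write-Warning "TLS validation failed for ${fqdn}: $($_.Exception.Message)"
}
finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Dispose()
}
```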

That concludes my session about setting up App Volumes Manager with Domain CA signed certificate.

Official VMware App Volumes Documentation

VMware Horizon JMP planning, deployment etc.

Disclaimer: Every tip, trick and post I have published here is tried and tested in different IT solutions. It is not guaranteed to work everywhere, but is meant as a tip for other users out there. Remember, Google is your friend and don’t be afraid to steal with pride! Feel free to comment below as needed.
