Welcome to my VMware App Volumes series. In this session I will describe how I replaced the default App Volumes Manager SSL certificate. Although the approach below is adequate, and works nicely in environments without a domain CA, it does require a little “handling” to get it to work with VMware Horizon JMP, among others. The upside of using a domain CA signed certificate is that it is trusted by all domain-joined computers and therefore greatly simplifies the deployment process.
Therefore, I have taken the time to change my App Volumes Manager certificate to a domain CA signed certificate. I have posted the procedure describing how to do this here: VMware App Volumes – Replace App Volumes Manager self-signed certificate with Domain CA signed certificate. So if you have a domain CA, that is the preferred approach when it comes to replacing the App Volumes Manager self-signed certificate. If not, proceed with the OpenSSL approach explained below.
Replacing the App Volumes Manager SSL certificate using OpenSSL was not as easy as I first thought. I actually found it to be a multi-tier procedure with the following tasks:
- Create an openssl.cfg file as described by VMware here: Replacing App Volumes Manager SSL Certificate (2095969)
- Download and install OpenSSL for Windows from here: https://slproweb.com/products/Win32OpenSSL.html
- Create a self-signed certificate using OpenSSL for Windows
- Deploy the new certificate
- Backup and edit nginx.conf
- Reboot server and test ssl-certificate
Create an openssl.cfg file
As described in VMware’s KB mentioned above, I first create the openssl.cfg file and edit the line that starts with subjectAltName, as shown below. I enter my server’s hostname, IP address and FQDN. I also change the commonName at the bottom of the file.
Download and install OpenSSL for Windows
This is a pretty default procedure with a download and a next, next, next installation, so there are no screenshots from this. If you experience problems with DLLs while trying to run the command below, download and install Visual C++ Redistributable Packages for Visual Studio 2013 from Microsoft.
Create a self-signed certificate using OpenSSL for Windows
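First I copy my openssl.cfg to the “C:\Program Files\OpenSSL-Win64\bin” folder and create the self-signed certificate files, svserver.key and svserver.crt, by running this command:
openssl req -nodes -new -x509 -keyout svserver.key -sha256 -out svserver.crt -days 3650 -config openssl.cfg -extensions v3_req
The -nodes option writes svserver.key without a passphrase, so the private key is protected only by the file permissions on the folder it is stored in.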
Deploy the new certificate
Before I can copy the svserver.key and svserver.crt to “c:\Program Files (x86)\CloudVolumes\Manager\nginx\conf\”, I rename the existing files, just in case….
Backup and edit nginx.conf
First I stop the “App Volumes Manager” service and back up the nginx.conf file.
In order to edit the nginx.conf file, I start an administrative cmd prompt, launch Notepad from cmd and open the nginx.conf file manually.
I update the ssl_certificate and ssl_certificate_key values with my own crt and key filenames.
Reboot server and test ssl-certificate
Finally, I reboot the server and open VMware App Volumes Manager to verify the new certificate settings. Be aware that I use the host’s FQDN as the URL, as this is what I set up in my openssl.cfg file. If I had used localhost when testing the certificate, this would fail. I click the certificate padlock to view the details. PS: In some environments I have seen the need to manually import svserver.crt into the certificate store on the local server in order to finish this procedure successfully. This procedure must also be repeated on any additional App Volumes Manager servers you have.
PS: It is important to use the correct URL when testing the certificate, as it is configured to work with the FQDN in the openssl.cfg file I created to begin with. If I had used https://localhost/login, there would have been a certificate error on the login page.
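To check the result without relying on the browser padlock, the PowerShell below compares the certificate nginx actually serves with svserver.crt on disk and lists whether the FQDN and localhost appear in its subjectAltName. This is an added example, not part of the original procedure or VMware's KB; the FQDN appvol01.example.local is a constructed placeholder, and the SAN parsing assumes the Windows text format of the extension.

```powershell
# Added example. Assumed values (replace with your own):
$Fqdn    = 'appvol01.example.local'   # constructed placeholder for the FQDN in subjectAltName
$CrtPath = 'C:\Program Files (x86)\CloudVolumes\Manager\nginx\conf\svserver.crt'

function Get-SanEntries {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # 2.5.29.17 is the OID of the subjectAltName extension
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $ext) { return @() }
    # On Windows, Format($false) yields e.g. "DNS Name=host, IP Address=10.0.0.10"
    $ext.Format($false) -split ',\s*' | ForEach-Object { ($_ -split '=', 2)[1] }
}

function Get-ServedCertificate {
    param([string]$HostName, [int]$Port = 443)
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # The callback accepts any certificate: this connection only reads it,
        # no data is sent over it and no trust decision is made here.
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($HostName)
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    }
    finally { $tcp.Dispose() }
}

$disk   = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CrtPath)
$served = Get-ServedCertificate -HostName $Fqdn
$san    = Get-SanEntries -Cert $served

[pscustomobject]@{
    ServedMatchesDisk  = $served.Thumbprint -eq $disk.Thumbprint   # False: nginx.conf still points at the old files
    FqdnInSan          = $san -contains $Fqdn                      # must be True for https://<fqdn>/ to validate
    LocalhostInSan     = $san -contains 'localhost'                # False explains the error on https://localhost/login
    SignatureAlgorithm = $served.SignatureAlgorithm.FriendlyName
    NotAfter           = $served.NotAfter
}
```

Run it on the App Volumes Manager server itself or on any machine that can reach port 443 and read the .crt file.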
Disclaimer: Every tip, trick and posting I have published here is tried and tested in different IT solutions. It is not guaranteed to work everywhere, but is meant as a tip for other users out there. Remember, Google is your friend and don’t be afraid to steal with pride! Feel free to comment below as needed.