First we need to understand how certificates work. The commercially signed certificate we get from Godaddy, Geotrust, Verisign,etc. is usually signed by an intermediate certificate, which is signed by a root certificate. This is commonly referred to as the certificate "Chain". By default in Windows we are blind to this because most major commercial certificates are pre-populated in our "Trusted Certificate Store" within windows, because Microsoft decided that we should trust those people they pre-populate for us. Trusting somebody's SSL cert is all about validating the chain. No exception is made in VIEW.
In the Teradici firmware they are of the mindset that we, the administrators, will decide who to trust. As a result they have included 0 pre-populated root or other certificates. If you do not do this you may recieve teh error message that says something to the effect of "the certificate is not rooted in the local devices certificate store" on the PCoIP thin client. We need to put whatever certs we want to trust into the device. This can be done in two ways;
- Through the device directly - we would login to the web interface of the device and select the Upload > Certificate at the top of the screen.
- This will bring us to a selection screen to upload the certificates of our choice
- Second we could do the same thing in the PCoIP management console by importing the certificates into a profile
At this point you may be thinking, this is great but where do I find these certificates? And here is my answer. It depends. I'll give what I think is going to be the scenario you'll find in most VMware VIEW deployments but there are a variety of ways to obtain the Root, Intermediate and client cert. By the time you get to this point you will more than likely have upgraded your view environment. If this is the case you'll have imported the Commercially Signed Certificate into your connection brokers. This is a great place to get this information. Visit the URL for your connection server, as if you were connecting to it to be provisioned a desktop.
- Click the little lock in the address bar. It will be in different places depending on the browser I'm using Chrome
- Next you'll see a certificate information link and you'll want to click that, which brings up a familiar box containing certificate information
- Now we want to grab the two certificates listed on the top two lines. These are the intermediate and the root certificate, which is the whole certificate chain. You'll do this by selecting each one, one at a time and choosing view certificate
- Choose the Details tab and select copy to file
- This launches a wizard which will allow you to export the certificate. Choose the correct file type, like in the picture below.
- After the file is saved it will save as a .cer file, simply rename it to .pem. It needs to be .pem for the teradici appliances to understand it. Follow the instructions above to upload and you should be good to go.