First we need to understand how certificates work. The commercially signed certificate we get from GoDaddy, GeoTrust, VeriSign, etc. is usually signed by an intermediate certificate, which is in turn signed by a root certificate. This is commonly referred to as the certificate "chain". By default in Windows we are blind to this because the certificates of most major commercial CAs are pre-populated in the "Trusted Certificate Store" within Windows; Microsoft decided that we should trust the people they pre-populate for us. Trusting somebody's SSL cert is all about validating the chain. No exception is made in View.
In the Teradici firmware they are of the mindset that we, the administrators, will decide who to trust. As a result they have included zero pre-populated root or other certificates. We need to put whatever certs we want to trust into the device; if you do not, you may receive an error message on the PCoIP thin client that says something to the effect of "the certificate is not rooted in the local devices certificate store". Loading the certificates can be done in two ways:
- Through the device directly: log in to the web interface of the device and select Upload > Certificate at the top of the screen.
  - This will bring us to a selection screen to upload the certificates of our choice.
- Second, we could do the same thing in the PCoIP Management Console by importing the certificates into a profile.
At this point you may be thinking, this is great, but where do I find these certificates? My answer: it depends. I'll give what I think is going to be the scenario you'll find in most VMware View deployments, but there are a variety of ways to obtain the root, intermediate and client certs. By the time you get to this point you will more than likely have upgraded your View environment. If this is the case, you'll have imported the commercially signed certificate into your connection brokers. This is a great place to get this information. Visit the URL for your connection server, as if you were connecting to it to be provisioned a desktop.
- Click the little lock in the address bar. It will be in different places depending on the browser; I'm using Chrome.
- Next you'll see a certificate information link. Click that, which brings up a familiar box containing certificate information.
- Now we want to grab the two certificates listed on the top two lines. These are the intermediate and the root certificate, which is the whole certificate chain. You'll do this by selecting each one, one at a time, and choosing View Certificate.
- Choose the Details tab and select Copy to File.
- This launches a wizard which will allow you to export the certificate. Choose the correct file type, like in the picture below.
- The file is saved with a .cer extension; simply rename it to .pem. It needs to be .pem for the Teradici appliances to understand it. Follow the instructions above to upload and you should be good to go.
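Renaming a file does not change its encoding, so the rename in the last step only produces real PEM if the export was Base-64 text. The following is an added example, not part of the original post: a Python check that classifies an exported file's bytes as PEM, binary DER or PKCS #7 and normalizes single-certificate exports to PEM. The function names and the two sample byte strings are constructed for illustration; the samples have the right outer DER shape but are not real certificates, and the check looks at encoding only, not at whether the chain is valid.

```python
import base64
import re
import ssl

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+(.*?)\s+-----END CERTIFICATE-----", re.S)

# Constructed byte strings with the right outer DER shape; NOT real certificates.
FAKE_DER = bytes.fromhex("3006300402021234")            # SEQUENCE { SEQUENCE {...} }
FAKE_P7B = bytes.fromhex("300b06092a864886f70d010702")  # SEQUENCE { OID signedData }


def _as_text(data: bytes) -> str:
    """Decode for PEM matching; drops a UTF-8 BOM and any binary bytes."""
    return data.lstrip(b"\xef\xbb\xbf").decode("ascii", errors="ignore")


def classify(data: bytes) -> str:
    """Return 'pem', 'der', 'pkcs7' or 'unknown' for an exported file's bytes."""
    if PEM_RE.search(_as_text(data)):
        return "pem"
    if len(data) < 3 or data[0] != 0x30:        # DER must open with a SEQUENCE
        return "unknown"
    if data[1] < 0x80:                          # short-form length
        off, length = 2, data[1]
    else:                                       # long form: next n bytes hold it
        n = data[1] & 0x7F
        if not 1 <= n <= 4:
            return "unknown"
        off, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    if length == 0 or off + length != len(data):  # truncated or trailing junk
        return "unknown"
    # X.509 starts with the tbsCertificate SEQUENCE; PKCS #7 starts with an OID.
    return {0x30: "der", 0x06: "pkcs7"}.get(data[off], "unknown")


def to_pem(data: bytes) -> str:
    """Return LF-terminated PEM text, or raise ValueError for other formats."""
    kind = classify(data)
    if kind == "der":
        return ssl.DER_cert_to_PEM_cert(data)
    if kind == "pem":
        # Re-emit each block so CRLF line endings and a BOM are normalized away.
        bodies = PEM_RE.findall(_as_text(data))
        return "".join(
            ssl.DER_cert_to_PEM_cert(base64.b64decode("".join(b.split())))
            for b in bodies)
    raise ValueError(f"not an X.509 certificate export (detected: {kind})")
```

Read the exported file in binary mode, pass its bytes to `to_pem`, and write the result out as the .pem file to upload; a `ValueError` means the wizard export needs to be repeated with a different file type.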
I just wanted to add one thing, I had to enable "802.1X Authentication Identity" under security config in PCoIP MC.
Thanks for the post though, it did help once I figured out that one box had to be checked as well.
Hello Anonymous,
I checked into this and I did not have to enable "802.1x Authentication Identity" to get this working. This selection should only apply if you are in fact using 802.1x authentication.
Nice post Brad on how certificates work.
I have a question. If I have internal thin clients and they don't have access to the internet, can I use commercially signed certs for View connection servers? As per your post, I simply need to import certs onto the device if they don't exist?
Scenario is, View clients connect from internal and external network (VPN) without Security server.
Hi Virtualcloudz,
Thanks for the comment. To answer your question, yes, you can still use commercial certs, however you don't need to. Basically the only requirement is that the certificate of the connection server is trusted by the thin client. Regardless of whether you use a commercially signed cert or not, the thin client needs to have the root certificate, and any intermediate certificates, that are in the certificate chain of the commercial/non-commercial cert. When you purchase a commercial cert they will give these items to you when you download your certificate from them. Just keep in mind they have to be in .pem format.
-Brad
Thanks for the reply Brad.
I am using commercially signed certs because I will have clients who will be connecting from outside the corporate network. If I use self-signed CA certs, I believe it will be a pain to distribute certs to an unknown number/type of devices.
Thanks,
This was a huge help! Thank you for this.