Wednesday, June 13, 2012

Teradici Firmware version 4 and Certificates

After upgrading to VMware VIEW version 5.1 it has become apparent that certificate configurations are a huge part of getting the environment functioning at all. The VIEW Installation guides are good resources just read carefully. This post is relative to the teradici thin clients like the Wyse P20's or Samsun All in One monitors. I have seen a lot of posts in the communities on this certificate topic and what certificates are required to be stored on the Teradici based devices.

First we need to understand how certificates work. The commercially signed certificate we get from Godaddy, Geotrust, Verisign,etc. is usually signed by an intermediate certificate, which is signed by a root certificate. This is commonly referred to as the certificate "Chain". By default in Windows we are blind to this because most major commercial certificates are pre-populated in our "Trusted Certificate Store" within windows, because Microsoft decided that we should trust those people they pre-populate for us. Trusting somebody's SSL cert is all about validating the chain. No exception is made in VIEW.

In the Teradici firmware they are of the mindset that we, the administrators, will decide who to trust. As a result they have included 0 pre-populated root or other certificates. If you do not do this you may recieve teh error message that says something to the effect of "the certificate is not rooted in the local devices certificate store" on the PCoIP thin client. We need to put whatever certs we want to trust into the device. This can be done in two ways;


  1. Through the device directly - we would login to the web interface of the device and select the Upload > Certificate at the top of the screen.
    1. This will bring us to a selection screen to upload the certificates of our choice
  2. Second we could do the same thing in the PCoIP management console by importing the certificates into a profile
At this point you may be thinking, this is great but where do I find these certificates? And here is my answer. It depends. I'll give what I think is going to be the scenario you'll find in most VMware VIEW deployments but there are a variety of ways to obtain the Root, Intermediate and client cert. By the time you get to this point you will more than likely have upgraded your view environment. If this is the case you'll have imported the Commercially Signed Certificate into your connection brokers. This is a great place to get this information. Visit the URL for your connection server, as if you were connecting to it to be provisioned a desktop. 


  1. Click the little lock in the address bar. It will be in different places depending on the browser I'm using Chrome
  2. Next you'll see a certificate information link and you'll want to click that, which brings up a familiar box containing certificate information
  3. Now we want to grab the two certificates listed on the top two lines. These are the intermediate and the root certificate, which is the whole certificate chain. You'll do this by selecting each one, one at a time and choosing view certificate
  4. Choose the Details tab and select copy to file
  5. This launches a wizard which will allow you to export the certificate. Choose the correct file type, like in the picture below.
  6. After the file is saved it will save as a .cer file, simply rename it to .pem. It needs to be .pem for the teradici appliances to understand it. Follow the instructions above to upload and you should be good to go.


14 comments:

  1. I just wanted to add one thing, I had to enable "802.1X Authentication Identity" under security config in PCoIP MC.

    Thanks for the post though, it did help once I figured out that one box had to be checked as well.

    ReplyDelete
  2. Hello Anonymous,

    I checked into this and I did not have to enable "802.1x Authentication Identity" to get this working. This selection should only apply if you are in fact using 802.1x authentication.

    ReplyDelete
  3. Nice post Brad on how certificates works.

    I have a question. If I have internal thin client and if they don't have access to internet, Can I use commercially signed certs for View connection servers? As per your post, I simply need to import certs on to device if they doesn't exist?

    Scenario is, View clients connects from internal and external network ( VPN) with out Security server.

    ReplyDelete
  4. Hi Virtualcloudz,

    Thanks for the comment. To answer your question yes you can still use commercial certs, however you don't need to. Basically the only requirement is that the certificate of the connection server is trusted by the thin client. Regardless of if you use a commercially signed cert or not the thin client needs to have the root certificate, and any intermediate certificates, that are in the certificate chain of the commercial/non-commercial cert. when you purchase a commercial cert they will give these items to you when you download your certificate from them. Just keep in mind they have to be in .pem format.

    -Brad

    ReplyDelete
  5. This comment has been removed by the author.

    ReplyDelete
  6. Thanks for reply Brad.

    I am using commercially signed certs because I will have clients who will be connecting from outside corporate network. If I use self signed CA certs, I believe it will the pain to distribute certs to unknown number/ type of devices.

    Thanks,

    ReplyDelete
  7. This was a huge help! Thank you for this.

    ReplyDelete

  8. Thanks on your marvelous posting! I certainly enjoyed reading it, you can be a great author. I will make sure to bookmark your blog and will eventually come back from now on. I want to encourage you continue your great posts, have a nice evening! facebook sign in

    ReplyDelete