Update VMware Horizon View SSL Certs with your own Windows Domain CA Certificates using PowerShell
Well, this script was different. Unlike the other posts in this series, I was required to use only Microsoft command line tools instead of OpenSSL. Not that I'm opposed to using certreq and certutil -- I actually started this whole cert automation project to see if it was possible to use only these tools and PowerShell, but ultimately it appeared that for whatever crypto reason, OpenSSL was required for the replacement of vSphere SSL certs.
So it was especially surprising to me that no matter how I imported/exported the OpenSSL generated keys, nothing worked until I used certreq and certutil. If anyone knows the reasons, I'd love to hear them.
ReplaceSSL-View.ps1 backs up the old certificate found in your Machine Certificate Store, adds a new one with the proper FriendlyName "vdm" and restarts all View services.
#########################################################################################
VMware Horizon View SSL Generation and Replacement script version 0.5
Tested on View 5.2
No guarantees, warranties, etc.
Blog post: https://goo.gl/bFApH
#########################################################################################
Place the certs on a network location if your farm is larger than one server
$basedir = "\\fileserver\share\Certs"
Enter your Windows Certificate Authority information
below. Make sure it responds to certutil requests.
$rootCA = "dc.base.local" $rootCAName = "BASE-DC-CA" $email = "[email protected]" $org = "NetNerds" $city = "Kaplan" $state = "LA" $country = "US"
View install directory
$viewdir = "C:\Program Files\VMware\VMware View"
##############################################################################################
You probably don't need to change anything below.
##############################################################################################
if ((Get-WmiObject Win32\_Service | where-object {$\_.DisplayName -like 'VMware View\*'}).Count -eq 0) {
Write-Host "No View Services found. Script terminating."; exit
}
$thisfqdn = ("$env:computername.$env:userdnsdomain").ToLower()
$backuptime = (Get-Date -uformat "%m%d%Y%H%M%S")
$backupdir = "$servicedir\\backup-$backuptime"
$certTemplate = "CertificateTemplate:WebServer"
if (!(Test-Path "$basedir")) { $null = New-Item -Type Directory "$basedir" }
Write-Host -Foreground "DarkBlue" -Background "White" "Downloading root CA Cert.."
$wc = New-Object System.Net.WebClient
$url = "https://$rootCA/certsrv/certnew.cer?ReqID=CACert&Renewal=0&Enc=b64"
$root64 = "$basedir\\Root64.cer"
$wc.UseDefaultCredentials = $true; $wc.DownloadFile($url,$root64)
######################################################################
Generate Certs
######################################################################
Write-Host -Foreground "DarkBlue" -Background "White" "Generating service certs.."
$service = "$thisfqdn-view"
$server = $thisfqdn.Substring(0,$thisfqdn.IndexOf("."))
$servicedir = "$basedir\\$service"
$servicecfg = "$servicedir\\request.inf"
$servicecsr = "$servicedir\\$service.csr"
$servicecrt = "$servicedir\\$service.crt"
$servicepfx = "$servicedir\\$service.pfx"
$keyalias = "vdm"
if (Test-Path($servicedir)) { $null = Remove-Item "$servicedir\\\*.\*" } else {$null = mkdir $servicedir }
Set-Content $servicecfg "\[Version\]"
Add-Content $servicecfg 'Signature="$Windows NT$"'
Add-Content $servicecfg "\[NewRequest\]"
Add-Content $servicecfg "Subject = ""CN=$thisfqdn, OU=View, O=$org, L=$city, S=$state, C=$country"""
Add-Content $servicecfg "KeySpec = 1"
Add-Content $servicecfg "KeyLength = 2048"
Add-Content $servicecfg "Exportable = TRUE"
Add-Content $servicecfg "MachineKeySet = TRUE"
Add-Content $servicecfg "FriendlyName=""vdm"""
Add-Content $servicecfg "SMIME = False"
Add-Content $servicecfg "PrivateKeyArchive = FALSE"
Add-Content $servicecfg "UserProtected = FALSE"
Add-Content $servicecfg "UseExistingKeySet = FALSE"
Add-Content $servicecfg "ProviderName = ""Microsoft RSA SChannel Cryptographic Provider"""
Add-Content $servicecfg "ProviderType = 12"
Add-Content $servicecfg "RequestType = PKCS10"
Add-Content $servicecfg "KeyUsage = 0xa0"
Add-Content $servicecfg "\[EnhancedKeyUsageExtension\]"
Add-Content $servicecfg "OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication"
Add-Content $servicecfg "\[RequestAttributes\]"
Add-Content $servicecfg "SAN=""DNS=$thisfqdn&DNS=$server"""
$oldcert = (Get-ChildItem Cert:\\LocalMachine\\My -Recurse | Where-Object {$\_.Friendlyname -eq 'vdm'})
certreq -new $servicecfg $servicecsr
certreq -submit -config ""$rootCA\\$rootCAName"" -attrib $certTemplate $servicecsr $servicecrt $servicepfx
certreq -accept -machine $servicecrt
###############################################################################
Update View
###############################################################################
Write-Host -Foreground "DarkBlue" -Background "White" "Updating View Certs.."
$viewServices = (Get-WmiObject Win32\_Service | where-object {$\_.DisplayName -like 'VMware View\*' -and $\_.State -eq 'Running'})
Write-Host -Foreground "DarkBlue" -Background "White" "Stopping View Services.."
if ($viewServices -ne $null) {$viewServices | Stop-Service }
Write-Host -Foreground "DarkBlue" -Background "White" "Adding new certificate.."
$null = (New-Item -Type Directory $backupdir)
if ((Get-ChildItem cert:\\LocalMachine\\My -Recurse | Where-Object {$\_.Friendlyname -eq 'vdm'}).Count -gt 1) {
Write-Host -Foreground "DarkBlue" -Background "White" "Removing old certificate.."
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store My, LocalMachine
$store.Open("ReadWrite")
$bytes = ($oldcert.export(\[System.Security.Cryptography.X509Certificates.X509ContentType\]::Cert))
$null = (\[System.IO.File\]::WriteAllBytes("$backupdir\\vdm.crt", $bytes))
$store.Remove($oldcert)
$store.Close()
}
if ($viewServices -ne $null) {$viewServices | Start-Service }
###############################################################################
Finish
###############################################################################
Write-Host -Foreground "DarkBlue" -Background "White" "Done!"
Download ReplaceSSL-View.ps1
All SSL Certificate Replacement Posts and Scripts in this Series
vSphere 4.1-5.0 SSL Generation and Replacement Post |