If you have ever used Let’s Encrypt SSL certificates, you know they are easy to use and free! The free part is the best part of the solution. Especially if you run a home lab, Let’s Encrypt provides a great option for installing proper certificates in your environment. What about VMware Horizon? I wanted to go through the steps to show how to install a Let’s Encrypt certificate in a VMware Horizon environment. How do you do this for your UAG box and your load balancer, and what DNS configuration considerations are there for internal clients? Let’s look at how to install a Let’s Encrypt SSL certificate for VMware Horizon 7 and see how this can be done.
What is Let’s Encrypt?
First, what if Let’s Encrypt is totally foreign to you? What is it? By their own definition, they are a free, automated, and open certificate authority (CA) that has been established for the benefit of the public. It is provided by the Internet Security Research Group (ISRG).
Since the security of the data transmitted across the Internet relies on SSL/TLS encryption, SSL certificates are a huge deal. You want to have SSL certificates installed on all your public-facing sites and other services. By now that should be a baseline requirement, no questions asked.
Now that we have great resources like Let’s Encrypt, SSL certificates are a non-issue from a cost perspective as well. What are the key concepts behind Let’s Encrypt?
- It’s free
- It can be automatically configured to renew, etc
- Secure – uses TLS security best practices
- Transparent security – all certs are available for viewing and scrutiny
- Open standard
- Joint effort – Let’s Encrypt is a joint effort to benefit the Internet community with better security across the board
Install VMware Horizon 7 Let’s Encrypt SSL Certificate
The workflow that I will be following to install Let’s Encrypt certificates in my VMware Horizon 7 environment is as follows:
- On the Windows-based Horizon Connection Server, run the “win-acme” Let’s Encrypt client to generate the certificate in the local certificate store
- Also generate a PEM formatted certificate for use on the UAG boxes
- Install the Let’s Encrypt certificate on UAG boxes
- Install the Let’s Encrypt certificate on Load balancer in front of connection servers
- Reconfigure the certificate thumbprint on the UAG boxes to match the new thumbprint presented by the Let’s Encrypt certificate
Running the Win-Acme Tool
There is a free Let’s Encrypt tool, win-acme, available on GitHub that can be used for creating or renewing your certificates. We will use it to generate a new certificate for our Horizon environment.
The win-acme tool is essentially a command-line wizard that walks through a workflow based on the choices you make in its menus. Here we are going to Create new certificates with advanced options.
Here we are choosing to manually input the host names.
Next, choose the hostname and friendly name for the certificate.
Choose how you want to perform the validation. There are many options for this, including serving the validation files from memory, DNS records, scripts, and others. Also, we are going to place the certificate in the certificate store of the Horizon Connection Server.
A note here: the certificate created in the certificate store is not actually going to be assigned to the Connection Server. However, placing it there gives you the option to export it, among other capabilities. The PEM files are what will be imported on the UAG boxes.
In the next step, as mentioned, we are creating PEM files in addition to the certificate store placement. This will produce the PEM format needed for the UAG boxes without having to do any converting using OpenSSL. You have to define a path for the output of the PEM files.
Finally, the utility actually creates the certificate and outputs the additional PEM files to the folder.
You get two PEM files. One is the PEM “key” and the other is the certificate.
Install the Let’s Encrypt PEM SSL Certificate on the UAG boxes
Log in to your UAG admin interface. Navigate to Advanced Settings > TLS Server Certificate Settings.
I have copied the certificate files that were created on the Horizon Connection Server to a folder on the desktop of my admin workstation. After logging into the UAG box, I select the key and chain files accordingly under the TLS Server Certificate settings.
Once you save the new certificate, your browser will display a message similar to the one below. Depending on which options you select, the message will state which services the certificate is applied to.
Once you refresh your browser session, you can view the certificate that is presented and make sure it is the new certificate you have installed. You can verify this by the Issued to as well as the Valid from fields.
After installing on the UAG boxes, if you have a load balancer in your environment, you can also install your new cert there as well. I have a load balancer in front of my connection servers in the lab.
I can install the cert here as well. Then, using DNS, I can point clients to the proper name internally with the cert on the load balancer as well as have the cert on the UAG boxes for external access.
For a tutorial on standing up an easy Horizon load balancer, see here:
There is another step we need to take. The UAG box relies on the correct thumbprint on the cert to make a connection to the Horizon edge services. As you can see below, we now have an error on the Horizon Destination Server due to the cert thumbprint changing.
Since I am pointing from the UAG box to my load balancer, I need to get the thumbprint from the new certificate that I now have installed on the load balancer. Open a browser, view your cert, and get the Thumbprint value.
Go back to your UAG and under Horizon settings replace the Connection Server URL Thumbprint with the new value. The format is to start the string with sha1= followed by your thumbprint with a space between every two characters.
After replacing the certificate thumbprint value and refreshing the services, we now have all green.
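The thumbprint step above is easy to get wrong by hand (a missing space or a stale value leaves the Horizon Destination Server status red). The following added example, which is not code from the original post, from VMware or from win-acme, derives the UAG-formatted value directly from the PEM certificate that win-acme wrote (the same certificate you installed on the load balancer) and compares it with whatever is currently typed into the UAG field. It assumes the leaf certificate is the first block in the PEM chain file and that UAG wants the space-separated `sha1=XX XX ...` form described above; the sample PEM embedded at the bottom is constructed from dummy bytes and is not a real certificate.

```python
"""
Derive the UAG "Connection Server URL Thumbprint" value from a PEM certificate.

Added example; not code from the original post, VMware or win-acme. It assumes
the PEM file win-acme wrote (or one exported from the load balancer) lists the
leaf certificate first, and that UAG wants the space-separated "sha1=XX XX ..."
form the post describes. The sample PEM at the bottom is constructed from dummy
bytes and is not a real certificate.
"""
import base64
import hashlib
import re
from typing import List

# Strict shape of the UAG field: "sha1=" then 20 hex pairs separated by single spaces.
UAG_THUMBPRINT_RE = re.compile(r"^sha1=(?:[0-9A-Fa-f]{2} ){19}[0-9A-Fa-f]{2}$", re.IGNORECASE)

# One CERTIFICATE block inside a PEM file (a chain file holds several).
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL
)


def pem_certificates_to_der(pem_text: str) -> List[bytes]:
    """Return the DER bytes of every CERTIFICATE block, in file order (leaf first)."""
    return [
        base64.b64decode("".join(m.group(1).split()))
        for m in PEM_CERT_RE.finditer(pem_text)
    ]


def format_thumbprint(hex_digest: str) -> str:
    """Turn a hex digest into the 'sha1=AB CD ...' string the UAG admin UI expects."""
    h = hex_digest.upper()
    return "sha1=" + " ".join(h[i : i + 2] for i in range(0, len(h), 2))


def uag_thumbprint(pem_text: str) -> str:
    """SHA-1 over the DER encoding of the leaf certificate, UAG formatted.

    This is the same value a browser shows in the certificate's Thumbprint field.
    """
    certs = pem_certificates_to_der(pem_text)
    if not certs:
        raise ValueError("no CERTIFICATE block found in PEM input")
    return format_thumbprint(hashlib.sha1(certs[0]).hexdigest())


def normalize_uag_thumbprint(value: str) -> str:
    """Canonicalize a hand-typed value; raise ValueError if its shape is wrong."""
    value = value.strip()
    if not UAG_THUMBPRINT_RE.match(value):
        raise ValueError(f"not in 'sha1=XX XX ...' form: {value!r}")
    return format_thumbprint(value[5:].replace(" ", ""))


def is_valid_uag_thumbprint(value: str) -> bool:
    """True when the value has the shape UAG expects (says nothing about correctness)."""
    try:
        normalize_uag_thumbprint(value)
        return True
    except ValueError:
        return False


def thumbprint_matches(configured: str, pem_text: str) -> bool:
    """True when the value configured on the UAG equals the thumbprint of the PEM leaf.

    False here is the red 'Horizon Destination Server' status seen after a renewal.
    """
    if not is_valid_uag_thumbprint(configured):
        return False
    return normalize_uag_thumbprint(configured) == uag_thumbprint(pem_text)


# Constructed sample: dummy bytes wrapped in PEM armour, NOT a real certificate.
DER_SAMPLE = b"constructed-placeholder-not-a-real-certificate"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(DER_SAMPLE).decode()
    + "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    import sys
    # Usage: python uag_thumbprint.py <chain.pem> [<value currently set on the UAG>]
    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PEM
    print(uag_thumbprint(pem))
    if len(sys.argv) > 2:
        print("matches UAG setting:", thumbprint_matches(sys.argv[2], pem))
```

Run it against the chain PEM win-acme produced and paste the printed value into the UAG field; pass the current UAG value as a second argument after a renewal to confirm whether the red status is simply a stale thumbprint. The digest is computed over the DER encoding, which is what the browser's Thumbprint field shows, so the two should agree.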
The process to install a Let’s Encrypt SSL certificate for VMware Horizon 7 in your environment is pretty straightforward. Using the utility, you can easily spin up a new certificate in the correct PEM format to install on your UAG boxes.
As shown, a few other steps may be required if you are using a load balancer. Also, you will need to replace the thumbprint on your UAG box pointed to the connection server environment, whether this is the load balancer or a direct connection with your Horizon Connection Server. However, this is a standard step you have to perform regardless.