vCenter SSL certificate and XenDesktop (PoSH script)

vCenterRebuilding your XenDesktop lab environment, everybody does it and everybody runs into that issue when you configure the vCenter connection from Citrix Studio with a self-signed certificate.

 

After my initial installation of XenDesktop I configured XenDesktop to point at my vCenter appliance which has a self signed SSL certificate.. which resulted in:

Citrix has posted a procedure to configure this properly:

According to the XenDesktop Admin Guide in Citrix eDocs (http://support.citrix.com/proddocs/topic/xendesktop-7/cds-vmware-rho.html) a simple solution to this challenge is to connect to vCenter using IE, accept the security warning, click on the certificate warning and install the server certificate on the XenDesktop Broker.Unfortunately this does not work in all cases. But luckily there is another option to make it work:1. Connect to your vCenter server and browse to „C:\ProgramData\VMware\VMware VirtualCenter\SSL“2. Copy the cacert.pem file to your XenDesktop Broker (to the C:\Temp directory for example)3. Open a Microsoft Management Console (by running the mmc.exe command) as an Administrator4. Add the Certificates Snap-In and select to manage certificates for the local computer account.

5. Browse to „Trusted Root Certification Authorities“ and select Import

6. Import the cacert.pem file. (You need to select „All Files“ from the dropdown menu in the lower right hand corner, to be able to see it)

7. Now you should be able to see the vCenter certificate in the list of trusted certificates and XenDesktop should connect to vCenter without any error message.

Obviously there are good reasons for not using self-signed certificates in production environments, so you should use the aforementioned technique for POC environments only. For all other cases go and get a proper server certificate.

As I was configuring multiple XenDesktop Delivery Controllers I didn’t want to follow this procedure multiple times so I wrote a small PoSH script to walk you through these steps:

1) Ask you for the vCenter IP address

2) Ask you for the vCenter FQDN

3) Will check if the vCenter FQDN is reachable

4) If it is it will proceed with step 6

5) If it’s not reachable it will put the vCenter IP address and vCenter FQDN in your local HOSTS file

6) It will get the SSL Certificate from your vCenter and import it into the “Trusted People” Computer store.

You can get your copy of the script here:

The XenDesktop SSL script version 1 (signed) can be downloaded here:XenDesktop SSL Config (Signed) (606)

The XenDesktop SSL script version 1 (unsigned) can be downloaded here:XenDesktop SSL Config (Unsigned) (617)

Thanks to Andrew Morgan for the sanity check of my attempt to script and Carl Webster for his endless work on his PoSH scripts (which I took as an example for this script).

The following two tabs change content below.

Kees Baggerman

Kees Baggerman is a Staff Solutions Architect for End User Computing at Nutanix. Kees has driven numerous Microsoft and Citrix, and RES infrastructures functional/technical designs, migrations, implementations engagements over the years.

2 comments

  1. Websterer says:

    Kees,

    Thanks for this info. The path changed in vCenter 6. I had to use IE, browse to my vCenter FQDN and import the cert into Trusted People in order to get Studio to create the Connection.

    Webster

  2. […] on my earlier script to import the SSL certificate for vCenter I decided to do the same for the Nutanix PRISM interface, the previous script could be easily reused […]

Leave a Reply