Installing properly recognized public external SSL certificate on UAG
From Notes_Wiki
<yambe:breadcrumb self="Installing properly recognized public external SSL certificate on UAG">VMWare Horizon|VMWare Horizon</yambe:breadcrumb>
Installing properly recognized public external SSL certificate on UAG
To install properly recognized public external SSL certificate in UAG use following steps:
- Login into UAG admin interface https://<FQDN>:9443/
- On the welcome page select "Configure Manually"
- In the General Settings > Edge Service Settings, click Show.
- Click the Horizon Settings gearbox icon.
- Validate "Connection Server URL". UAG should be able to resolve it via its DNS
- Validate "PCOIP External URL". This should be public IP (and not FQDN):port. (Default port 4172)
- Validate "Blast External URL". This can be public FQDN with port (Default port 443)
- Tunnel External URL. This also can be configured via FQDN
- For certificate installation go to "Advanced Settings" -> "TLS Server Certificate Settings"
- Here change the certificate from PEM to PFX and upload PFX certificate. We have encounted many different types of error with PEM file, while the same PEM when converted to PFX using:
- openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
- was accepted without any issue. Non-working PEM Certificate was valid and formatted as per https://vdijedi.wordpress.com/2020/04/08/how-to-format-certificates-for-use-with-horizon-unified-access-gateways/ Even after adding spaces between ---END CERTIFICATE--- and ---BEGIN CERTIFICATE--- of different certificates in certificate chain as per below links the issue was not solved. Hence use of PFX for importing certificate into UAG is recommended.
- Various errors seen when using PEM are described at:
- https://docs.vmware.com/en/Unified-Access-Gateway/2012/uag-deploy-config/GUID-F679C363-4B4A-4148-A6B3-21079D957C71.html
- https://www.ssl247.com/kb/ssl-certificates/troubleshooting/tomcat/keytool-error-input-not-x509-certificate-improper-format-of-certificate-java
- Perhaps need to convert PEM to single line format as described at https://docs.vmware.com/en/Unified-Access-Gateway/2012/uag-deploy-config/GUID-870AF51F-AB37-4D6C-B9F5-4BFEB18F11E9.html We are better of using PFX then trying to do this conversion.
Refer:
- Openssl For certificate conversion from one format to another
- https://docs.vmware.com/en/Unified-Access-Gateway/3.2.1/com.vmware.uag-321-deploy-config.doc/GUID-1B8665A2-485E-4471-954E-56DB9BA540E9.html
- https://www.virtualizationhowto.com/2020/03/unified-access-gateway-uag-certificate-install/
- https://docs.vmware.com/en/Unified-Access-Gateway/2012/uag-deploy-config/GUID-59A33B87-B3E9-4A80-9348-1AE841EDF567.html#GUID-59A33B87-B3E9-4A80-9348-1AE841EDF567
<yambe:breadcrumb self="Installing properly recognized public external SSL certificate on UAG">VMWare Horizon|VMWare Horizon</yambe:breadcrumb>
