Using Wildcard Certificates in VMware Horizon Workspace 1.5

When installing VMware’s Workspace 1.5 for the first time, you are asked for a unique FQDN from which Workspace will be accessed. The default will be the gateway appliance, or “”. It will create its own SSL certificates and install them on the rest of the appliances in the vApp.

Changing the FQDN to something more business-appropriate, new SSL certificates are needed. Since this is a Linux based appliance, importing the certificates can get a little complicated. So, here we go. This wasn’t a whole lot of fun the first time.


1.       1. Download and install the OpenSSL tool on a client machine that has access to the configurator-va appliance in the Workspace vApp

2.      2. Primary Certificate (the wildcard), the Intermediate Certificate (SSL provider) and the Trusted Root Certificate (from the SSL provider also)

3.       3. Copy the .crt and .pfx files from your SSL provider to a local folder on the client machine you’ll be working from. Specifically, you’ll need the Access to the configurator-va web GUI

Let’s Cook-

Go to the configurator-va web interface and login. Click the FQDN & SSL link in the left pane. In the SSL Certificate section, click the “Provide Custom” radio button. This will reveal the text fields needed to input the SSL Chain and private Key.

Open the crt files one by one in Word or Notepad. Copy and paste the text based certificates into new text files and save them separately.

Export and Decrypt The Private Key
To export the private key, start the Openssl application via the command line with Administrator privliges. In the command line, navigate to the folder that contains the openssl executable. For my installation, it was c:\Openssl-win32\bin.

Run the command:

openssl pkcs12 -in filename.pfx -nocerts -out key.pem

This will extract the private key to the key.pem file. The filename “key” is just an example and can be named anything. A password may be needed to open the pfx file, it will be the same password used if the pfx was exported at some time via Windows Certificate MMC.

The key.pem file, when opened in a text editor, will have different headers than what Workspace expects. In the Private Key example in the Workspace GUI, there is an RSA header and footer to the file. Removing the passphrase from the private key will reveal the RSA Headers needed to import the key. In openssl, run the following command:

openssl rsa -in key.pem -out server.key

 When opening the server.key file in a text editor, it will be in the correct format with the RSA header and footer. Copy and paste the text version into a text file.

Adding the certificates to the configurator-va:

1. Copy and paste the text versions of the certificates into the SSL Chain box in the following order:

a.       a. Server (Wildcard)

b.      b. SSL provider (Intermediate)

c.       c.Trusted Root

2. Copy and paste the text version of the Private Key, click out of the input field to light up the Save box. Click Save and the configurator will go through and update the SSL on all the appliances.

Once the configurator-va has restarted, the new FQDN will be present. If it isn’t , run through the process again.

Categories: VMware

Tags: , , , , , , , , ,

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Brad Hedlund

stuff and nonsense


Every cloud has a silver lining.

Live Virtually

A Storage and Virtualization Blog

Virtualization Team

VMware ESX/ESXi - ESX server - Virtualization - vCloud Director, tutorials, how-to, video

Just another site

VirtualKenneth's Blog - hqVirtual | hire quality

Virtualization Blog focused on VMware Environments


Virtually everything is POSHable

Gabes Virtual World

Your P.I. on virtualization


by Duncan Epping

Wahl Network

Technical Solutions for Technical People

Joking's Blog

Phoenix-based IT guy with too much to say...

%d bloggers like this: