...
- After importing a third-party SSL certificate, the View Administrator portal does not load.
- The VMware View Security Gateway Component service starts but stops later.
- In the Connection Server Event logs, you see the entry: The VMware View Security Gateway Component service terminated unexpectedly
- When attempting to log in to the Horizon View Administrator portal, you may see an SSL error or a 404 in the browser: ssl_error_no_cypher_overlap
- Connections to virtual desktops using the View software client or HTML5 fail.
We strongly recommend using Certreq to generate and install certificates for Horizon View. The article "Using Microsoft Certreq to generate signed SSL certificates in VMware Horizon View (2032400)" outlines the process step by step, with a sample request.inf template file to accelerate the process. Issues can arise when alternate methods are used to generate and import the certificate.

This article provides steps to examine the certificate and confirm that it was imported correctly. The process ensures that the certificate has an exportable private key that Horizon View can use to encrypt traffic over HTTPS.

This is a child article of the following: Troubleshooting SSL certificate issues in VMware Horizon
- If the private key contained within the certificate is not exportable.
- If a certificate is not imported into the server where the original request was generated.
- The Connection Server cannot read the certificate private key due to an operating system issue.
- A private key can also be inaccessible due to a permissions issue with its location, even if exportable (for example, if the certificate is accidentally moved to a different folder).
Restarting your Connection Server may disrupt client connections and ongoing provisioning tasks. When replacing a cert, you can split the task into 2 phases:

- Non-Disruptive: Import the cert and verify the criteria, placing emphasis on the exportability of the key.
- Disruptive: A maintenance window in which you pause provisioning tasks and make sure clients are aware, giving you time to change the old cert's Friendly name to "backup", rename the new cert, restart the Horizon Server, and then test client and admin page accessibility after the restart.
Steps to validate if the private key is marked as exportable:

1. In the Connection Server, click Start, type MMC, and click OK.
2. Click File > Add/Remove Snap-in.
3. Click Certificates and click Add.
4. Click the Computer account and click Next.
5. Click Local computer and click Finish > OK.
6. Expand Certificates (Local Computer).
7. Expand Personal.
8. Expand Certificates.
9. Identify the certificate in use.
10. Double-click the certificate. On the General page, you see the message "You have a private key that corresponds to this certificate".
11. Click the Details tab and click Copy to File.
12. Click Next in the pop-up window.
13. You will see two options on the next page:
    - If the "Yes, export the private key" option is grayed out, the private key is not exportable. To resolve this issue, import the original .pfx file to the intended connection broker or security server. This file should have a padlock icon on it to signify a key is present. If the key is not exportable after re-import, regenerate the cert.
    - If the private key is present, continue and confirm that the export process completes successfully.

Export Steps:

1. Export the certificate by clicking Action > All Tasks > Export, making sure to tick the option to export the private key.
   Note: Export including the private key. If the export process fails, generate a new cert to resolve this issue.
2. Right-click the Personal > Certificates folder and select All Tasks > Import.
   Note: When importing the certificate, ensure that you select the checkbox to make the certificate exportable. This is a requirement for VMware Horizon.
3. Restart the View Connection Server.
4. Test logging into the View Administration page.
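The same checks as the MMC procedure above can be scripted. This is an added PowerShell example, not VMware's own tooling: it reads the key's properties without exporting anything, and distinguishes a missing key, a non-exportable key, and a key the operating system cannot read. The default friendly name `vdm` and the function name `Get-KeyExportStatus` are assumptions of this example; pass the friendly name your certificate actually carries.

```powershell
# Added example: report the private-key status of the Horizon certificate.
# Assumptions: the certificate is in LocalMachine\My; the 'vdm' default is
# chosen for this example only, override it with -FriendlyName.
param([string]$FriendlyName = 'vdm')

function Get-KeyExportStatus {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    if (-not $Cert.HasPrivateKey) { return 'NoPrivateKey' }
    try {
        # Throws when the key container is missing or its ACL denies access.
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($null -eq $rsa) { return 'NotRsaKey' }

        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            # CNG (KSP) key: the export policy is a flags enum.
            $allow = [System.Security.Cryptography.CngExportPolicies]'AllowExport, AllowPlaintextExport'
            if (([int]$rsa.Key.ExportPolicy -band [int]$allow) -ne 0) { return 'Exportable' }
            return 'NotExportable'
        }
        if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            # Legacy CryptoAPI (CSP) key.
            if ($rsa.CspKeyContainerInfo.Exportable) { return 'Exportable' }
            return 'NotExportable'
        }
        return 'UnknownProvider'
    } catch {
        return "KeyUnreadable: $($_.Exception.Message)"
    }
}

# Collect every certificate in the machine Personal store with that friendly name.
$found = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq $FriendlyName })

if ($found.Count -eq 0) {
    Write-Warning "No certificate with friendly name '$FriendlyName' in LocalMachine\My."
    return
}

$found | ForEach-Object {
    [pscustomobject]@{
        Subject    = $_.Subject
        Thumbprint = $_.Thumbprint
        NotAfter   = $_.NotAfter
        KeyStatus  = Get-KeyExportStatus -Cert $_
    }
} | Format-List
```

Run it from an elevated PowerShell session on the Connection Server, since machine-store private keys are not readable by standard users. A `KeyStatus` other than `Exportable` corresponds to the re-import or regenerate paths in the steps above.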
Revert to the default Horizon certificate and perform a server restart to regain console access. This can also confirm that the issue lies with the certificate.
For Certificate Authority (CA) signed certificates, you must specify an exportable private key in your CSR, or during the CA's enrollment process. Some CA certificates have an exportable private key by default. Consult your CA if you are not sure.

Related articles:

- Configuring Certificates in Horizon
- How to file a Support Request in Customer Connect
- Using Microsoft Certreq to generate signed SSL certificates in VMware Horizon View