
April 19, 2021

Replacing a Self-Signed Certificate on vCenter 7.x +

Purpose:

Demonstration on how to replace the self-signed certificate on VMware vCenter.

Introduction:

Having valid certificates is not only crucial today and going forward, it has been crucial for the last few years as well. Valid certificates not only ensure that a certain security posture is being maintained, they also remove the unsightly certificate warnings that make various products unfriendly for administrators, engineers and architects to use.

I recently made a transition from Nutanix Community Edition (CE) to VMware vSphere in my home lab due to upgrade issues with the most recent release of CE. VMware vSphere 7.x and above resolved an issue where the NIC in an Intel NUC 10 was not detected during installation and the driver needed to be sideloaded before CE could be installed. This is a continuation of my blog series where I focus in on security from a virtualization standpoint. Here is a similarly themed blog about how to replace the self-signed certificate in Nutanix Prism Element and Prism Central.

Today we will talk about how to replace the certificate on vCenter and how significantly easier it has become to do so. Before I start, I am going to preface this by saying that the process only applies to VMware vCenter 7.0 and above at the time of this writing. If folks are still running vCenter 6.5 or 6.7 this will not work there, as the process is completely different. Also, this does not only affect Citrix; it affects VMware Horizon and any other solution that integrates with vCenter.

How many of us have, in the past or even today, checked the box on this message to acknowledge and trust the self-signed certificate in an on-prem or cloud based full Citrix Studio?


Most of us probably click through it without a second thought about why the warning applies, or just wave it off as "that is not my problem, it is the vSphere team's problem". While it may be the vSphere team's problem, security should be a concern for all IT folks, as many system compromises could easily have been prevented with a security first mentality. In addition to this, replacing the certificate will remove the warning from vCenter when folks use the vCenter web console.

In vCenter 7.0 and above it is very easy to replace the certificate so that the warning never even pops up when establishing the Hosting connection string from Studio. 

Configuration Steps:

First we will need to create a certificate; in my case I will be using a domain certificate authority (CA). A certificate from a well trusted 3rd party CA can also be configured in this manner.

I find it easier to generate the CSR on vCenter itself; later in this post I show an interesting issue that results from generating the CSR elsewhere.

Go to vCenter and log in as administrator@vsphere.local (this is the only account that has permission to change certificate management). At the top, go to Menu -> Administration

On the left pane -> Click Certificate Management

Under Actions -> Click Generate Certificate Signing Request (CSR)

Fill out the information appropriately -> Click Next

Copy or Download the CSR -> Click Finish

Open a browser and go to https://domainca.fqdn.com/certsrv replacing with your domainca FQDN. In my case it is domain1.domain.lab. -> Click Request a Certificate

Click Advanced Certificate Request

Click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file

Copy and paste the contents of the CSR file generated earlier into the large field -> Select the appropriate certificate template -> Click Submit

After submitting, the certificate may be pending if the CA is configured for approval (as it is in my lab). Get the proper approval to issue the certificate.

After approval go back to https://domainca.fqdn.com/certsrv -> Click View the Status of a Pending Certificate Request

Click on the Request from earlier -> Click on the Request
Select Base64 encoded -> Download the Certificate

Save it to a location where it can be accessed, with an appropriate name -> Click Save


The domain CA's root and intermediate certificates must also be exported as .cer files. In my case, these can be found on the domain controller under Certificate Manager for the Local Machine -> Trusted Root Certification Authorities -> Certificates.

Back on vCenter -> Administration -> Certificate Management, we need to import the root and intermediate certificates so that the issued cert is trusted -> Click Add

Browse to the root cert -> Click Add

After adding, there are now multiple Trusted Root Certificates

For the Machine Cert section Click Action -> Import and Replace Certificate

Select Replace with external CA certificate where CSR is generated from vCenter Server (private key embedded) as the CSR was generated on the vCenter -> Click Next

On the first field -> Click Browse File and select the certificate that the domain CA issued. On the second field -> Click Browse File and select the domain CA root certificate that was exported. If there are both root and intermediate certificates, they may need to be combined into a single file in Notepad -> Click Next

vCenter Services will automatically restart which will take a few minutes. It is common to get this message as services are restarted.

When vCenter is back and ready log back in and go to the Certificate Management section. The Machine cert should have an updated expiration date. Track that date and make sure to repeat the process again before the certificate expires to ensure everything continues to run smoothly for any services that integrate with vCenter.
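To sanity-check the files from the steps above before importing them, here is an added example (not from the original post or from VMware) that converts the exported .cer files to PEM, builds the combined CA file for the second field, confirms the issued certificate matches the public key in vCenter's CSR, verifies the chain, and reports the expiry date to track. It assumes openssl on a Linux or macOS workstation and the file names vcenter.csr, leaf.cer, intermediate.cer and root.cer, all of which are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. File names are assumptions:
#   vcenter.csr      CSR downloaded from vCenter (private key stays on vCenter)
#   leaf.cer         certificate issued by the domain CA (Base64 or DER)
#   intermediate.cer / root.cer   CA certificates exported from the domain CA
set -euo pipefail

# Convert a DER- or Base64-encoded .cer export to PEM on stdout.
to_pem() {
  if grep -q 'BEGIN CERTIFICATE' "$1"; then
    cat "$1"
  else
    openssl x509 -inform der -in "$1"
  fi
}

# Build the CA file for the "second field": intermediates first, root last
# (the same thing the post does by hand in Notepad).
# Usage: build_chain OUT root.cer [intermediate.cer ...]
build_chain() {
  local out=$1 root=$2
  shift 2
  : > "$out"
  for inter in "$@"; do to_pem "$inter" >> "$out"; done
  to_pem "$root" >> "$out"
}

# Confirm the issued certificate carries the same public key as the CSR that
# vCenter generated (otherwise the embedded private key will not match), then
# verify that it chains to the exported CA certificates. Non-zero on failure.
check_cert() {
  local leaf=$1 csr=$2 chain=$3 k1 k2
  k1=$(openssl x509 -in "$leaf" -noout -pubkey | openssl sha256)
  k2=$(openssl req -in "$csr" -noout -pubkey | openssl sha256)
  if [ "$k1" != "$k2" ]; then
    echo "public key in $leaf does not match $csr" >&2
    return 1
  fi
  openssl verify -CAfile "$chain" "$leaf" >/dev/null
}

# Print the expiry date to track, and return non-zero if the certificate
# expires within WARN_DAYS (default 30) so the renewal can be scheduled.
days_left() {
  local leaf=$1 warn=${2:-30}
  openssl x509 -in "$leaf" -noout -enddate
  openssl x509 -in "$leaf" -noout -checkend $((warn * 86400))
}

# After vCenter services restart: fetch the certificate it now presents and
# validate it against the same CA file (needs network access to vCenter).
live_check() {
  local host=$1 chain=$2
  echo | openssl s_client -connect "$host:443" -servername "$host" \
      -CAfile "$chain" -verify_return_error 2>/dev/null \
    | openssl x509 -noout -subject -issuer -enddate
}

if [ "${1:-}" = "run" ]; then
  build_chain ca-chain.pem root.cer intermediate.cer
  check_cert leaf.cer vcenter.csr ca-chain.pem
  days_left leaf.cer 30 || echo "renew soon" >&2
fi
```

Run it as `./check-vcenter-cert.sh run` in the folder with the exported files; `live_check vcenter.domain.lab ca-chain.pem` can be called afterwards to confirm the new certificate is the one being served.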

There also are no longer certificate warnings when going to the vSphere web client and when the certificate is viewed, it is the appropriate certificate

The Hosting section in Studio connects to vCenter without a warning now as well.

If you tried to generate the CSR outside of vCenter and went through the process of generating the certificate, you could get this error like I did. There really isn't a reason why the character was invalid, but this is why I recommend generating the CSR on vCenter.

Conclusion:

VMware has made it significantly easier to replace the certificate in vSphere 7.x than it was in 6.x. It makes it almost a no-brainer to do this in my opinion. We didn't need to incur any additional costs as the certificate was generated from a domain CA, but this process would also work if you need to get a signed certificate from a third party CA. If we take an overall approach of focusing on security in each layer of the infrastructure, we significantly improve the security posture of the entire environment and eliminate as many security flaws in the environment as possible.

We would like to hear from you so feel free to drop us a note if you have any questions.

Johnny @mrjohnnyma

July 22, 2020

Don't Use Your Physical Image in Your Virtual Environment


Are you using SCCM, WDS or other deployment tools, or have you been asked to, when deploying your virtual desktops or virtual application servers? If so, there can be some serious issues with this. I am often asked by folks wanting to deploy Citrix or VMware Horizon images whether they can use the same image that is used for physical endpoints. Not only is this a bad idea, it can have performance ramifications and also means that best practices are not followed.

I have always been a believer that hand building the operating systems for virtual desktops and application delivery servers is the best approach because it ensures we know what went into the image. I understand the gripes about manually installing the applications and the extra work, but the extra work now can save a lot of headaches later, and the reason of "this is how we build our images" is not a good enough reason to justify using the same image in the virtual environment. Often, and in most cases, the deployment person and the virtual desktop environment owner are not the same person. They build images on physical endpoints or on a completely different hypervisor, they never optimize the image and just let things fly. Since these are physical endpoints they have dedicated hardware, and rarely if ever do they experience any issues from being unoptimized. In the datacenter, on a virtual desktop or an application delivery server which shares host resources with other virtual machines, we need to optimize things as much as possible.

Here are two examples of recent environments where there were issues with using SCCM to deploy the same image as physical endpoints:

  1. The first was in the medical field, where the customer wanted to move from persistent Windows 10 desktops to pooled non-persistent virtual desktops, as the administrative overhead of having persistent desktops and having to administer them with deployment tools was not feasible. Also, when asked to justify the need for a persistent desktop pool, the response was "that is how we have deployed it before", so there really was no reason to have it. When it came time to build the Windows 10 non-persistent image, the customer completely disregarded my suggestion to build the Windows 10 base image by hand and used WDS to deploy the "standard" image that is deployed on physical endpoints. The end result was a known bug in the image in which the start menu stopped responding to left clicks. This bug also existed on physical endpoints but was hacked around by copying profiles over the default profile; when this was done on the non-persistent desktop image, it caused Citrix Profile Management to create temp profiles on each login. After countless days of the customer trying to remediate this, the only successful way to do so was to break out the ISO, install the operating system by hand and manually install the applications, after which everything functioned correctly.
  2. A second example was a large law firm migrating from an on-prem Citrix environment to VMware Workspace ONE. When it came time to build their images for the RDS Linked Clone pool, they stressed a need to use an existing task sequence that was built for Windows 10 and force it to target a Windows Server 2016 operating system. The issue here is that the applications were installed first and the RDS Session Host role afterwards. It has long been known best practice for RDS Session Host servers that the RDS Session Host role be installed prior to installing applications, due to the need to potentially capture application settings into the RDS shadow key. In this environment, there are small abnormalities in application behavior even today due to the incorrect installation sequence.

Long story short, when building the images for your virtual desktops and application delivery servers be careful how you approach this. As the common adage is "you can’t build a house on a bad foundation" and doing things incorrectly could lead to a bad user experience.

Johnny @mrjohnnyma

September 25, 2019

XenApp and XenDesktop 7.15 Plus

Citrix released the second Long Term Service Release (LTSR) in the company's history on August 15, 2017. This was a hallmark release in our mind because it closed nearly every feature gap of the wildly successful XenApp 6.5 release. At the same time, it was built on the new FlexCast Management Architecture (FMA), which provided customers with much in terms of choice and security.

Our ambitious plan for this article is to detail the new features and enhancements of each of the quarterly Current Releases (CR). In order to make this more readable, we are putting the full details including things like embedded videos into a separate post. Consider this a living document that will be updated over time to create a single searchable list. Check back here as we add the rest of the Current Releases. Please drop us a comment if we missed something.


Brian @sagelikebrian and Josh @virtualjoshespi

Releases
    Released February 27, 2019 - End of Life August 27, 2019

    Citrix Docs | Citrix Product Lifecycle Matrix | Find more details at XenApp and XenDesktop 7.17


    User eXperience:
    • High Definition compression support for 64-bit webcam applications.
    • Watermark your desktop or app independent of the endpoint with this new controller and VDA. My Summit 2018 article has an image of a watermark on a Chromebook (SageLike.com).
    • Webcam compression for 64-bit applications like Skype, GoToMeeting, and others on VDA.
    • NVENC hardware encoding in combination with codec for actively changing regions supported in VDA with NVIDIA GPUs.
    • ThinWire now includes higher compression (~15%) MDRLE encoding which replaces 2DRLE on supported VDAs. "What's New with Workspace in February 2018" has more details (Citrix Blogs).
    • Linux support for Pascal GPUs, pass through authentication with smart cards, dynamic keyboard layout synchronization, adaptive transport (Citrix Blogs).
    • Show or hide the remote language bar
    Admin eXperience:
    • Azure Managed Disks to be used automatically by MCS starting with this controller.
    • Federated Authentications Services now stores info in an embedded database versus the registry.
    • Controller improvements to double-hop scenarios (launching apps in a published desktop). If the app is available in the desktop it will launch it as local vs a new session.  Read "Session Sharing Between a Published Desktop and a Published App Made Easy" (Citrix Blogs) for more information including making this work on previous versions.
    • Content redirection blacklist supported on VDA. Also, a new controller policy to prevent failback to server render.
    • Director now supports PIV smart card authentication.
    • Session Recording improvements to event logging (Citrix Blogs).
    Deprecation and Platform Support:
    • StoreFront support for TLS 1.0 and 1.1 protocols between XenApp and XenDesktop and Citrix Receiver and Citrix Workspace Hub removed (see CTX232266).
    Released November 28, 2017 - End of Life May 28, 2018

    Citrix Docs | Citrix Product Lifecycle Matrix | Find more details at SageLike.com XenApp and XenDesktop 7.16




    User eXperience:
    • High Definition webcam support.
    • Expanded tablet mode in Windows 10 using Windows Continuum.
    • Adaptive transport enhancement. By default, adaptive transport is now enabled (Preferred), and EDT is used when possible, with fallback to TCP.
    • Browser content redirection. Redirects the contents of a web browser to a client device with a corresponding browser embedded within the Citrix Receiver. See (Citrix Docs) for more information.
    • HDX H.265 encoding. Requires an NVIDIA GPU. Read more, "H.265 Encoding Now Available for XenDesktop Using NVIDIA GPUs" (Citrix Blogs). Requires Receiver for Windows 4.10 and must be enabled. Requires a Platinum license.
    • Unicode keyboard mapping. Without the registry setting, if a user changes the local and the server keyboard layouts, the keyboards might not be in sync and character output is wrong.
    Admin eXperience:
    • HDX 3D Pro is detected automatically during VDA setup.
    • MCS support for on-demand provisioning with Azure Resource Manager.
    • Support for App-V 5.0 deployment configuration files in single admin method and support for shortcuts in App-V packages.
    • Access Monitor Service data uses version 4 of the OData API.
    • Shadow Linux user sessions running RHEL 7.3 or Ubuntu 16.04. Director connects via noVNC.
    • HDX Insight integration of a new NSAP virtual channel. Nick, from Citrix Consulting, is calling this integration, "HDX Insight 2.0" (Citrix Blogs).
    • Applications analytics added to Director. It provides a consolidated view of the health and usage of all published applications. It shows metrics like the number of instances per application and faults and errors associated with the applications.
    Deprecation and Platform Support:
    • VDA desktop OS support: Windows 10 1607 or newer. For support of older operating systems (Windows 7, Windows 8) use the 7.15 VDA.
    • VDA server OS support: Windows Server 2012 R2, Windows Server 2016 (also supports server VDI). For support of older operating systems (Windows Server 2008 R2, Windows Server 2012) use the 7.15 VDA.

September 24, 2019

XenApp and XenDesktop 7.17

Released February 27, 2018 - End of Life August 27, 2019

Citrix Docs and Product Lifecycle Matrix

To see all Current Release features since the last Long Term Service Release (7.15 LTSR) see XenApp and XenDesktop 7.15 Plus



User eXperience:
  • Watermark your desktop or app independent of the endpoint with this new controller and VDA. My Summit 2018 article has an image of a watermark on a Chromebook (SageLike.com).
  • Webcam compression for 64-bit applications like Skype, GoToMeeting, and others on VDA.
  • NVENC hardware encoding in combination with codec for actively changing regions supported in VDA with NVIDIA GPUs.
  • ThinWire now includes higher compression (~15%) MDRLE encoding which replaces 2DRLE on supported VDAs. "What's New with Workspace in February 2018" has more details (Citrix Blogs).
  • Linux support for Pascal GPUs, pass through authentication with smart cards, dynamic keyboard layout synchronization, adaptive transport (Citrix Blogs).
  • Show or hide the remote language bar
Admin eXperience:
  • Azure Managed Disks to be used automatically by MCS starting with this controller.
  • Federated Authentications Services now stores info in an embedded database versus the registry.
  • Controller improvements to double-hop scenarios (launching apps in a published desktop). If the app is available in the desktop it will launch it as local vs a new session.  Read "Session Sharing Between a Published Desktop and a Published App Made Easy" (Citrix Blogs) for more information including making this work on previous versions.
  • Content redirection blacklist supported on VDA. Also, a new controller policy to prevent failback to server render.
  • Director now supports PIV smart card authentication.
  • Session Recording improvements to event logging (Citrix Blogs).
Deprecation and Platform Support:
  • StoreFront support for TLS 1.0 and 1.1 protocols between XenApp and XenDesktop and Citrix Receiver and Citrix Workspace Hub removed (see CTX232266).

July 31, 2019

XenApp and XenDesktop 7.16

Released November 28, 2017 - End of Life May 28, 2018

Citrix Docs and Product Lifecycle Matrix




User eXperience:
  • High Definition webcam support.
  • Expanded tablet mode in Windows 10 using Windows Continuum.
  • Adaptive transport enhancement. By default, adaptive transport is enabled (Preferred), and EDT is used when possible, with fallback to TCP.
  • Browser content redirection. Redirects the contents of a web browser to a client device with a corresponding browser embedded within the Citrix Receiver. See (Citrix Docs) for more information.
  • "H.265 Encoding Now Available for XenDesktop Using NVIDIA GPUs" (Citrix Blogs). Requires Receiver for Windows 4.10 and must be enabled.  If the GPU at the endpoint does not support H.265 decoding using the DXVA interface, the Citrix Receiver for Windows H.265 Decoding for graphics policy setting is ignored and the session falls back to using the H.264 video codec.  Requires a Platinum license. See Receiver 4.10 for more information (Citrix Docs).
  • Unicode keyboard mapping. Without the registry setting, if a user changes the local and the server keyboard layouts, the keyboards might not be in sync and character output is wrong.
Admin eXperience:
  • HDX 3D Pro is detected automatically during VDA setup.
  • MCS support for on-demand provisioning with Azure Resource Manager.
  • Support for App-V 5.0 deployment configuration files in single admin method and support for shortcuts in App-V packages.
  • Access Monitor Service data uses version 4 of the OData API.
  • Shadow Linux user sessions running RHEL 7.3 or Ubuntu 16.04. Director connects via noVNC.
  • HDX Insight improvement.  Integration of the new NSAP virtual channel. Nick, from Citrix Consulting, is calling this, "HDX Insight 2.0" (Citrix Blogs) but 7.17 recommended (CTX239748).
  • Applications analytics in Director. It provides a consolidated view of the health and usage of all published applications. It shows metrics like the number of instances per application and faults and errors associated with the applications. Requires Delivery Controller version 7.16 or later and VDA version 7.15 or newer.
Deprecation and Platform Support:
  • VDA desktop OS support: Windows 10 1607 or newer. For support of older operating systems (Windows 7, Windows 8) use the 7.15 VDA.
  • VDA server OS support: Windows Server 2012 R2, Windows Server 2016 (also supports server VDI). For support of older operating systems (Windows Server 2008 R2, Windows Server 2012) use the 7.15 VDA.

June 11, 2019

Citrix Posters and Diagrams

My Citrix journey started about a decade ago. I was lucky enough to work with some really great people who got me started. These mentors helped me with the "what". Building a farm and publishing applications were great, but I really wanted to understand the "how". Where did NetScaler end and Web Interface begin? What really happened after a user put in their credentials and clicked "Log On"? I eventually figured it out using a combination of Citrix Docs, Google, late nights and fixing broken environments.

If I had to learn this all over again in 2019, I would start with an Instructor-Led Training class or eLearning (training.citrix.com). Spending hundreds of hours learning on the job could have been shortcut with a class. Both of these options will probably cost you or your organization money. Money that, in hindsight, would have been worth it in my opinion. Maybe the money or the time is not in the cards right now, so let's move on to a great alternative with a lower price point 😏.




Citrix is making posters and diagrams for a variety of solutions.  Allen (Twitter) announced the roadmap for these reference architectures in, "What's ahead for Citrix reference architectures" (Citrix Blogs).  I use the Virtual Apps and Desktops on-prem poster each and every week when talking to customers.  It helps guide me through any of the following:

  • Virtual desktop models
  • 5 layers of a VAD deployment
  • User authentication and resource enumeration*
  • HDX technologies
  • ICA protocol
  • Networking traffic and ports
  • Session launch*

Last week I sent a customer a link to the posters on techzone.citrix.com and he replied back with the image below.  It got a lot of attention when I posted it on Twitter.  Anyone have a plotter so I can get one for my office?



Brian @sagelikebrian


See also:
Brian's monthly article on important things in the world of apps, applications, and micro apps that we call TheAppFactory. Use the widgets at the left to have this site delivered to your RSS feed reader or by email.


May 14, 2019

Citrix Product Editions 2019

In the summer of 2018, Citrix set out on the most ambitious rebranding of products arguably since changing Presentation Server into XenApp. You can read more about it in a previous SageLike.com article, "Citrix Product Names 2019".

At the same time this happened, product editions also were changed.  On one hand, if old editions are engrained in your memory (like me) then it could cause confusion. On the other hand, the new editions have also been unified across solutions so all teams will be speaking the same language.

There is also the reality that the old editions will live on as they are hardcoded into software created pre-summer 2018.  It would be most noticeable in an old license server version but keep this into consideration if you are doing an upgrade.




Here is the breakdown for the old and new edition names.  Please note, the edition names are the same for both virtualization and networking solutions.


Citrix Virtual Apps and Desktops

    New edition    Old edition
    Standard       Standard
    Advanced       Enterprise
    Premium        Platinum

For the newest information, always check out (Citrix.com)


Citrix ADC

    New edition                                 Old edition
    Standard   (500 universal licenses*)        Standard    (5 universal licenses)
    Advanced   (1000 universal licenses*)       Enterprise  (5 universal licenses)
    Premium    (unlimited universal licenses*)  Platinum    (100 universal licenses)

    * requires firmware 11.1 build 49.16 released September 2016 (FAQs)

For the newest information, always check out (Citrix.com)


2018 also saw the creation of new bundles that combine brand new solutions with existing offerings.  Today, there are three Workspace editions that combine some of the solutions above with new offerings like Access Control and Analytics.


Citrix Workspace

    Standard
    Premium
    Premium Plus

For the newest information, always check out (Citrix.com)


Brian @sagelikebrian


See also:
"Citrix Product Names 2019" (SageLike.com)