Installing properly recognized public external SSL certificate on UAG

From Notes_Wiki


To install a properly recognized public external SSL certificate on UAG, use the following steps:

  1. Log in to the UAG admin interface at https://<FQDN>:9443/
  2. On the welcome page, select "Configure Manually".
  3. Under General Settings > Edge Service Settings, click Show.
  4. Click the Horizon Settings gearbox icon.
  5. Validate "Connection Server URL". UAG should be able to resolve it via its DNS.
  6. Validate "PCOIP External URL". This should be in public-IP:port form, using the public IP and not the FQDN (default port 4172).
  7. Validate "Blast External URL". This can be the public FQDN with port (default port 443).
  8. Tunnel External URL. This can also be configured using the FQDN.
  9. For certificate installation, go to "Advanced Settings" -> "TLS Server Certificate Settings".
  10. Here, change the certificate type from PEM to PFX and upload the PFX certificate. We have encountered many different types of errors with PEM files, while the same PEM, when converted to PFX using:
    openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
    was accepted without any issue. The non-working PEM certificate was valid and formatted as per https://vdijedi.wordpress.com/2020/04/08/how-to-format-certificates-for-use-with-horizon-unified-access-gateways/ Even after adding spaces between ---END CERTIFICATE--- and ---BEGIN CERTIFICATE--- of the different certificates in the certificate chain, as per the links below, the issue was not solved. Hence, using PFX to import the certificate into UAG is recommended.
    Note that UAG might accept the certificate even if the chain is in the wrong order (Server -> CA -> Intermediate), and services might also start, but the web page would be blank. Hence it is critical to ensure that the certificate chain order in the PFX is Server certificate -> Intermediate -> CA. Use OpenSSL to validate the order of certificates in the PFX by converting it to PEM and then printing each PEM certificate's subject and issuer.
    Various errors seen when using PEM are described at:


Refer:



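The chain-order check mentioned in step 10 (convert the PFX to PEM, then print each certificate's subject and issuer) can be scripted as below. This is an added example, not part of the original notes; the function names and temporary file are assumptions, and certificate.pfx is the file produced by the command in step 10.

```shell
#!/bin/sh
# Added example: confirm a PFX is ordered Server -> Intermediate -> CA
# before uploading it to UAG. Function names are hypothetical.

# Reads "subject=" / "issuer=" lines (the output format of
# `openssl pkcs7 -print_certs -noout`) on stdin, lists them in file order,
# and fails if any certificate is not issued by the one that follows it.
check_chain_order() {
  awk '
    /^subject=/ { sub(/^subject= */, ""); n++; subj[n] = $0 }
    /^issuer=/  { sub(/^issuer= */, "");  if (n) iss[n] = $0 }
    END {
      if (n == 0) { print "no certificates found"; exit 2 }
      for (i = 1; i <= n; i++)
        printf "[%d] subject: %s\n    issuer:  %s\n", i, subj[i], iss[i]
      for (i = 1; i < n; i++)
        if (iss[i] != subj[i + 1]) {
          printf "WRONG ORDER: cert %d is not issued by cert %d\n", i, i + 1
          exit 1
        }
      print "chain order OK"
    }'
}

# Extracts only the certificates (no private key) from the PFX into a
# temporary PEM file, then feeds their subject/issuer lines to the check.
# openssl prompts for the PFX import password.
pfx_chain_order() {
  pfx=$1
  tmp=$(mktemp) || return 2
  if ! openssl pkcs12 -in "$pfx" -nokeys -out "$tmp"; then
    rm -f "$tmp"
    return 2
  fi
  openssl crl2pkcs7 -nocrl -certfile "$tmp" |
    openssl pkcs7 -print_certs -noout | check_chain_order
  rc=$?
  rm -f "$tmp"
  return $rc
}

# Usage: pfx_chain_order certificate.pfx
```

A non-zero exit status means the PFX should be rebuilt with the certificates in the correct order before it is uploaded.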