OpenSSL Commands

Prerequisites

Access a Computer with OpenSSL

Copy the file(s) to a system that has OpenSSL. If you are on a Windows machine, the easiest way to do this is to use Git for Windows (https://git-scm.com/download/win). Once installed, you can run Git Bash and will have access to OpenSSL. Linux and macOS will likely already have OpenSSL support in Terminal. If you are in a VMware environment, the ESXi hosts also have OpenSSL support.

Obtain the Certificate Password

It is highly likely the .pfx file will contain a password to protect the file. This password is required for the conversion process.

Convert PKCS12 (P12) to Privacy Enhanced Mail (PEM)

PEM files may have either a cer, crt, or pem file extension. These should be interchangeable, but some vendors are very particular about the file extension. Like anything, check the applicable documentation for recommendations.

Most vendors will require three files. Commonly I see the following:

  • Machine certificate
  • Signing chain (Look at the vendor documentation for the chaining order! Some vendors require the root first with the intermediates below it, and others require the intermediates first with the root at the bottom.)
  • Private key

To get the machine certificate and signing certificates, run the following command:

openssl pkcs12 -in certificate-name.pfx -out machine.pem -nodes -nokeys

To get the encrypted private key, run the following command:

openssl pkcs12 -in certificate-name.pfx -out machine.key -nocerts

If you view the file, you will see that it is encrypted. Most systems will not take an encrypted key and will require an unencrypted RSA private key, which the following command produces (it will prompt for the pass phrase you set when the key was exported):

openssl rsa -in machine.key -out machine-rsa.key

Now if you view the new file, you will see it is an RSA Private Key. (With OpenSSL 3.x, openssl rsa writes the PKCS#8 "BEGIN PRIVATE KEY" header by default; add -traditional if the vendor insists on the "BEGIN RSA PRIVATE KEY" header.)
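Before handing the three files to a vendor, it is worth checking that the key really is unencrypted, that it belongs to the machine certificate, and what order the chain is in. The script below is an added example (not from the original post); it assumes openssl is on the PATH and uses the file names from the commands above.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for the files
# produced by the pkcs12/rsa commands above, before handing them to a vendor.
# Assumes openssl is on PATH; file names (machine-rsa.key, machine.pem) are
# the ones used above.
set -eu

# True (exit 0) when the PEM key has no ENCRYPTED header, i.e. openssl rsa
# has already stripped the pass phrase.
key_is_unencrypted() {
    ! grep -q 'ENCRYPTED' "$1"
}

# True when the key and the first certificate in the bundle carry the same
# public key. A "certificate/key mismatch" rejection by a vendor usually
# means the key was extracted from a different .pfx than the certificate.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
    cert_pub=$(openssl x509 -in "$2" -pubkey -noout \
               | openssl pkey -pubin -pubout -outform DER | openssl dgst -sha256)
    [ "$key_pub" = "$cert_pub" ]
}

# Number of certificates in a PEM bundle.
cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# True when the first certificate in the bundle is self-signed (a root),
# which tells you whether the bundle is in root-first or root-last order.
first_cert_is_root() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Print subject and issuer of every certificate in file order so the chain
# order can be compared with the vendor's documentation.
chain_order() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Usage: ./check-bundle.sh machine-rsa.key machine.pem
if [ "$#" -eq 2 ]; then
    key_is_unencrypted "$1" && echo "key: unencrypted" || echo "key: STILL ENCRYPTED"
    key_matches_cert "$1" "$2" && echo "key/cert: match" || echo "key/cert: MISMATCH"
    echo "certificates in bundle: $(cert_count "$2")"
    first_cert_is_root "$2" && echo "order: root first" || echo "order: leaf/intermediate first"
    chain_order "$2"
fi
```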

VMware vRealize Orchestrator Not Logging In

This occurred for me when upgrading to or installing a new vCenter 7 and replacing the self-signed certificate. I tested in a lab and was able to successfully install both vCenter 7 and Orchestrator 8.3. I was able to successfully configure both appliances and log in, as well. I did use vSphere Authentication as the Orchestrator’s Identity Provider. As soon as I replaced the self-signed certificate on vCenter, I immediately received the following when logging into Orchestrator:

Uh-oh! So after two weeks or so and lots of doing this and that and trying this and that, I think I finally found the resolution. This is actually in the VMware documents, but the document is not quite complete with the information needed to successfully run the commands. Here is the document, https://docs.vmware.com/en/vRealize-Orchestrator/8.3/com.vmware.vrealize.orchestrator-install-config.doc/GUID-66B37DF2-052E-44A0-929E-E4F53E1BCCE3.html. I have detailed the process in full later in this blog post.

For Completeness' Sake

For completeness' sake, I am going to show the entire process. Please feel free to scroll to the interesting sections below to resolve the issue. I am not going to show how to deploy the appliances, just that they will be in vSphere and available as a starting point.

Install and Check Services

Installed, configured, and checking the services for a “known good”.

VMware vCenter 7.0

When I navigate to my vCenter appliance, I can see that it is using an untrusted certificate.

I perform the necessary steps to continue on. Your browser may be different and your organization’s policies may be different. If your organization is using HTTP Strict Transport Security (HSTS), you will likely be unable to continue without some very tricky manipulation or replacing the self-signed certificate to a known and trusted certificate. This is likely how or why you are in this predicament in the first place and had to search for this blog post.

The log in window is presented to me.

I verified I was able to successfully log in.

VMware vRealize Orchestrator

Navigating to the Orchestrator 8.3 appliance, I am presented with the following.

Since this appliance is fresh, I need to click on the Start the Control Center link and establish an authentication provider. I have to log in with the root account.

Click on Configure Authentication Provider

On this page, I chose vSphere for the Authentication mode setting and the Host address is my vCenter 7 appliance. I am presented with an Accept Certificate box. This will accept the current self-signed certificate, since that is all that is available. NOTE: You could wait to do this step until after you alter the TLS certificate on vCenter, but this article assumes you did not or that you already had an Orchestrator appliance deployed like I did.

Complete the Identity Service window with an administrative or service account that allows users to be queried. Click Register.

Type in a group to use as an Admin group, I used admins, then click the Search button.

A window will display that allows you to pick a security group based off your search criteria. Click Save Changes.

The Orchestrator appliance will be configuring in the background. This is not a fast process! Click on the home icon and choose Validate Configuration. You will see a message stating that a server restart is required…This will automatically happen after a two minute wait. Please be patient here…

You can continue clicking the Refresh button until you have all green check marks. This signifies the appliance rebooted and all services are back up.

Go back to the vco tab in the browser and choose the START THE ORCHESTRATOR CLIENT link. You should be presented the VMware vSphere log on screen. This signifies that your authentication provider is set up correctly to use vSphere. Try logging in.

I can verify that I can successfully log in without trouble.

Let’s Break This!

Replacing the vCenter Server TLS Certificate in vSphere Client

Log in to vCenter server if you are not already. Lots of assumptions in the next few sections…I am going to assume you are logged in with an administrative user that can also perform cryptographic operations (https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-17568345-E59E-43A8-A811-92F8BE9C7719.html), then navigate to Menu > Administration > Certificate Management.

I am going to assume you know how to request a Certificate Signing Request (CSR), have already had the certificate signed, and have the necessary certificates in possession. If not, here is a VMware resource to get you started: https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.authentication.doc/GUID-E0609A99-A8D1-4336-BD3B-DE707E261A63.html. Under Machine SSL Certificate, click on Actions > Import and Replace Certificate.

In my case, I chose the Replace with external CA certificate (requires private key) option and clicked the Next button.

Add in the machine certificate, the root and intermediate certificates chained together (for the chain, I always start with the root and add the intermediate certificates below), and the private key file. Click the Replace button.

If the certificates are successfully replaced, you should get logged out relatively quickly. Give this a few minutes as the vCenter server services are rebooting in the background.

Click the Login button after a few minutes. You may get a no healthy upstream message. Be patient and refresh your browser periodically, there is a lot going on with these appliances.

Eventually, you should get the vCenter log in screen. You can verify that your vCenter is secured by looking for the lock symbol. Go ahead and log back in to verify you can.

Click the Launch vSphere Client (HTML 5) button. Enter your credentials.

Click the Login button.

You may receive an Error occurred while fetching vmca root cert: com.vmware.vcenter.certificate_authority.get_root message. This just indicates that the vCenter server services are not fully restarted yet. There may be a running task in Recent Tasks. Once this is complete, the message will go away after you refresh the User Interface (UI) or the browser window. Again, be patient as this may seem like an eternity in computer time or that it is broken, but it should come back up.

We can confirm that we have logged in and that the message went away.

VMware vRealize Orchestrator

Ok, let’s try to log into the Orchestrator appliance.

So far, it looks promising. Click on the Start the Orchestrator Client link. Warning: you may actually get logged in. This is most likely due to a cookie on your browser. If you close your browser and try to log in again, you will most likely not be able to log in. That is what we are going to fix.

Enter your credentials and click the Login button.

Et voilà! There we are for us English speakers, the broken UI that is extremely frustrating to fix.

The Fix

Here is the article from VMware on how to solve this (https://docs.vmware.com/en/vRealize-Orchestrator/8.3/com.vmware.vrealize.orchestrator-install-config.doc/GUID-66B37DF2-052E-44A0-929E-E4F53E1BCCE3.html). Unfortunately, not all the details are there to run the commands and if you are not experienced with the underlying technology of the Orchestrator appliance, like I wasn’t and really still am not, then this will just likely frustrate you even further. Let’s break this down…I added an indicator where I added steps to the original documented procedure.

1. Log in to the vRealize Orchestrator command line as root. (Added) I used an SSH session, but you can do this on the console with VMRC. I just wanted to be able to copy and paste commands.

2. (Added) Obtain the name of the <vRO pod> you will need for the next step.

kubectl -n prelude get pods

3. Run the kubectl -n prelude exec command. (Added) I used the last line from the clue in the example command of vco-server-app. I really did not know and the document does not explain.

Command from document.

kubectl -n prelude exec -it <vRO pod> -c vco-server-app -- bash

Command used with the <vRO pod> substituted.

kubectl -n prelude exec -it vco-app-77c8fb6659-fsr5v -c vco-server-app -- bash

4. Run the rpm command.

rpm -hiv --nodeps /vco-cfg-cli.rpm

5. Navigate to the /usr/lib/vco-cli/bin/ directory.

6. Run the following ./vro-configure-inner.sh trust commands.

From the document.

./vro-configure-inner.sh trust --alias vco.vsphere.lookup-service.ssl.certificate --uri <vSphere-Auth-Provider-URI> --accept

With substituted <vSphere-Auth-Provider-URI>

./vro-configure-inner.sh trust --alias vco.vsphere.lookup-service.ssl.certificate --uri vcsa70.aaronrombaut.com --accept

A lot of information will scroll past. I am only including a screenshot of the end of the command.

From the document.

./vro-configure-inner.sh trust --alias vco.sso.ssl.certificate --uri <vSphere-Auth-Provider-URI> --accept

With substituted <vSphere-Auth-Provider-URI>

./vro-configure-inner.sh trust --alias vco.sso.ssl.certificate --uri vcsa70.aaronrombaut.com --accept

A lot of information will scroll past. I am only including a screenshot of the end of the command, again.

7. Log out of the vRealize Orchestrator Appliance by using the exit command and log in again. (Added) If you only type exit here once, you will only exit the rpm command. You actually have to end the SSH session or console. You can type exit a second time to close the SSH session.

8. Run the following deploy.sh commands.

/opt/scripts/deploy.sh --onlyClean

A lot of information will scroll past. I am only including a screenshot of the end of the command. This command will take a few minutes to complete.

/opt/scripts/deploy.sh

A lot of information will scroll past. This command will take even longer to complete than the last command. Notice: if you prematurely end this command, your appliance will likely not be recoverable. Trust me when I tell you this. Learn from my pain…

You may even see messages that state Exit code and + return 0 like the screenshot below.

This is not complete, yet. Keep waiting until you see the following screen. (If you are nervous or impatient, get up and take a walk, this seriously takes a really long time, the appliance is going through a restart as part of this process).

Confirm VMware vRealize Orchestrator Appliance Configuration

Navigate to the appliance. Click on the Start the Orchestrator Client link to log on.

Type in your credentials and click the Login button.

Assuming everything went well, you should now be able to log back into the VMware vRealize Orchestrator appliance without error.

Please let me know if this helped you or if something I typed did not line up with what you experienced.

Prepare macOS Catalina for Desktop Anywhere

No Smartcard Detected

Air Force Reserve Command (AFRC) has been at the forefront of many projects before “Big Blue”. The Desktop Anywhere service not only enables Reserve Air Force Airmen, but more recently enabled “Big Blue” to increase productivity and raise its awareness and use of the service.

Update: I am now retired from the Air Force, but I am still involved with the DoD. This page will not be maintained but please contact me if there are any questions that come up.


Disclaimer 1: I am a Traditional Reservist in the United States Air Force Reserve from the 914th Communications Squadron located in Niagara Falls, NY. My Air Force Specialty Code (AFSC) is 3D072 (Cyber Systems Operations).🤓 When I am not fulfilling my military obligation, I work as a Senior Consultant, Federal for VMware, Inc. Please follow along at your discretion. It is obligatory for me to write that these are my opinions and suggestions and my guidance only. The material provided here is not “Official” USAF or VMware, Inc guidance. Rest assured, what I provide you will likely result in a successfully working configuration, I just don’t want to be reprimanded or fired. 😉

Disclaimer 2: I am using a new and clean installed version of macOS Catalina 10.15.4 on a VMware Fusion virtual machine. While this should not cause any difference from a bare metal installation (like your MacBook or iMac), I wanted to provide full transparency.

Assumptions: If you are reading this, I assume you need a little guidance, but are not such a novice that you won’t know to click an ‘OK’ button, open a web browser, navigate and download programs, or something similar. I will do my best to make this as easy as possible, but within reasonable expectations that you know how to use your computer. If you need further assistance from what’s provided here, please feel free to reach out to me on the Facebook Group.

Update Your Mac

It is always wise to ensure you are running the newest versions of software, especially your Operating System. I am writing this using Version 10.15.4.

Ref: https://support.apple.com/en-us/HT201541

Hardware Component

Check with your local unit to see if they can provide you with a card reader. I am unsure of the policy at every installation. My unit provided me with a HID OMNIKEY 3121 USB Card Reader. I like this reader because it is well built and Mac friendly.

Software Components

You can look at the Public DoD Cyber Exchange’s website for getting started if you need more guidance. (https://public.cyber.mil/pki-pke/end-users/getting-started/#toggle-id-2)

DoD Certificates (Mandatory)

Download: https://public.cyber.mil/pki-pke/tools-configuration-files/

Another article on my site for help with DoD Certificates on macOS Catalina can be found here: https://www.aaronrombaut.com/dod-certificates-on-macos-catalina/

VMware Horizon Client (Mandatory)

Download: https://my.vmware.com/web/vmware/details?downloadGroup=CART21FQ1_MAC_542&productId=863&rPId=44670

Smart Card Driver (Optional, but most likely needed)

If you have a HID Smart Card Reader, you will need drivers.

Download: https://www.hidglobal.com/drivers?field_driver_brand_tid_selective=All&field_driver_product_reference_nid_selective=All&field_driver_operating_systems_tid_selective=187&title=

I noticed a lot of people have an Identiv Smart Card Reader. Please use the following download link to get the driver for your Identiv reader model.

Download: https://support.identiv.com/products/smart-card-readers/

If you have a different brand of reader, hopefully it will be a truly plug-and-play model and will not need a driver. Seek support from your reader’s manufacturer if you need it. You can try to navigate through the MilitaryCAC.com family of websites, but I find the site very obtuse to navigate through. Maybe you will have better luck, though.

Downloaded software components for macOS 10.15.4

Keychain Access

The first step is to install and trust the DoD certificates. Open up Keychain Access and verify your current certificates. Make sure you see only one login Keychain. If you have more than one, backup the items from the old Keychain and remove it so that you only have one active. Change the Category to Certificates so that you can see what certificates are currently loaded. If you see any certificates that are expired, you will want to remove them.

Double-click on each file ending in .pem and .p7b. You may be prompted for the Keychain you want to add the certificates to. Choose your login keychain.

At this point, you should see a lot of DoD-related certificates in Keychain Access. Scroll down until you see the DoD Root CA certificates. You should notice that they have a white x in a red circle. This indicates that they are not trusted.

Double-click on each of the root certificates, expand Trust, and change the When using this certificate: from Use System Defaults to Always Trust. Only do this for the DoD Root CA certificates.

Before changing When using this certificate:
After changing When using this certificate:

Close the windows and provide authentication, either password or fingerprint if you have that configured.

Once you trust the four DoD Root CA certificates, the icons should now be white + in a light blue circle. This indicates the certificate is trusted.

This completes the steps necessary to add the DoD certificates to your Keychain Access and trust the DoD Root CA certificates.

VMware Horizon Client – Installation

Double-click on the VMware Horizon Client package file you downloaded earlier. The installer will open to the License Agreement.

Click Agree, then the actual installer will open. Like typical Mac software, drag the VMware Horizon Client icon onto the Applications Shortcut.

There will not be an indicator that the installation completes besides finding the new icon in the Applications menu of your Finder window. You can close the VMware Horizon Client installer utility. Please refer to VMware’s documentation for Release Notes, Known Issues, User Guides, and Installation and Setup Guides found at https://docs.vmware.com/en/VMware-Horizon-Client-for-Mac/index.html

This completes the installation of the VMware Horizon Client.

VMware Horizon Client – Configuration

Double-click the VMware Horizon Client icon. You can find it using a Spotlight Search (command + space bar) or look in the Applications menu in Finder. You should receive a security warning.

Click Open to allow the Horizon Client to open.

Optional: If you want easier access to the VMware Horizon Client in the future, after you open up the software, right-click (or ctrl + click if right-click option is not configured) on the icon in the Dock and choose Options > Keep in Dock.

On the first launch, you should be presented with a window prompting you to Enter the name of the Connection Server.

At the time of this writing, the address for general use is:

afrcdesktops.us.af.mil

Click Connect.

You should receive a Disclaimer window. If you followed the section above about adding and trusting DoD Certificates, you should see the https in green. If you see it in red, this indicates that your certificates are not being trusted.

Click Accept.

You should now see a Login window requesting your certificate.

Choose your non-email certificate and click Continue.

Enter your PIN and click Continue.

At this point, you should now be presented with your entitled Apps. Your entitlements will most likely not be the same as mine.

Click on the Windows 10 SDC 5.5 (or similar desktop if your base has a different image) in order to access your desktop.

This completes the VMware Horizon Client – Configuration section. I am going to include a troubleshooting section below in case there are any issues.

Smart Card Reader – Troubleshooting

Note: the section below is not complete and most likely never will with the way technology changes. I will try to update it as new issues arise.

If you have not connected your reader or plugged in your Common Access Card (CAC), you should receive the following Alert.

If you have connected your reader and plugged in your CAC, but your CAC is not being recognized, you should receive the following Login window.

The above most likely is a result of not having the appropriate driver for your Card Reader. You can test if your Card Reader is detected from the Terminal.

Open Terminal, type:

pcsctest

Once you press Enter, you will (or you won’t) see your card reader listed.

As you can see, my card reader is not being detected. This indicates that I will need to go to the manufacturer’s website and download and install the correct driver. Once I installed and restarted my computer, I re-ran the command in a Terminal.

If you have received any errors at this point, leave your CAC in the reader, close VMware Horizon Client, restart your computer, and re-open VMware Horizon Client.

VMware ESXi SSL Certificate Signing Request (CSR)

Need to replace the certificates with a custom certificate from a commercial or corporate Certificate Authority (CA)? You are going to need a Certificate Signing Request (CSR).

I use the certificate-manager tool (see below) included with vCenter to generate all of my requests. I found recently that you can skip this altogether if you can include the certificate’s key from the CA. In the traditional method, though, you will generate a CSR, submit to CA, and receive back a custom signed certificate.

/usr/lib/vmware-vmca/bin/certificate-manager

  • Connect to your Platform Services Controller (PSC) via SSH. This could be the same as your vCenter server.
  • Create a temporary directory to store your files in when you run the certificate-manager tool. Create a directory for each system you intend to generate CSR files for. I use the following format for my directories:
      /tmp/hostname1
      /tmp/hostname2
      ...
      /tmp/hostnamen
  • Run the certificate-manager tool:
      /usr/lib/vmware-vmca/bin/certificate-manager
  • Select option 1 to replace the Machine SSL certificate.
  • Provide the administrator username if the SSO domain is not the default, or press Enter.
  • Provide the administrator password.
  • Select option 1 to Generate Certificate Signing Request(s)…
  • Provide an Output directory path such as:
      /tmp/hostname

The next information you will be requested to enter is for the certificate.

  • Country – Use the two-letter ISO 3166-1 code (https://www.iso.org/obp/ui/#search)
  • Name – Use the fully qualified domain name of the server here
  • Organization – Name of your organization
  • OrgUnit – Name of your department
  • State – The state where the system resides (no abbreviations)
  • Locality – The city where the system resides
  • IPAddress – IP address of the system
  • Email – Email address for person or department responsible for administration of the system
  • Hostname – It’s best to always include a fully qualified domain name as well as a short name.
  • Proper value of VMCA ‘Name’ – I use the fully qualified domain name here

Press option 2 to Exit certificate-manager. Your CSR and key files will be stored at the location you specified.
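The fields certificate-manager prompts for map directly onto an openssl req configuration, and the CSR it writes can be inspected the same way as any other. The script below is an added example (not from the post and not VMware's tool): make_csr builds an equivalent CSR with openssl, and csr_subject / csr_sans / csr_has_san let you confirm the FQDN, short name and IP address are present in whichever CSR you are about to submit. All host names, addresses and organisation values are constructed placeholders.

```shell
#!/bin/sh
# Added example (not the post's own and not VMware's certificate-manager):
# build a CSR with openssl using the same fields certificate-manager prompts
# for, and inspect any CSR to confirm the subject and SANs before submission.
# All names, addresses and values below are constructed placeholders.
set -eu

# Write an openssl req config for one host.
# Args: config-path fqdn shortname ip email
write_csr_config() {
    cat > "$1" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext

[dn]
C = US
ST = New York
L = Niagara Falls
O = Example Org
OU = Example Department
CN = $2
emailAddress = $5

[ext]
# FQDN and short name as DNS SANs plus the host's IP, matching the
# Hostname and IPAddress prompts of certificate-manager.
subjectAltName = DNS:$2, DNS:$3, IP:$4
EOF
}

# Generate a key and CSR. Args: outdir fqdn shortname ip email
make_csr() {
    mkdir -p "$1"
    write_csr_config "$1/req.cnf" "$2" "$3" "$4" "$5"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/$2.key" \
        -out "$1/$2.csr" -config "$1/req.cnf" 2>/dev/null
}

# Print the subject line of a CSR.
csr_subject() {
    openssl req -in "$1" -noout -subject
}

# Print the subjectAltName line of a CSR (empty if it has none).
csr_sans() {
    openssl req -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# True when the CSR lists the given value (e.g. DNS:host, IP Address:x) as a SAN.
csr_has_san() {
    csr_sans "$1" | grep -q -F "$2"
}

# Usage: ./make-csr.sh /tmp/hostname esx01.example.com esx01 192.0.2.10 admin@example.com
if [ "$#" -eq 5 ]; then
    make_csr "$@"
    csr_subject "$1/$2.csr"
    csr_sans "$1/$2.csr"
fi
```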

Apple Computer

If you use an Apple computer, you can use scp in the Terminal to copy the files (substitute the account and hostname of your PSC for the placeholders).

$ mkdir ~/Documents/Certificates/hostname/
$ cd ~/Documents/Certificates/hostname/
$ scp <user>@<psc-hostname>:/tmp/hostname/*.* .

Windows Computer

If you use Windows, I recommend WinSCP. You will first need to set the shell on the Platform Services Controller to Bash.

chsh -s /bin/bash root

Follow the instructions of your CA on how to submit the CSR to be signed.