How to Install SSL Certificate on the VDI-in-a-Box Virtual Appliance

Article ID: CTX132234

Description

This article describes how to install a trusted SSL Certificate on the VDI-in-a-Box virtual appliance. 

Background

The VDI-in-a-Box appliances ship with a self-signed SSL Certificate that is not trusted by Web browsers and devices. This article describes steps to replace the self-signed SSL Certificate on the VDI-in-a-Box appliance with a trusted SSL Certificate. This can be achieved using the attached script or by following the Manual procedure.

Version 5.3 of VDI-in-a-Box introduced a web-based interface for managing SSL certificates. That interface can generate a CSR to submit to a CA, and the certificate the CA returns for that CSR can be imported back through the same interface. A pre-existing trusted certificate (one whose key pair was not generated by the appliance) cannot be imported that way; for version 5.3 and earlier, use the script or the manual procedure in this article instead.

Version 5.4 of VDI-in-a-Box introduces the ability to import a pre-existing certificate through the Manage SSL Certificate option in the VDI Management Console. 

Requirements

  • VDI-in-a-Box 5.0 or newer server

  • Valid SSL Certificate obtained from a Trusted Certificate Authority, together with the CA's intermediate and root certificates


Instructions

Using the Wizard to Import Certificates

  1. On VDI-in-a-Box 5.4 or newer, log on to the VDI Management Console.

  2. Select the Admin tab.

  3. Click Manage SSL Certificate.

  4. Select Existing Certificate.

  5. Click Upload Cert and navigate to the pre-existing certificate in PKCS12 format (.pfx or .p12). The file must contain the private key as well as the server certificate and its CA chain; a certificate file on its own cannot be used here.

Using Scripts to Import the Certificates

Before importing the files, refer to the following article to create the SSL certificate for VDI-in-a-Box virtual appliance:
CTX132235 - How to Create SSL Certificate for VDI-in-a-Box Virtual Appliance

Note: For easy access, the script to generate Certificate Request and the script to import the certificates are available in the same zip file.

  1. Download and unzip the attached file.

  2. Use an SFTP utility (such as FileZilla) to copy the two script files to the /home/kvm/kvm directory on the VDI-in-a-Box appliance.

  3. Copy the certificate files (*.crt format) to the /home/kvm/kvm/vdimgrkeystore folder.

  4. Execute the following command from the /home/kvm/kvm folder: 
    chmod 777 sslcertimport.sh
    Note: The command cd /home/kvm/kvm ensures that you are in the right place. Mode 777 also makes the script world-writable; execute permission for the kvm account is all the script needs, so tighten the mode again, or delete the script, once the import is complete.

  5. Run the script to import the certificates using the following syntax: 
    sh sslcertimport.sh

This imports the certificates into the keystore. Take a backup of your current keystore before it is replaced with the new keystore containing all your certificates, so that the previous configuration can be restored if anything goes wrong. At the end of the script, Tomcat is restarted and you should be able to open the Web site at the same FQDN for which the CSR was generated without any certificate-related errors.

Manual Procedure

Importing the SSL Certificate Files

Before importing the files, refer to the following article to create the SSL certificate for VDI-in-a-Box virtual appliance: 
CTX132235 - How to Create SSL Certificate for VDI-in-a-Box Virtual Appliance

  1. Use an SFTP utility (such as FileZilla) to copy the certificate files back to the /home/kvm/kvm/keystore directory on the VDI-in-a-Box virtual appliance, the directory that holds the kmgr.keystore created in CTX132235. Run the keytool commands below from that directory.

  2. Use the keytool utility to import the intermediate certificate file(s) to the keystore. Replace chain.crt with the intermediate certificate file name provided by the Trusted CA (file name will vary):
    keytool -import -trustcacerts -alias intermediate -file chain.crt -keystore kmgr.keystore

  3. Use the keytool utility to import the root certificate file(s) to the keystore. Replace chain.crt with the root certificate file name provided by the Trusted CA (file name will vary):
    keytool -import -trustcacerts -alias root -file chain.crt -keystore kmgr.keystore

  4. Type the keystore password when prompted.

  5. A 'Certificate was added to the keystore' message appears if successful.

  6. Use the keytool utility to import the server certificate file to the keystore. Replace the kmgr alias with the VDI-in-a-Box server hostname, that is, the alias under which the key pair and CSR were generated in CTX132235; keytool matches a certificate reply to the private key by alias. Replace kmgr.crt with the certificate file name sent by the Trusted CA:
    keytool -import -trustcacerts -alias kmgr -file kmgr.crt -keystore kmgr.keystore

  7. Type the keystore password when prompted.

  8. A 'Certificate reply was installed in keystore' message appears if successful. If keytool instead reports 'Certificate was added to keystore', the alias did not match the private key entry and the certificate was stored as a trusted entry only; delete that entry and repeat the command with the correct alias.
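The import sequence above, as one added script that serves both the scripted and the manual procedure. It is not the sslcertimport.sh attached to this article and not Citrix code: it imports the CA certificates before the server certificate, refuses to touch the keystore if a certificate file is missing, keeps a dated backup, and checks that keytool linked the reply to a chain. The default keystore directory, the file names, the alias derived from each CA file name and the optional KEYSTORE_PASS variable are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not the sslcertimport.sh attached to this article. Imports the
# CA certificates and the signed server certificate into kmgr.keystore in a
# trust-first order, then confirms keytool linked the reply to a chain.
# Assumptions: the directory below, and that the server alias given on the
# command line is the one the key pair and CSR were generated under.
set -e

KEYSTORE_DIR=${KEYSTORE_DIR:-/home/kvm/kvm/keystore}
KEYSTORE=${KEYSTORE:-kmgr.keystore}
# Export KEYSTORE_PASS to answer the password prompts non-interactively without
# putting the password on the command line, where ps would show it.
PW_OPT=${KEYSTORE_PASS:+-storepass:env KEYSTORE_PASS}

# Refuse to touch the keystore if any certificate file is missing or empty.
preflight() {
    rc=0
    for f in "$@"; do
        if [ ! -s "$f" ]; then
            echo "preflight: missing or empty certificate file: $f" >&2
            rc=1
        fi
    done
    return $rc
}

# keytool flags take ASCII hyphens; "-import" pasted with an en-dash is rejected.
import_cert() {   # import_cert <alias> <file>
    keytool -import -trustcacerts -alias "$1" -file "$2" -keystore "$KEYSTORE" $PW_OPT
}

# Pull "Certificate chain length: N" out of `keytool -list -v` output; 0 if absent
# (a trustedCertEntry has no chain line, only a PrivateKeyEntry does).
chain_length() {
    n=$(printf '%s\n' "$1" | sed -n 's/^Certificate chain length: *\([0-9][0-9]*\).*/\1/p' | head -n 1)
    printf '%s\n' "${n:-0}"
}

# import_chain <server-alias> <server.crt> <root.crt> [intermediate.crt ...]
# Root first, then intermediates: each CA certificate can then be verified
# against one already trusted instead of triggering "Trust this certificate?".
# The server certificate goes last, under the alias that holds the private
# key, so keytool treats it as a certificate reply and builds the chain.
import_chain() {
    alias=$1; server_cert=$2; shift 2
    cd "$KEYSTORE_DIR"
    preflight "$server_cert" "$@"
    cp -p "$KEYSTORE" "$KEYSTORE.bak.$(date +%Y%m%d%H%M%S)"   # undo point
    for ca in "$@"; do
        import_cert "$(basename "$ca" | sed 's/\.[^.]*$//')" "$ca"   # chain.crt -> alias chain
    done
    import_cert "$alias" "$server_cert"
    len=$(chain_length "$(keytool -list -v -alias "$alias" -keystore "$KEYSTORE" $PW_OPT)")
    if [ "$len" -lt 2 ]; then
        echo "import_chain: '$alias' has chain length $len; reply not linked to the CA chain" >&2
        return 1
    fi
    echo "import_chain: '$alias' now carries a chain of length $len"
}

if [ $# -ge 3 ]; then
    import_chain "$@"
else
    echo "usage: $0 <server-alias> <server.crt> <root.crt> [intermediate.crt ...]" >&2
fi
```

Run it from the appliance as the kvm account, for example sh import_chain.sh kmgr kmgr.crt root.crt chain.crt, substituting the alias used for the CSR and the file names your CA delivered. A chain length below 2 after the reply import means the CA certificates were not found by keytool; check that the root and intermediate files are the ones matching the issuing CA before copying the keystore into Tomcat's conf directory.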

Replacing the Self-Signed SSL Certificate

  1. Change to the conf directory:
    cd /home/kvm/kvm/install/servlet_container/conf

  2. Back up the default keystore file:
    mv .keystore old.keystore

  3. Copy the new keystore file to the conf directory:
    cp /home/kvm/kvm/keystore/kmgr.keystore .keystore

  4. Verify that the .keystore and old.keystore files exist:
    ls -al
    Note: Compare the owner and mode of the new .keystore with those of old.keystore. The file holds the server's private key and should be readable only by the account Tomcat runs as.

Adding SSL Certificate Password to Configuration

  1. Edit the server.xml file using the vi editor:
    sudo vi server.xml

  2. Find the clientAuth line by searching:
    /clientAuth=

  3. Check whether a keystorePass="..." attribute already exists anywhere in the 'Define a SSL HTTP/1.1 Connector on port 8443' section. If keystorePass="changeit" is present, replace changeit with your keystore password and skip the next step.

  4. Otherwise, add the following attribute to that Connector, replacing password with your keystore password. Because the value is an XML attribute, the characters &, < and " in the password must be written as &amp;, &lt; and &quot;:
    keystorePass="password"

  5. Save and exit the vi text editor.
    Note: Two keystorePass attributes on the same Connector cause Tomcat to fail at startup. Ensure there is only one instance of keystorePass. The password is stored in clear text in server.xml, as Tomcat requires, so the file's permissions are the only protection for it; do not loosen them.
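The server.xml edit above, as an added script that is not from the article or from Citrix. It makes the change non-interactively and enforces the single-keystorePass rule the note describes: an existing value is replaced, duplicates are collapsed to one, and the result is checked before the file is overwritten. It assumes the Connector layout of the default Tomcat file (an uncommented, self-closing <Connector ... port="8443" ... /> element); the sample server.xml used to exercise it is constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the article: sets keystorePass on the port 8443
# Connector of a Tomcat server.xml, replacing any existing value and collapsing
# duplicates so exactly one attribute remains. Assumes the Connector element is
# not inside an XML comment and ends with "/>" as in the appliance file.
set -e

# Print the configured keystorePass value (first occurrence), or nothing.
keystore_pass_of() {
    sed -n 's/.*keystorePass="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Count keystorePass attributes in a file (Tomcat needs exactly one per Connector).
count_keystore_pass() {
    awk '{ c += gsub(/keystorePass=/, "&") } END { print c + 0 }' "$1"
}

# set_keystore_pass <server.xml> <password>
# The password travels through the environment, not as an awk -v value, so
# backslashes are not interpreted; it is XML-escaped before being written.
set_keystore_pass() {
    file=$1
    out=$(mktemp)
    KS_PASS=$2 awk '
    BEGIN {
        pw = ENVIRON["KS_PASS"]
        gsub(/&/, "\\&amp;", pw); gsub(/"/, "\\&quot;", pw); gsub(/</, "\\&lt;", pw)
    }
    # Pass 1: locate the first uncommented <Connector ...> that carries port="8443".
    FNR == NR {
        if ($0 ~ /<!--/) inc = 1
        if (!inc && $0 ~ /<Connector/) { s = FNR; is8443 = 0; hasca = 0 }
        if (s && $0 ~ /port="8443"/) is8443 = 1
        if (s && $0 ~ /clientAuth=/) hasca = 1
        if (s && $0 ~ /\/>/) {
            if (is8443 && !found) { rs = s; re = FNR; ca = hasca; found = 1 }
            s = 0
        }
        if ($0 ~ /-->/) inc = 0
        next
    }
    # Pass 2: rewrite only the lines of that element, copy everything else verbatim.
    {
        line = $0; hit = 0
        if (found && FNR >= rs && FNR <= re) {
            while (match(line, /[ \t]*keystorePass="[^"]*"/)) {
                line = substr(line, 1, RSTART - 1) substr(line, RSTART + RLENGTH)
                removed++; hit = 1
            }
            if (hit && line ~ /^[ \t]*$/) next       # line held only the old attribute
            anchor = ca ? "clientAuth=\"[^\"]*\"" : "<Connector"
            if (!added && match(line, anchor)) {
                line = substr(line, 1, RSTART + RLENGTH - 1) " keystorePass=\"" pw "\"" substr(line, RSTART + RLENGTH)
                added = 1
            }
        }
        print line
    }
    END {
        if (!found) { print "set_keystore_pass: no active port=\"8443\" Connector" > "/dev/stderr"; exit 2 }
        if (removed > 1) print "set_keystore_pass: collapsed " removed " keystorePass attributes into one" > "/dev/stderr"
    }' "$file" "$file" > "$out" || { rm -f "$out"; return 1; }
    n=$(count_keystore_pass "$out")
    if [ "$n" -ne 1 ]; then
        echo "set_keystore_pass: $n keystorePass attributes after edit, expected 1" >&2
        rm -f "$out"; return 1
    fi
    cp -p "$file" "$file.bak"
    cat "$out" > "$file"       # overwrite in place to keep owner and mode
    rm -f "$out"
}

if [ $# -eq 2 ]; then
    set_keystore_pass "$1" "$2"
else
    echo "usage: $0 <path-to-server.xml> <keystore-password>" >&2
fi
```

Run it as sh set_keystore_pass.sh /home/kvm/kvm/install/servlet_container/conf/server.xml 'yourpassword' (under sudo if the file is root-owned); the previous file is kept as server.xml.bak, and the function returns non-zero without writing anything if no active port 8443 Connector is found or the result does not contain exactly one keystorePass. Running it a second time replaces the value instead of adding a second attribute.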

Restarting the Tomcat Services

  1. Restart Tomcat to use the new SSL certificate:
    tc_start

  2. Type the kvm account password if prompted. The appliance ships with the default password:
    kaviza123
    Note: If the appliance is still using this default password, change it once the procedure is complete; it is published and will be the first thing tried by anyone who reaches the appliance console or its SSH service.

Verifying the New SSL Certificate

  1. Open any Web browser.

  2. Browse to the VDI-in-a-Box hostname over HTTPS, using the same FQDN that appears in the certificate.

    Note: There should be no certificate warning. Each Web browser is different, but either green text or a padlock icon in the Address bar indicates that the SSL certificate is valid and the connection is secure. Open the certificate details and confirm that the full chain (server certificate, intermediate, root) is shown; a missing intermediate still produces warnings on devices that do not cache intermediates. Browsing by IP address, or by a short hostname that is not in the certificate, gives a name-mismatch warning even though the installation is correct.

Environment

The above mentioned sample code is provided to you as is with no representations, warranties or conditions of any kind. You may use, modify and distribute it at your own risk. CITRIX DISCLAIMS ALL WARRANTIES WHATSOEVER, EXPRESS, IMPLIED, WRITTEN, ORAL OR STATUTORY, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT. Without limiting the generality of the foregoing, you acknowledge and agree that (a) the sample code may exhibit errors, design flaws or other problems, possibly resulting in loss of data or damage to property; (b) it may not be possible to make the sample code fully functional; and (c) Citrix may, without notice or liability to you, cease to make available the current version and/or any future versions of the sample code. In no event should the code be used to support ultra-hazardous activities, including but not limited to life support or blasting activities. NEITHER CITRIX NOR ITS AFFILIATES OR AGENTS WILL BE LIABLE, UNDER BREACH OF CONTRACT OR ANY OTHER THEORY OF LIABILITY, FOR ANY DAMAGES WHATSOEVER ARISING FROM USE OF THE SAMPLE CODE, INCLUDING WITHOUT LIMITATION DIRECT, SPECIAL, INCIDENTAL, PUNITIVE, CONSEQUENTIAL OR OTHER DAMAGES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Although the copyright in the code belongs to Citrix, any distribution of the sample code should include only your own standard copyright attribution, and not that of Citrix. You agree to indemnify and defend Citrix against any and all claims arising from your use, modification or distribution of the sample code.

Additional Information

CTX132235 - How to Create SSL Certificate for VDI-in-a-Box Virtual Appliance