picture of tbs certificates
picture of tbs certificates
Our products range

Generate a CSR for VMWare View 5.0 or under

Attention : This guide only concerns VMWare View versions inferior or equal to 5.0/.

A SSL server certificate is generated by default during the installation of View Connextion server. You can use this certificate to run some tests.
You should replace the default certificate as soon as possible. The default certicate is not signed by a trusted certification authority. The use of non-certified certificates can allow unapproved third parts to intercept the trafic by impersonating your server.

Keytool and openssl are keys and certificates managing tools. Add paths to those tools to the Path variable of your system environment to execute those tools from any repertory of your host

if your organization already has a valid SSL certificate on Microsoft IIS platform, you can use it to replace the default SSL certificate supplied with View Connection Server.

To get a signed certificate from a certification authority, create a certificate request (CSR).

Use of a Microsoft IIS server

  • CSR creation: Create a certificate request forIIS5 or IIS6 and for IIS7
  • Installation of the certificate for IIS5 or IIS6 and for IIS7
  • Exportation of the certificate and its private key: Make a backup copy of the certificate under IIS
  • Configure an instance of View Connection Server or a security server
    To use a new certificate

    To configure a View Connection Server instance or a security server to use a new SSL server certificate, define propertes in the locked.propertie fil on the View Connection Server or security server host.


    Create a self-signed certificate, export an existing Microsoft IIS SSL server certificate or obtain a certificate signed by a certification authority.


    • 1 Copy the Keystore file containing your certificate in the configuration repertory of the SSL gatewayon the View Connection Server or security server host.
      For example: install_directory\VMware\VMware View\Server\sslgateway\conf\keys.p12
    • 2 Add the keyfile and keypass properties to the file in the configuration repertory of the SSL gateway on the View Connection Server or security server host. if the file does not exist, create one.
      a Define the keyfile properties on the keystore file name. If you have exported an existing Microsoft IIS SSL server certificate, define keyfile on the name of your PFX file.
      b Define the keypass properties on the password of your keystore file. If you have exported an existing Microsoft IIS SSL server certificate, define keypass on the the password you used during the certificate exportation.
      For example: keyfile=keys.p12 keypass=MY_PASS 
    • 3 Restart the View Connection Server service or Security Server for the modifications to be taken into account.

Use of Keytool (advised)

Generate a keystore

When you create a keystore for the first time, the first certificate in this file is a self-signed one. later, if you obtain a certificate signed by a certification authority, you import the answer of the certification authority in the the keystore and the self-signed certificate is replaced.


  • 1 Open a command-line interpreter and use keytool to generate a keystore.
    keytool -genkey -keyalg RSA -keysize 2048 -alias vmwareview -keystore [keystorename] -storetype pkcs12

    When keytool asks for your first and last names, enter the fully qualified domain name (FQDN) that the client machines use to connect to the host.
    • View Connection Server instance: enter the fqdn of the View Connection Server host. Enter the fqdn of the proxy.
    • Security server: enter the fqdn of the security server host.
    • View Transfer Server instance: enter the FQDN of the View Transfer Server host.

  • 2 Generate a CSR :
    keytool -certreq -alias vmwareview -keyalg  RSA -file my.csr -keystore [keystorename] -storetype pkcs12

    The CSR is stored in JDK/bin and looks like:


    Copy/paste the content of the my.csr in the order form.

  • 3 when keytool has create the keystore file, make a backup copy of it. Th backup file can be useful if you need to re-create the host configuration.

Install the certificate

After the dministrative audit process, TBS INTERNET sends an email containing a link to your #PKCS7 certificate (example.p7b file). You can also download it from your status page:
-> "see the certificate" -> link "See the PKCS7 certificate"


  • Copy the text file containing your certificate in the repertoriy containing the keystore and save it.

    for example:
    -----BEGIN PKCS7----- 
    zANBgk i7coVx71/lCBOlFmx66NyKlZK5mObgvd2dlnsAP+nnS EhCsdpikSpbtdo18jUubV6z1kQ71CrRQtp
    -----END PKCS7-----
  • open a command-line interpreter and use keytool to import the certificate in your keystore.
    For example:
    keytool -import -keystore [keystorename] -storetype pkcs12 -storepass [example] -keyalg "RSA" -trustcacerts -file certificat.p7b

    N.B: If you get this kind of error : "java.lang.exception: input not an x.509 certificate" it might indicate that your keytool is too old to import #PKCS7 files (.p7b). You'll then have to import your certificate manually in PEM format (.cer), then the certificates of the certification chain one by one.

  • If you specified a temporary certificate, enter yes when you get the message .... is not trusted. Install reply anyway?.
    Keytool generate this message because temporary certificates are not made to be used in a production environment.

  • Configure your View Connection Server, your security ser ver or your View Transfer Server instance to use the certificate. See your software documentation.

External links

VMware View installation guide ( View Manager 4.5 - View Composer 2.5 )