...
By default, Unified Access Gateway uses a self-signed TLS server certificate. For production environments, VMware strongly recommends that you replace the default self-signed certificate with a trusted CA-signed certificate for your environment. The procedure to update certificates is outlined in the UAG documentation: Update SSL Server Signed Certificates.

Notes:
- Both PFX and PEM formats are acceptable; a PEM file additionally needs to be in one-line format, see Convert Certificate Files to One-Line PEM Format.
- When you upload a new certificate, it overrides the existing one.
- UAG automatically restarts the necessary services on certificate updates, which may impact client connections, so this task is best performed during a scheduled maintenance window.

Certificate Requirements:
- The certificate should match the public FQDN (load balanced) for Unified Access Gateway.
- Ensure the private key is included.
- Include the full certificate chain.
- In a double-DMZ scenario, the same certificate is needed on both UAGs; see Unified Access Gateway Double DMZ Deployment for Horizon - SSL Certificates.

Tips and Tricks with PowerShell Deployment:
- Configure your certificate file to upload from a mapped drive rather than a direct network path to reduce complexity.
- Pay close attention to the format of the template for the thumbprint; this value is often labelled as the certificate Fingerprint in the certificate properties shown by most modern browsers. See Deploying and Configuring VMware Unified Access Gateway - Configure Horizon Settings.

Value: proxyDestinationUrlThumbprints
Example: proxyDestinationUrlThumbprints=[alg]:3e ef ed c6 86 75 a6 15 ff c8 96 27 5a 4c ee 8e 16 fd 6e d3

Note: a certificate typically displays both a SHA-1 and a SHA-256 fingerprint in the properties seen via a browser; the certificate's signature algorithm determines which one is in active use.

Proxy Certificates:
Proxy certificate configurations are typically seen in environments where you need to align thumbprint values with those stored on the load balancer. These are often needed to ensure the Horizon Client has both awareness and trust of intermediate devices. The same situation can also be seen in environments that do not deploy UAG; Connecting to VMware Horizon View desktops with a Horizon Client fails with the error: "Tunnel server presented a certificate that didn't match the expected certificate" (2083612) offers a further breakdown of the issue.

- https://uagname.example.com shows the configured certificate for the Horizon Tunnel External URL.
- https://uagname.example.com:8443 shows the configured certificate for the BlastExternalUrl.

More details on these Proxy Certificate options can be found in Deploying and Configuring VMware Unified Access Gateway - Configure Horizon Settings.

Useful Troubleshooting Commands:
This command queries the certificate and returns details about the signature in use:
openssl s_client -connect myuaghostname:8443 < /dev/null 2>/dev/null | openssl x509 -text -in /dev/stdin | grep Signature

Curl can also display basic details about a certificate:
curl -k -v https://127.0.0.1 -o /dev/null 2>&1 | grep -A 5 "Server certificate"

On the shell prompt of a UAG appliance, you can also run the following commands to retrieve details on the existing certificate chains.
Checking the certificate bound to port 443:
openssl pkcs12 -nokeys -info -in /opt/vmware/gateway/certs/esmanager_accesspoint.p12 -passin pass:`cat /opt/vmware/gateway/certs/esmanager_accesspoint.p12.pw`
Checking the Admin certificate bound to port 9443:
openssl pkcs12 -nokeys -info -in /opt/vmware/gateway/certs/admin_accesspoint.p12 -passin pass:`cat /opt/vmware/gateway/certs/admin_accesspoint.p12.pw`

Useful Log Entries:
Collecting Logs from the Unified Access Gateway Appliance has details on log location and file purpose if needed.

bsg.log: an unexpected thumbprint on a Blast certificate will be rejected. See the bsg.log extract below:
2022-09-19T13:03:37.867+01:00| blastSocket| W115: Expected thumbprint is: 30:bb:0A:FC:C4:56:79:9A:84:08:3A:44:C4:DF:2F:41:77:B9:9D:E8:35:4A:66:D5:7C:C0:E1:1A:C7:f1:A2:2B
2022-09-19T13:03:37.867+01:00| blastSocket| W115+ Actual thumbprint is: C5:A0:28:DD:C6:07:1B:E6:1E:BA:42:CE:CB:63:4A:37:BB:25:7C:5E:F3:69:E8:9A:92:86:0D:2B:B3:6F:98:7E
2022-09-19T13:03:37.867+01:00| blastSocket| W115: SOCKET 4 (29) Cannot verify target host.

audit.log: this logs a "CHANGE=trustedCertificates" entry when you add the certificate:
14:41:03,813+0000 INFO: CONFIG_CHANGE: SOURCE_IP_ADDR=<ipv4-adresse>: USERNAME=admin: CHANGE=trustedCertificates:

admin.log: these logs record any potential issues with the certificate upload:
07/13 16:29:39,940+0000[main]WARN service.SettingsService[handleUpdateOrGetSettingsException: 1317]: UAG123: Failed to upload ESManager certificate: Invalid PEM format. Exception message: malformed sequence in RSA private key

With this example log line, you can run the commands below to ensure the key is correctly created:
openssl pkcs12 -in cert.pfx -nokeys -out cert.pem
openssl pkcs12 -in cert.pfx -nodes -nocerts -out key.pem
openssl rsa -in key.pem -check -out keyrsa.pem

If the output confirms an invalid format, you can run the command below to convert the key to the required BEGIN RSA PRIVATE KEY format:
openssl rsa -in key.pem -out keyrsa.pem

Additional Knowledge Base Articles:
Unified Access Gateway(UAG): Recovery from a revoked Certificate ERR_CERT_REVOKED (91836)
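As an added example (not from this KB article and not VMware's code), the following Python helpers build a thumbprint in the proxyDestinationUrlThumbprints format shown above from a certificate's DER bytes, check a configured thumbprint against a certificate, and flag the Expected/Actual mismatch pattern seen in bsg.log. The DER bytes and log lines are constructed samples, and the lowercase sha1/sha256 algorithm labels are assumed.

```python
"""Added example (not from the KB article): UAG certificate thumbprint helpers."""
import hashlib
import re

# Constructed sample: bsg.log lines in the shape the article shows.
BSG_LOG = """\
2022-09-19T13:03:37.867+01:00| blastSocket| W115: Expected thumbprint is: 30:bb:0A:FC:C4:56:79:9A:84:08:3A:44:C4:DF:2F:41:77:B9:9D:E8:35:4A:66:D5:7C:C0:E1:1A:C7:f1:A2:2B
2022-09-19T13:03:37.867+01:00| blastSocket| W115+ Actual thumbprint is: C5:A0:28:DD:C6:07:1B:E6:1E:BA:42:CE:CB:63:4A:37:BB:25:7C:5E:F3:69:E8:9A:92:86:0D:2B:B3:6F:98:7E
2022-09-19T13:03:37.867+01:00| blastSocket| W115: SOCKET 4 (29) Cannot verify target host.
"""
# Constructed stand-in for a certificate's DER bytes (not a real certificate).
SAMPLE_DER = b"\x30\x82\x01\x0a" + bytes(range(256))

THUMB_RE = re.compile(r"(Expected|Actual) thumbprint is:\s*([0-9A-Fa-f: ]+?)\s*$")

def normalize(thumb: str) -> str:
    """Lowercase hex with separators removed; the log mixes case ('0A' beside 'f1')."""
    return re.sub(r"[^0-9a-f]", "", thumb.lower())

def fingerprint(der: bytes, alg: str = "sha256") -> str:
    """'<alg>:xx xx ...' as the article shows for proxyDestinationUrlThumbprints.
    A fingerprint is a hash over the DER encoding; alg is 'sha1' or 'sha256' (assumed labels)."""
    digest = hashlib.new(alg, der).hexdigest()
    return f"{alg}:" + " ".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def same_thumbprint(configured: str, der: bytes) -> bool:
    """True if a configured value ('sha1:..', 'sha256:..' or bare hex) matches the cert.
    Without a prefix the digest length (40 or 64 hex chars) selects the algorithm."""
    m = re.match(r"\s*(sha1|sha256)\s*[:=]\s*(.*)$", configured, re.IGNORECASE)
    value = normalize(m.group(2) if m else configured)
    alg = m.group(1).lower() if m else {40: "sha1", 64: "sha256"}.get(len(value), "")
    return bool(alg) and hashlib.new(alg, der).hexdigest() == value

def blast_mismatches(log_text: str) -> list[tuple[str, str]]:
    """(expected, actual) pairs from bsg.log that differ; an empty list means the Blast
    certificate presented to the client matched what UAG was configured to expect."""
    expected, found = None, []
    for m in filter(None, map(THUMB_RE.search, log_text.splitlines())):
        kind, value = m.group(1), normalize(m.group(2))
        if kind == "Expected":
            expected = value
        elif expected is not None:
            if value != expected:
                found.append((expected, value))
            expected = None
    return found
```

Feed the output of the openssl x509 fingerprint you obtain from the load balancer into same_thumbprint, and run blast_mismatches over a copied bsg.log to confirm whether a "Cannot verify target host" entry is a thumbprint mismatch.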
This is a child article of Unified Access Gateway(UAG): Troubleshooting Resources for Horizon View Integration (92413)