Piszki Lab | EN

My case study in the clouds…

Horizon Workspace: Manual analysis of the certificate chain


The day has come when I decided to expose our laboratory installation of Horizon Workspace to the Internet. I obtained a wildcard certificate issued by RapidSSL (GeoTrust), created the appropriate chain file and proceeded to action. Of course, in the case of Horizon Workspace nothing is simple when it comes to changing the FQDN and uploading new SSL certificates for gateway-va. Right at the outset I ran into “Certificate does not chain up to the root.”

[screenshot: ssl1]

We look at the configurator-va log: /opt/vmware/horizon/configuratorinstance/logs/configurator.log

[screenshot: ssl2]

The certificate is verified by the verifyCert.hzn script; after reviewing it, it turns out that the following OpenSSL command is used:

openssl verify -purpose sslserver -CApath /dev/null -CAfile ho.pl ho.pl

(ho.pl is my chain file, uploaded to a temporary directory.)

We extend the command with the -verbose option and check the result:

[screenshot: ssl3]

It turns out that the chain is badly constructed: instead of the RapidSSL CA, I put in the GeoTrust SSL CA. I fix the chain and check again:

[screenshot: ssl4]

[screenshot: ssl5]

We get the message “error 2 at 1 depth lookup: unable to get issuer certificate”, which the configurator reports as “Error validating custom certificate”. It means that an issuer certificate is missing from the chain, but how is that possible? The chain matches the certification path exactly:

[screenshot: ssl7]

After a moment’s thought, I check the GeoTrust Global CA certificate and it turns out that it is also an intermediate certificate! The chain is as follows:

[screenshot: ssl8]

I add the GeoTrust (Equifax Secure CA) certificate to the certificate chain and check again:

[screenshot: ssl6]

It works! So the correct chain for a certificate issued by RapidSSL is:

4. *.pulab.pl
3. RapidSSL CA
2. GeoTrust Global CA
1. GeoTrust

This is the first time I have come across a situation where Windows shows an incomplete certification path; apparently GeoTrust Global CA enjoys a very high level of trust at Microsoft.

I recall that the correct structure of a certificate chain file is as follows (each block is the Base64-encoded certificate, ordered from the server certificate up to the root):

-----BEGIN CERTIFICATE-----
<server certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<intermediate (2) CA certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<intermediate (1) CA certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<root CA certificate>
-----END CERTIFICATE-----

Was this information helpful? Tell me, please leave a comment!


Author: Piotr Pisz

Computers always, since I got a Commodore 64 at the end of primary school, through my beloved Amiga and an infinite number of Linux consoles, until today, a fully virtual day. Since 2001 a Unix/Linux systems administrator, for seven years a faithful companion and protector of the Solaris system, until its sad end. In 2011 I went into the depths of virtualization, then smoothly ascended into the clouds and remain there today. Professionally I work as a Systems Architect at the Polish Security Printing Works.
