You must configure the TLS/SSL Certificates for Unified Access Gateway appliances. TLS/SSL is required for client connections to Unified Access Gateway appliances. Client-facing Unified Access Gateway appliances and intermediate servers that terminate TLS/SSL connections require TLS/SSL server certificates.

TLS/SSL server certificates are signed by a Certificate Authority (CA). A CA is a trusted entity that guarantees the identity of the certificate and its creator. When a certificate is signed by a trusted CA, users no longer receive messages asking them to verify the certificate, and thin client devices can connect without requiring additional configuration.

Note: Configuring the TLS/SSL certificates for the Unified Access Gateway appliance applies to Horizon and Web Reverse Proxy only.

A default TLS/SSL server certificate is generated when you deploy a Unified Access Gateway appliance. For production environments, VMware recommends that you replace the default certificate as soon as possible. The default certificate is not signed by a trusted CA. Use the default certificate only in a non-production environment.

VMware recommends using an RSA key-based certificate for the TLS server. The certificate and private key can be provided either as a PKCS12/PFX keystore or as separate private key and certificate chain files in PEM format.

To extract the certificate chain from a PKCS12/PFX file into PEM format, run the following openssl command:
openssl pkcs12 -in mycaservercert.pfx -nokeys -out mycaservercert.pem
To extract the private key from a PKCS12/PFX file into PEM format (the -nodes option writes the key without passphrase protection), run the following openssl command:
openssl pkcs12 -in mycaservercert.pfx -nodes -nocerts -out mycaservercertkey.pem
When the certificate and key are provided in PEM format, the private key must be in PKCS#1 format. To convert the private key from PKCS#8 to PKCS#1 (from a BEGIN PRIVATE KEY header to a BEGIN RSA PRIVATE KEY header), run the following openssl command:
openssl rsa -in mycaservercertkey.pem -check -out mycaservercertkeyrsa.pem
With OpenSSL 3.x, openssl rsa writes PKCS#8 output by default; add the -traditional option to the command above to obtain PKCS#1 output. Confirm the result by checking that the output file starts with BEGIN RSA PRIVATE KEY.
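The following script is an added example and is not part of the VMware documentation or the Unified Access Gateway product. It wraps the conversion above in a pre-upload check that a practitioner would typically run before touching the appliance: it classifies the private key header (PKCS#1, PKCS#8, or encrypted), converts to PKCS#1 in a way that works on both OpenSSL 1.1 and 3.x (detecting whether -traditional is available), and verifies that the key actually belongs to the first certificate in the chain file. It assumes the openssl CLI is on PATH, that the server (leaf) certificate is the first entry in the chain file, and it generates a throwaway self-signed key pair under a constructed name (uag.example.test) purely as sample input; all file names are placeholders.

```shell
#!/bin/sh
# Added example (not VMware's code): sanity-check PEM key and chain files
# before uploading them to a Unified Access Gateway appliance.
# Assumes: openssl CLI on PATH; leaf certificate is first in the chain file.

# key_format FILE -> prints pkcs1, pkcs8, encrypted, or unknown
key_format() {
  if grep -q 'BEGIN RSA PRIVATE KEY' "$1"; then
    # A PKCS#1 key can still carry a passphrase (legacy Proc-Type header).
    if grep -q 'Proc-Type: 4,ENCRYPTED' "$1"; then echo encrypted; else echo pkcs1; fi
  elif grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$1"; then
    echo encrypted
  elif grep -q 'BEGIN PRIVATE KEY' "$1"; then
    echo pkcs8
  else
    echo unknown
  fi
}

# to_pkcs1 IN OUT -> rewrites an unencrypted RSA key as PKCS#1.
# OpenSSL 3.x emits PKCS#8 unless -traditional is given; 1.1 has no such flag.
to_pkcs1() {
  if openssl rsa -help 2>&1 | grep -q -- '-traditional'; then
    openssl rsa -in "$1" -check -traditional -out "$2" >/dev/null 2>&1
  else
    openssl rsa -in "$1" -check -out "$2" >/dev/null 2>&1
  fi
}

# key_matches_cert KEY CERT -> succeeds if KEY's public key equals the
# public key inside the first certificate of CERT (SPKI PEM comparison).
key_matches_cert() {
  k=$(openssl rsa -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# chain_count FILE -> number of PEM certificates in the chain file
chain_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# check_bundle KEY CHAIN -> prints OK or a FAIL reason; exit status matches
check_bundle() {
  fmt=$(key_format "$1")
  case "$fmt" in
    pkcs1) ;;
    *) echo "FAIL: private key is $fmt, UAG requires PKCS#1 (BEGIN RSA PRIVATE KEY)"; return 1 ;;
  esac
  n=$(chain_count "$2")
  [ "$n" -ge 1 ] || { echo "FAIL: no certificate found in chain file"; return 1; }
  key_matches_cert "$1" "$2" \
    || { echo "FAIL: private key does not match the first certificate in the chain"; return 1; }
  echo OK
}

# make_fixture DIR -> constructed sample input: a self-signed cert with a
# PKCS#8 key, plus an unrelated key to exercise the mismatch path.
make_fixture() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/key8.pem" -out "$1/cert.pem" \
    -subj "/CN=uag.example.test" -days 1 >/dev/null 2>&1
  openssl genrsa -out "$1/other.pem" 2048 >/dev/null 2>&1
}

# Stand-alone demo: convert the sample key and run the checks.
tmp=$(mktemp -d)
make_fixture "$tmp"
echo "raw key format:       $(key_format "$tmp/key8.pem")"
to_pkcs1 "$tmp/key8.pem" "$tmp/key1.pem"
echo "converted key format: $(key_format "$tmp/key1.pem")"
echo "bundle check:         $(check_bundle "$tmp/key1.pem" "$tmp/cert.pem")"
rm -rf "$tmp"
```

In day-to-day use, replace the fixture with the real mycaservercertkeyrsa.pem and mycaservercert.pem and run check_bundle on them; a FAIL on the key/certificate match is the most common cause of a rejected upload, usually because the chain file has an intermediate first or the key was taken from a different PFX.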

TLS Server Certificate Settings in the Admin UI

  1. In the Configure Manually section of the UAG Admin console, click Select.
  2. In the Advanced Settings > Identity Bridging Settings section, select the TLS Server Certificate Settings gearbox icon.

    Admin and Internet certificate details are shown.

  3. Click the gearbox icon to modify the certificate.
  4. Select the interface to apply the certificate, either the Admin, Internet, or both.
  5. Select the certificate type, PEM or PFX.

    For PEM, select the private key and certificate chain.

    For PFX, select the PFX certificate to upload, and enter the PFX password and alias.

  6. Click Save.