By default, the Horizon Agent for Linux installer generates a self-signed certificate for the VMwareBlastServer daemon, which handles communications with clients using the Blast display protocol. To comply with industry or security regulations, you can replace the self-signed certificate for VMwareBlastServer with a certificate that is signed by a Certificate Authority (CA).

  • When the Blast Security Gateway is not enabled on the Horizon Connection Server, VMwareBlastServer presents the default self-signed certificate to the browser that uses HTML Access to connect to the Linux desktop.
  • When the Blast Security Gateway is enabled on the Horizon Connection Server, the Blast Security Gateway presents its certificate to the browser.

To replace the default self-signed certificate for VMwareBlastServer with a CA-signed certificate, you can use one of the following methods.

  • BCFKS keystore: With this method, you use the DeployBlastCert.sh deployment script to store the certificate and private key in an encrypted Bouncy Castle FIPS keystore (BCFKS) in the /etc/vmware/ssl directory.
  • Unencrypted storage: With this method, you manually copy the certificate and private key, without encryption, to the root level of the /etc/vmware/ssl directory.

The VMwareBlastServer daemon first looks in the Linux keyring for the certificate and private key from a BCFKS keystore. If it does not find a BCFKS keystore, it then reads the certificate and private key stored at the root level of /etc/vmware/ssl.

Deploy the VMwareBlastServer CA Certificate to a BCFKS Keystore

Note: This deployment method is supported only with Horizon Agent 2209.x, versions 2209.1 and later. It is not supported with Horizon Agent 2209.0.

The DeployBlastCert.sh deployment script creates a new BCFKS keystore named vmwareblast.bcfks in the /etc/vmware/ssl directory and stores the certificate and private key in this keystore. The information in the keystore is then added to the Linux keyring.

  1. Use the SSLCertName and SSLKeyName configuration options to customize the certificate name and private key name, respectively, as they will appear in the Linux keyring. For more information, see Configuration Options in /etc/vmware/viewagent-custom.conf.
  2. Run the DeployBlastCert.sh deployment script, as shown in the following example.
    sudo /usr/lib/vmware/viewagent/bin/DeployBlastCert.sh -c /root/rui.cert -k /root/rui.key

    Use the following parameter flags for the deployment script:

    Parameter Flag   Description
    -c               Specifies the CA-signed certificate file.
    -k               Specifies the private key file.

Deploy the VMwareBlastServer CA Certificate to Unencrypted Storage

  1. Add the private key and the CA-signed certificate to /etc/vmware/ssl.
    1. Rename the private key to rui.key and the certificate to rui.crt.
    2. Set read and executable permissions on /etc/vmware/ssl.
      sudo chmod 550 /etc/vmware/ssl
    3. Copy rui.key and rui.crt to /etc/vmware/ssl.
    4. Remove executable permissions on /etc/vmware/ssl.
      sudo chmod 440 /etc/vmware/ssl
  2. Install the root and intermediate CA certificates into the Linux OS Certificate Authority store.

    For information about other system settings that must be changed to support the CA certificate chain, refer to the documentation for your Linux distribution.
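The unencrypted-storage procedure above, as an added shell example that is not VMware's code: before the certificate and key are placed in the target directory, it checks that they belong together, that the certificate is not about to expire, and that it chains to the CA bundle you supply, then installs them under the names and directory modes the procedure specifies. The target directory is a parameter (defaulting to /etc/vmware/ssl) so the functions can be exercised outside /etc; the per-file modes (0400 for the key, 0444 for the certificate), the CA bundle path and the Blast port 22443 used by the post-deployment fingerprint check are assumptions of this example, not values from the page.

```shell
#!/bin/sh
# Added example, not VMware's code. Validates a CA-signed certificate/key pair
# and installs it the way the unencrypted-storage procedure describes.
# Assumes: openssl is installed; the caller supplies the CA bundle path.
set -eu

# Return 0 when the certificate and private key belong together, by comparing
# the SHA-256 of the public key extracted from each side.
blast_cert_matches_key() {
    cert="$1"; key="$2"
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# Return 0 when the certificate stays valid for at least $2 more days.
blast_cert_valid_for_days() {
    cert="$1"; days="$2"
    openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null
}

# Return 0 when the certificate chains to a CA in the given PEM bundle
# (the same root/intermediate chain you install into the OS CA store).
blast_cert_chain_ok() {
    cert="$1"; ca_bundle="$2"
    openssl verify -CAfile "$ca_bundle" "$cert" >/dev/null
}

# SHA-256 fingerprint of a certificate file, for comparison after deployment.
blast_cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Fingerprint of the certificate a running desktop presents on the Blast port.
# Port 22443 is an assumption of this example; adjust it to your deployment.
blast_presented_fingerprint() {
    host="$1"; port="${2:-22443}"
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256
}

# Install cert/key under the page's file names, using its directory modes:
# 550 while the files are written, 440 once they are in place.
# $3 is the target directory (default /etc/vmware/ssl); run as root for /etc.
blast_install_unencrypted() {
    cert="$1"; key="$2"; dir="${3:-/etc/vmware/ssl}"
    blast_cert_matches_key "$cert" "$key" || { echo "cert/key mismatch" >&2; return 1; }
    blast_cert_valid_for_days "$cert" 30 || { echo "cert expires within 30 days" >&2; return 1; }
    mkdir -p "$dir"
    chmod 550 "$dir"
    install -m 0400 "$key"  "$dir/rui.key"   # assumed mode: owner-read only
    install -m 0444 "$cert" "$dir/rui.crt"   # assumed mode: world-readable cert
    chmod 440 "$dir"
}
```

After the daemon has been restarted, compare `blast_cert_fingerprint /etc/vmware/ssl/rui.crt` with `blast_presented_fingerprint <desktop-host>`; if they differ, the daemon is still serving the self-signed certificate or a BCFKS keystore in the keyring is taking precedence, as the lookup order described above implies.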