These instructions provide a sample for how to set a self-signed certificate using OpenSSL for Integration Broker.
Procedure
- Create a self-signed certificate for the Integration Broker server.
- Create the ibcerts folder to use as the working directory.
- Create a configuration file using the vi openssl_ext.conf command.
- Copy and paste the following OpenSSL commands into the configuration file.
# openssl x509 extfile params
extensions = extend
[req] # openssl req params
prompt = no
distinguished_name = dn-param
[dn-param] # DN fields
C = US
ST = CA
O = VMware (Dummy Cert)
OU = Horizon Workspace (Dummy Cert)
CN = hostname (Virtual machine hostname where the Integration Broker is installed. )
emailAddress = EMAIL PROTECTED
[extend] # openssl extensions
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth,clientAuth
[policy] # certificate policy extension data
Note: Type the CN value before you save the file. - Run this command to generate a private key.
openssl genrsa -des3 -out server.key 1024
- Type the passphrase for server.key, for example, vmware.
- Rename the server.key file to server.key.orig.
mv server.key server.key.orig
- Remove the password associated with the key.
openssl rsa -in server.key.orig -out server.key
- Copy and paste the following OpenSSL commands into the configuration file.
- Create a CSR (certificate signing request) with the generate key. The server.csr is stored in your working directory.
openssl req -new -key server.key -out server.csr -config ./openssl_ext.conf
- Sign the CSR.
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt -extfile openssl_ext.conf
The expected output displays.
Signature ok subject=/C=US/ST=CA/O=VMware (Dummy Cert)/OU=Horizon Workspace (Dummy Cert)/CN=w2-hwdog-xa.vmware.com/emailAddress=EMAIL PROTECTED Getting Private key
- Create P12 format.
openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12
- Press Enter at the prompt for an export password.
Important: Do not enter a password.The expected output is server.p12 file.
- Move the server.p12 file to the Windows machine where Integration Broker is installed.
- From the Command Prompt, type mmc.
- Click File > Add or Remove Snap-ins.
- In the Snap-in window, click Certificates and click Add.
- Select the Computer account radio button.
- Press Enter at the prompt for an export password.
- Import the certificate into the root and personal store certificates.
- Choose All Files in the dialog.
- Select the server.p12 file.
- Click the Exportable check box.
- Leave the password blank.
- Accept the defaults for the subsequent steps.
- Copy the certificate into the Trusted Root CAs in the same mmc console.
- Verify that the content of the certificate includes these elements.
- Private key
- CN in the subject attribute that matches the Integration Broker Host Name
- Extended key usage attribute with both client and server authentication enabled