Using Self Certified SSL Certificates
Paul Fisher, Systems Consultant, paul.fisher@quest.com
Quest Software Desktop Virtualisation Group
Quest Software (UK) Limited, Ascot House, Maidenhead Office Park, Westacott Way, Littlewick Green, Maidenhead, Berks SL6 3QQ
www.quest.com www.vworkspace.com
2008 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's personal use without the written permission of Quest Software, Inc. If you have any questions regarding your potential use of this material, contact: Quest Software World Headquarters LEGAL Dept 5 Polaris Way Aliso Viejo, CA 92656 USA Web Site: www.quest.com Email: legal@quest.com Refer to our Web site for regional and international office information. TRADEMARKS Quest, Quest Software, the Quest Software logo, Quest Software Provision Networks Division, Quest Software Provision Networks Division logo, Provision Networks, Virtual Access Suite (VAS), VAS Connection Broker, VAS Password Manager, Web-IT, Secure-IT are trademarks and registered trademarks of Quest Software, Inc. Other trademarks and registered trademarks used in this guide are property of their respective owners. Disclaimer The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. 
IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest does not make any commitment to update the information contained in this document.
Contents
Overview ... 4
Creating the Self Signed SSL Certificate (Windows 2003) ... 5
Exporting the Certificate for Use ... 9
    Exporting with the private Key (For SSL Gateway) ... 9
    Exporting with no private Key (For SSL Gateway and Client devices) ... 10
Installing the Certificates on the SSL Gateway ... 12
    Root Certificate Installation ... 12
    Personal Certificate Installation ... 13
Installing the Certificate on the Client Device ... 17
    Root Certificate Installation ... 17
Overview

This document describes the process of creating a self-signed Secure Sockets Layer (SSL) certificate and using it with the Quest SSL Gateway for vWorkspace. The SSL Gateway enables clients to reach the vWorkspace Web Access client over HTTPS and then connect to their published desktops and applications using RDP over SSL. It is designed to simplify the deployment of applications over the Internet, securely and cost-effectively, and it is included in all licensing at no additional cost.

Self-signed SSL certificates are recommended for testing, proof-of-concept and trial installations only, not for production environments. The reason is the added process of installing the certificate on every client that needs to connect: a self-signed certificate is trusted by nobody until it has been placed by hand in each client's Trusted Root store. The shortcut of letting users click through the certificate warning instead is worse than no SSL at all, because it trains them to accept any certificate, including one presented by an attacker sitting between them and the gateway. For production, use a certificate issued by a certification authority the clients already trust.

The process described here is done on Windows 2003; as yet I have not successfully configured an SSL certificate on a Windows 2008 machine that works with vWorkspace's SSL Gateway.

How the gateway handles RDP: connections are SSL-encrypted at the client workstation and sent through the corporate firewall on TCP port 443. Once received by the SSL Gateway, the data is decrypted and forwarded to the destination virtual machine on TCP port 3389. Outbound RDP traffic passing back through the SSL Gateway is encrypted and forwarded to the client workstation.

The SSL Gateway can also be used with Web Access. Web browser requests destined for the Web Access server are SSL-encrypted at the client workstation and sent through the corporate firewall on TCP port 443. Once received by the SSL Gateway, the data is decrypted and forwarded to the destination Web Access server on TCP port 80. Outbound responses from the Web Access server passing back through the SSL Gateway are encrypted and forwarded to the client's web browser.

Note that in both cases SSL terminates at the gateway. The certificate created in this guide protects only the client-to-gateway leg; the hop from the gateway to the Web Access server on port 80 is plain HTTP, so keep the gateway and the servers behind it on a trusted internal network segment.
Basic steps:
1. Create the SSL certificate with SelfSSL.
2. Export the certificate twice (with and without the private key).
3. Install the certificate with the private key into the Personal store on the SSL Gateway server.
4. Install the certificate without the private key into the Trusted Root Certification Authorities store on the SSL Gateway server.
5. Install the certificate without the private key into the Trusted Root Certification Authorities store on each client device.
Creating the Self Signed SSL Certificate (Windows 2003)

Download the IIS 6.0 Resource Kit Tools (http://support.microsoft.com/kb/840671) and install them on your Windows 2003 web server (IIS). Run the SelfSSL command prompt and enter the following command, changing the values where appropriate:

    selfssl.exe /N:CN=remote.domainname.com /K:1024 /V:365 /S:1 /P:443

/N:CN= is the certificate subject and must be the fully qualified domain name that clients will use to reach the gateway. If it differs from the name users type into the browser or RDP client, they still get a name-mismatch warning even after the certificate has been trusted.
/K:1024 is the RSA key size in bits. The guide keeps SelfSSL's default of 1024 and was only tested at that size; note that 1024-bit RSA is no longer considered adequate, so for anything beyond a short test prefer /K:2048.
/V:365 is how many days the certificate is valid for.
/S:1 is the ID of the IIS website the certificate will be created for (1 is the Default Web Site).
/P:443 is the SSL port that will be configured on that website.
SelfSSL also accepts /T, which additionally places the new certificate in the local machine's Trusted Root store. On a server that is also the SSL Gateway this does the root import described later for that machine; client devices still need the manual import.

It is important to note that you do not need the SSL certificate bound to the IIS website itself: the Quest SSL Gateway service handles the SSL encryption. SelfSSL both creates the certificate in the computer's Personal store and binds it to the website, so once the command has run the first thing to do is remove that binding. The certificate itself stays in the store. To remove the binding, open the IIS management console, right-click the Default Web Site and select Properties. Select the Directory Security tab. In the Secure communications section click Server Certificate, click Next and then choose Remove Certificate.
Click Next > Next > Finish. Then select the Web Site tab and clear the SSL port field so that it is blank. Click Apply.
Next, set the friendly name of the certificate. Open an MMC console by clicking Start > Run, typing mmc and pressing Enter. In the MMC console click File > Add/Remove Snap-in. Click Add, select Certificates, then select Computer account. Click Next and then OK. Expand Certificates > Personal > Certificates. Right-click the newly listed certificate and select Properties. In the Friendly name field enter the fully qualified domain name, e.g. remote.domainname.com (shown below).
Note: This must be exactly the same fully qualified domain name that was entered for /N:CN= when creating the certificate with selfssl.exe.
Exporting the Certificate for Use

We need to export the certificate and install it on both the SSL Gateway and any client devices you want to test from. To do this we export the certificate twice: once with the private key, for the SSL Gateway only, and once without it, for the Trusted Root store on the gateway and on the client devices.

Exporting with the private Key (For SSL Gateway)

Within the MMC console right-click your newly created certificate and select All Tasks > Export.
Click Next and then select Yes, export the private key (shown below). Click Next and leave everything at its default. Click Next and enter a password. This password is the only protection the private key has once it is in a file, so choose a strong one and keep the resulting .pfx where only the gateway administrator can read it; anyone who obtains it can impersonate the gateway to every client that trusts the certificate. Click Next and save the .pfx file, e.g. ssl_withkey.pfx.

Exporting with no private Key (For SSL Gateway and Client devices)

Within the MMC console right-click your newly created certificate and select All Tasks > Export.
Click Next and then select No, do not export the private key (shown below). Click Next and accept the defaults. Click Next and save the .cer file, e.g. ssl_nokey.cer. This file contains only the public certificate and can be handed out freely.
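The creation and export steps above, as an added example that is not part of the original Quest guide: the same certificate built, checked and exported from PowerShell on a current Windows host with the PKI module (Windows Server 2016 / PowerShell 5.1 or later, elevated prompt). Windows 2003 has none of these cmdlets; there you follow the SelfSSL and MMC steps in the text. New-SelfSignedCertificate stands in for SelfSSL, so no IIS binding is created and there is nothing to remove from the website. The host name remote.domainname.com, the output folder C:\certs, the file names and the password prompt are this example's own placeholders.

```powershell
# Added example (not from the original Quest guide). Requires the PKI module:
# Windows Server 2016 / Windows 10 with PowerShell 5.1 or later, elevated prompt.
# Windows 2003 has none of these cmdlets; there, follow the SelfSSL and MMC steps in the text.
# Host name, output folder, file names and the password prompt are placeholders.
$Fqdn    = 'remote.domainname.com'   # exactly the name users will type into the browser / RDP client
$OutDir  = 'C:\certs'
$PfxPass = Read-Host -AsSecureString 'Password to protect ssl_withkey.pfx'

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Stand-in for: selfssl.exe /N:CN=remote.domainname.com /K:1024 /V:365 /S:1 /P:443
# The guide keeps /K:1024; 2048 is the current minimum for RSA. No IIS binding is created,
# so the "remove the certificate from the website" step does not apply.
$cert = New-SelfSignedCertificate `
    -DnsName           $Fqdn `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyLength         2048 `
    -KeyExportPolicy   Exportable `
    -NotAfter          (Get-Date).AddDays(365) `
    -FriendlyName      $Fqdn   # friendly name must equal the CN, as the text requires

# Checks for the mistakes that later surface as a gateway that will not list the
# certificate or a client that still warns.
if ($cert.Subject -ne "CN=$Fqdn")          { throw "Subject is '$($cert.Subject)', expected CN=$Fqdn" }
if ($cert.FriendlyName -ne $Fqdn)          { throw 'Friendly name does not match the CN' }
if (-not $cert.HasPrivateKey)              { throw 'No private key: the gateway cannot use this certificate' }
if ($cert.Issuer -ne $cert.Subject)        { throw 'Not self-signed (issuer differs from subject)' }
if ($cert.PublicKey.Key.KeySize -lt 2048)  { throw "Key is $($cert.PublicKey.Key.KeySize) bits; use 2048 or more" }

# Export 1: with the private key, for the SSL Gateway only. Whoever holds this file and its
# password can impersonate the gateway to every client that trusts the .cer below.
$pfxPath = Join-Path $OutDir 'ssl_withkey.pfx'
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $PfxPass | Out-Null

# Export 2: public certificate only, for the Trusted Root store on the gateway and on every client.
$cerPath = Join-Path $OutDir 'ssl_nokey.cer'
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

# Confirm the .cer carries no private key and is the same certificate as the one in the store.
$pub = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
if ($pub.HasPrivateKey)                   { throw 'The .cer unexpectedly contains a private key' }
if ($pub.Thumbprint -ne $cert.Thumbprint) { throw 'Exported .cer is not the certificate in the store' }

"Created $Fqdn (thumbprint $($cert.Thumbprint), valid until $($cert.NotAfter.ToString('yyyy-MM-dd')))"
"  $pfxPath  - private key, SSL Gateway only"
"  $cerPath  - public only, Trusted Root on gateway and clients"
```

The checks are the ones worth running after the manual procedure too: subject equal to the friendly name, a private key actually attached, and a .cer whose thumbprint matches the certificate in the store. The .pfx password is read as a SecureString rather than written into the script so that it does not end up in the command history or in the file alongside the key it protects.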
Installing the Certificates on the SSL Gateway

Root Certificate Installation

On the SSL Gateway server, open an MMC console and add the Certificates snap-in for the Computer account (as described above). Expand the Certificates node and then Trusted Root Certification Authorities. Right-click the Certificates folder and select All Tasks > Import. Browse to the certificate file that does not contain the private key (the .cer file).
Ensure that the certificate is placed in Trusted Root Certification Authorities on the following screen. Click Next > Finish. Ensure that the friendly name is set once imported.

Personal Certificate Installation

If your Web Access server (installed under IIS) is also acting as the SSL Gateway, you do not need to do this step or install the .pfx certificate: SelfSSL already created the certificate, together with its private key, in that server's Personal store. If the SSL Gateway is a separate server from the one you ran SelfSSL on, you need to import the certificate with the private key into the Computer account's Personal certificate store.
On the SSL Gateway server, in the same MMC console, expand the Certificates node and then Personal. Right-click the Certificates folder and select All Tasks > Import. Browse to the certificate file that does contain the private key (the .pfx file). You will need to change the file type filter in the Open dialog to see .pfx files.
Enter the password. The guide selects Mark this key as exportable; be aware that this allows any administrator of the gateway to export the private key again, so only select it if you expect to move the certificate to another server later. Click Next. Confirm the certificate is being placed in the Personal store. Click Next > Finish. Confirm the friendly name is set for the certificate after importing. The certificate will now be available to select in the SSL Gateway control panel application.
Installing the Certificate on the Client Device

Root Certificate Installation

On the client device, open an MMC console and add the Certificates snap-in for the Computer account (as described above). Expand the Certificates node and then Trusted Root Certification Authorities. Right-click the Certificates folder and select All Tasks > Import. Browse to the certificate file that does not contain the private key (the .cer file). Never distribute the .pfx file to client devices.
Ensure that the certificate is placed in Trusted Root Certification Authorities on the following screen. Click Next > Finish. Ensure that the friendly name is set once imported.
Note: You can add this certificate (the .cer file only) to the download section of Web Access to make it easier for users to obtain and install.
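The import steps for the SSL Gateway (Installing the Certificates on the SSL Gateway) and for the client device (above), as an added example that is not from the original Quest guide: a PowerShell script for a current Windows host with the PKI module (Windows Server 2012 R2 / PowerShell 4 or later, elevated prompt) that performs the imports and then runs the checks that show whether the manual MMC steps had the intended effect, in particular whether Windows now builds a trusted chain for the certificate, which is what the browser and the RDP client do before they stop warning. Windows 2003 machines follow the MMC steps in the text instead. The host name remote.domainname.com, the paths under C:\certs and the $IsGateway flag (this script's own way of telling a gateway run, with both imports, from a client run, with the root import only) are placeholders.

```powershell
# Added example (not from the original Quest guide). Requires the PKI module (Windows Server
# 2012 R2 / PowerShell 4 or later) and an elevated prompt. Windows 2003 clients and gateways
# follow the MMC steps in the text instead. Paths, host name and the $IsGateway flag are
# this example's own placeholders.
$Fqdn      = 'remote.domainname.com'
$CerPath   = 'C:\certs\ssl_nokey.cer'
$PfxPath   = 'C:\certs\ssl_withkey.pfx'   # present on the gateway only; never copied to clients
$IsGateway = $true                         # $false when running on a client device

# Steps 4 and 5 of the guide: public certificate into Trusted Root Certification Authorities.
$root = Import-Certificate -FilePath $CerPath -CertStoreLocation 'Cert:\LocalMachine\Root'
if ($root.HasPrivateKey) { throw 'A private key landed in the Root store; re-export the .cer without it' }

if ($IsGateway) {
    # Step 3: certificate plus private key into the Computer account's Personal store.
    # -Exportable is deliberately omitted: it is the "Mark this key as exportable" box, and an
    # exportable key can be pulled off the gateway by any local administrator.
    $pass = Read-Host -AsSecureString 'Password for ssl_withkey.pfx'
    $leaf = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pass
    if (-not $leaf.HasPrivateKey)              { throw 'Imported certificate has no private key; the gateway cannot present it' }
    if ($leaf.Thumbprint -ne $root.Thumbprint) { throw 'The .pfx and the .cer are different certificates' }
    if ($leaf.FriendlyName -ne $Fqdn)          { $leaf.FriendlyName = $Fqdn }   # the name the gateway control panel shows
}

# The check that matters on every machine: can Windows now build a trusted chain for this
# certificate? This is what the browser and the RDP client do before they stop warning.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck   # self-signed: no CRL exists
if (-not $chain.Build($root)) {
    $why = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    throw "Chain does not validate: $why (was the .cer imported into Trusted Root rather than Personal?)"
}

# Name check: the certificate name must be the host name users connect to, or they still get
# a name-mismatch warning even though the certificate is trusted.
$dnsType  = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName
$certName = $root.GetNameInfo($dnsType, $false)
if ($certName -ne $Fqdn) { throw "Certificate is for '$certName' but clients connect to '$Fqdn'" }

"OK: $Fqdn is trusted on this machine until $($root.NotAfter.ToString('yyyy-MM-dd'))" +
    $(if ($IsGateway) { ' and the gateway holds its private key' } else { '' })
```

The two failure messages a practitioner most often sees map directly onto the manual steps: a chain that does not validate means the .cer went into Personal (or the user's store) instead of the computer's Trusted Root store, and a name mismatch means the /N:CN= value given to SelfSSL is not the name users actually type. Revocation checking is switched off only because a self-signed certificate has no CRL to consult; leave it at its default for a CA-issued production certificate.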