I was upgrading my VMware View environment recently from 5.0 to 5.1 and wrote about some initial problems in my article Trouble Recomposing View 5.x Desktops After Upgrade to vSphere 5.0 U2. After I had resolved those initial problems I needed to load my internal Root CA certificate onto all my company’s iPhones and iPads. This is because one of the big changes or improvements in View 5.1 is with security, and you now need trusted certificates in order to connect to any of the desktops. Fortunately there is no need to purchase expensive public certificates if you already have an internal corporate PKI / CAs configured, unless you want to. This article will show you how you can easily get your iPhones or iPads to trust your corporate CA certificates for use with VMware View.
I’ve included images here to explain the process as I think it’s easier to follow. I used one of my iPhones to keep the images reasonably small. To be honest you’re much more likely to be doing this on an iPad. But iPhones are perfectly usable in my opinion provided you have the iPhone to VGA adapters and a Bluetooth Keyboard.
Trying to Connect Without Trusting the Certificate
If you try to connect to a VMware View 5.1 environment using the iOS View Client without first trusting the CA certificate you will receive a message as per the image below:
If you click on View Certificate you will see some details about the untrusted certificate:
There is no way to set your device to trust your CA certificate from this screen. In order for you to get your iPhone or iPad to trust the certificate you will need to follow the process below.
Getting Your iPhone or iPad to Trust Your CA Certificate
1. Obtain a copy of the CA Certs (Root CA and Intermediate CA if used) and email them to your device, such as in the following image:
You’ll notice the attachment in the image above shows a certificate type icon.
2. You now need to tap on the attachment. You will be presented with the following screen:
At this point, before continuing to the next step, you should tap More Details. You should verify that it is indeed the certificate that you were expecting, that it’s from your corporate CA, and that it is valid and should be trusted. Once you are satisfied this is indeed a legitimate certificate that you should trust, you can continue.
3. Tap Install. You will see the following warning image displayed on the screen:
Because your corporate CA is not a trusted public CA it is not automatically in the trusted list for your devices. This is the reason this warning is being displayed. Provided you are happy with the checks you’ve done in the previous step, after reading this warning you can continue to the next step.
4. Tap Install. You will see the following image displayed on screen:
At this point you need to enter your passcode so that the certificate can be loaded into your device’s trust store and be trusted. Once you have entered your passcode successfully you will automatically be at the next step.
5. You have successfully loaded your corporate CA certificate into your device’s trust store. You will see the following image displayed on the screen:
Now when you connect using the VMware View Client your Connection Servers’ certificates, which were signed by your corporate CA, will be trusted and your connections will be successful. If you have more than one CA that needs to be trusted you need to complete these steps for each of the certificates. You can now tap Done and go back to the VMware View Client and test the connections.
6. Now when connecting to your VMware View Connection Servers or Security Servers an image similar to the following will be displayed on screen:
You can see by the tick on the padlock and the text https being displayed in green that the certificate and connection are trusted. If the connections weren’t trusted you wouldn’t have been able to connect. Enter your username and password and then tap done or go.
7. You will receive the list of entitled desktops similar to the image below and you can now proceed to use your desktops as per normal. This process is complete!
Removing a Certificate From Your iPhone or iPad Trust Store
If for some reason you find out that a certificate has become invalid or has been revoked you will need to remove it from the trust store on your iDevice. Doing this is very simple.
1. Tap Settings.
2. Tap General. You will see on the screen something similar to the following:
You can see the profile listed and the name of the CA in this example.
3. Tap Profile. You will see on the screen something similar to the following:
4. Tap Remove. You will see a warning displayed similar to the following:
5. Tap Remove. You will see the passcode dialog box displayed as per the image below.
6. Enter your passcode. You will be returned to the settings screen and you’ll notice as per the image below that the profile has now gone.
You have now completely removed the certificate from your device’s trust store. When the new certificates are issued you can go back and follow the process to install them again.
Final Word
As you would expect Apple has made it fairly painless to get this all working. However when it comes to security and trusting certificates great care needs to be taken. You must verify that the certificates that are being sent to you for use are genuine and can be trusted. If for some reason the certificates expire, are revoked or for some other reason invalidated then you need to follow the process to remove the certificates from the trust store and then install the new ones. I hope this has been helpful and that you get hours of productivity out of your VMware View 5.1 vDesktops from your favourite iDevices.
—
This post first appeared on the Long White Virtual Clouds blog at longwhiteclouds.com, by Michael Webster. Copyright © 2013 – IT Solutions 2000 Ltd and Michael Webster. All rights reserved. Not to be reproduced for commercial purposes without written permission.
Hey Michael, another nice article, thanks. Are you aware of the Apple iPhone Confg. utility (http://support.apple.com/kb/DL1466)? For multiple iDevice deployments this is probably easier. Have a look here, in particular the SCEP (Simple Certificate Enrollment Protocol) payload section – http://developer.apple.com/library/ios/#featureda…
I tried to install a root CA with MD5 signature. While it was successfully installed, it still shows as untrusted. I've read some forums saying that MD5 signatures are unsupported on iOS (iPad)? Is this why it's showing as untrusted?
MD5 is very weak and not supported. You should consider SHA256 or SHA512, SHA1 would be the minimum.
But it is of no importance for root certificates, so this is weird.
Hi,
I have just tried installing Wildcard CA in iPhone 4 using the above procedure, and it's showing Trusted in the Root CA store in iPhone. But when I connect using View Horizon Client it's still showing me the Untrusted View Connection Pop up. Please help.
Hi Mobin, You don't install the wildcard cert in the iPhone you need to install the Root CA cert in the iPhone. Then your View Connection Server will show as trusted.
I've tried with the Root CA and it's still giving me the Untrusted View Connection pop up. In the CA Store it's showing the certificate is Trusted but in the View Horizon Client it's showing Not Trusted.
Any idea where I have to make changes?
In this case it's likely to be a problem with the attributes of the certificate on the connection server. For whatever reason the details returned to your device are not able to be validated / verified. This could happen if it's presenting a different DNS name to your device than it has on the certificate. To address this you may need to add additional subject alternative names to the connection broker's certificate.
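The situation described in the reply above (root CA trusted, connection still flagged because the name the client connects to is not on the Connection Server certificate) can be reproduced offline. This is an added example, not code from the original post or from VMware: it matches a typed server name against the SAN entries of a certificate given in the dict shape Python's `ssl.SSLSocket.getpeercert()` returns. The sample certificate, host names and address are constructed, and the wildcard rule and CN fallback are assumptions modelled on RFC 6125, not documented View client behaviour.

```python
import ipaddress

# Constructed sample in the dict shape ssl.SSLSocket.getpeercert() returns.
# Every host name and address here is made up for illustration.
SAMPLE_CERT = {
    "subject": ((("commonName", "view01.corp.example"),),),
    "subjectAltName": (
        ("DNS", "view01.corp.example"),
        ("DNS", "*.vdi.corp.example"),
        ("IP Address", "10.0.0.15"),
    ),
}


def dns_match(pattern, host):
    """RFC 6125 style: '*' may only stand for the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard covers exactly one label
    if p[0] == "*":
        # Refuse '*.com'-style patterns and empty left-most labels.
        return len(p) > 2 and h[0] != "" and p[1:] == h[1:]
    return p == h


def name_matches_cert(cert, typed_name):
    """Return (ok, candidates) for the server name the user typed."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(typed_name)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is compared only with iPAddress entries, never DNS.
        ips = [v for k, v in sans if k == "IP Address"]
        return any(ipaddress.ip_address(v) == ip for v in ips), ips
    names = [v for k, v in sans if k == "DNS"]
    if not sans:
        # Assumption: with no SAN extension, fall back to the subject CN.
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn
                 if k == "commonName"]
    return any(dns_match(p, typed_name) for p in names), names


if __name__ == "__main__":
    for typed in ("view01.corp.example", "view01", "pool1.vdi.corp.example",
                  "a.b.vdi.corp.example", "10.0.0.15", "10.0.0.16"):
        ok, seen = name_matches_cert(SAMPLE_CERT, typed)
        print(f"{typed:24} {'match' if ok else 'MISMATCH'}  candidates={seen}")
```

The short name `view01` and the two-level name `a.b.vdi.corp.example` both report a mismatch even though the issuing CA is trusted, which is the case where adding subject alternative names to the server certificate resolves the warning.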