How to replace the SSL certificate used by the vSpace Console Server

Scope

Starting with vSpace Pro Enterprise version 12.8.0, the vSpace Console supports the use of custom TLS/SSL certificates.
The NComputing vSpace Console Server service (running as the CMServer.exe process) is a component of vSpace Manager which provides vSpace Consoles with a central database of manageable devices, device groups, and networks. In vSpace deployments consisting of a single vSpace Manager and multiple connected vSpace Servers, the vSpace Console Server makes the devices discovered, as well as the networks or groups created, by any vSpace Console accessible to all other vSpace Consoles running on vSpace Servers connected to the same vSpace Manager. The vSpace Consoles establish TLS connections to the vSpace Console Server. By default, the vSpace Console Server presents a built-in self-signed TLS/SSL certificate to connecting Consoles. The procedure described in this article can be used to replace the built-in self-signed TLS/SSL certificate with a certificate signed by a Certification Authority trusted by the vSpace Servers running the vSpace Consoles.

The default certificate presented by the NComputing vSpace Console Server service (as well as its corresponding private key) is embedded in the service’s code. However, when the service starts, it checks its installation directory (“C:\Program Files\NComputing\vSpace Manager Software\cmserver” by default) for the presence of the “cert.pem” and “priv.key” files. These files should contain the certificate and the unencrypted private key, respectively, both in Base64-encoded (PEM) format. If found, the vSpace Console Server service will load them and use them for TLS instead of the default built-in certificate and private key.

Customers who prefer not to use the self-signed built-in certificate can replace the certificate and the private key with a certificate signed by a trusted Certification Authority.

Two certificate acquisition paths are described in this article:
  1. For vSpace Manager servers joined to Active Directory: requesting the certificate from a Certification Authority integrated with Active Directory.
  2. For vSpace Manager servers not joined to Active Directory: creating a certificate signing request for signing by any Certification Authority.

Summary

This article describes in detail the following procedure:


Requesting a server certificate on vSpace Manager servers joined to Active Directory with integrated Certification Authority

If the vSpace Server running the vSpace Manager and the vSpace Servers (where the vSpace Consoles will be started) are members of an Active Directory domain, the easiest way to generate a new certificate is to use the ‘Certificates’ snap-in of the Microsoft Management Console. It can be started by typing ‘Certificates’ in the Windows search bar and selecting ‘Manage computer certificates’ (not to be confused with ‘Manage user certificates’). The local computer ‘Certificates’ snap-in can also be started through the “certlm.msc” command entered in the search bar or Command Prompt.

Note: Administrator permissions are necessary to request machine certificates for the Local Computer account through the ‘Certificates’ snap-in.

To request a new certificate from a Certification Authority integrated with Active Directory:
  1. In the Certificates snap-in, select Certificates - Local Computer > Personal.
  2. Right-click the Personal store and select All Tasks > Request New Certificate.
  3. On the Before You Begin page of the Certificate Enrollment Wizard, click Next.
  4. On the Select Certificate Enrollment Policy page, click Next to accept the default Active Directory Enrollment Policy.
  5. On the Request Certificates page, select the Computer certificate template. Expand the Details of the Computer certificate template, and click the Properties button.
  6. On the Private Key tab of the Certificate Properties dialog, expand the Key options and select the Make private key exportable checkbox. Do not change any other certificate properties. Click the OK button.
  7. On the Request Certificates page of the Certificate Enrollment Wizard, click the Enroll button to begin the certificate enrollment process. Generating the certificate will take a few seconds.
  8. Click the Finish button to close the Certificate Enrollment Wizard. The newly created certificate will appear in the Certificates folder of the Personal certificate store.

Requesting a server certificate on vSpace Manager servers not joined to Active Directory

If the vSpace Server running the vSpace Manager is not a member of an Active Directory domain, the ‘Certificates’ snap-in of the Microsoft Management Console can be used to create the private key and the Certificate Signing Request, which then must be sent to an external Certification Authority for signing. A signed certificate matching the private key created together with the signing request will be returned by the CA after request verification.

The ‘Certificates’ snap-in can be started by typing ‘Certificates’ in the Windows search bar and selecting ‘Manage computer certificates’ (not to be confused with ‘Manage user certificates’). The local computer ‘Certificates’ snap-in can also be started through the “certlm.msc” command entered in the search bar or Command Prompt.

Note: Administrator permissions are necessary to request machine certificates for the Local Computer account through the ‘Certificates’ snap-in.

To create a new certificate signing request:
  1. In the Certificates snap-in, select Certificates - Local Computer > Personal.
  2. Right-click the Personal store and select All Tasks > Advanced Operations > Create Custom Request…

  3. On the Before You Begin page of the Certificate Enrollment Wizard, click Next.
  4. On the Select Certificate Enrollment Policy page, under Custom Request, select Proceed without enrollment policy and click Next.
  5. On the Custom Request page, leave the default selections (No template and PKCS #10 request format), and click Next.
  6. On the Certificate Information page, expand the Details of the custom request and click the Properties button.
  7. On the Subject tab of the Certificate Properties dialog:
     1. Select Common name as the Type in the Subject name box and enter the fully qualified name of the vSpace Manager host in the Value field,
     2. Click the Add > button,
     3. In the Alternative name box, select DNS as the Type and enter the same fully qualified host name into the Value field,
     4. Click the corresponding Add > button.
  8. On the Extensions tab of the Certificate Properties dialog:
     1. Expand the Key usage settings,
     2. Add the Digital signature and Key encipherment options to the Selected options list,
     3. Select the Make these key usages critical checkbox,
     4. Expand the Extended Key Usage settings,
     5. Add the Server Authentication and Client Authentication options to the Selected options list.
  9. On the Private Key tab of the Certificate Properties dialog:
     1. Expand the Key options,
     2. Select your desired private Key size,
     3. Select the Make private key exportable checkbox.
  10. Click the OK button to save the settings and close the Certificate Properties dialog.
  11. On the Certificate Information page of the Certificate Enrollment Wizard, click Next.
  12. On the Where do you want to save the offline request page:
     1. Enter the path and name of the request (.req) file to be saved. This file will contain the certificate signing request, which will have to be sent to a Certification Authority for review and signing.
     2. Select Base64 as the File format.
     3. Click Next.
  13. Click the Finish button to create the request file and complete the Wizard.

Creating signed certificate from certificate signing request

The certificate signing process depends on the type of Certification Authority. The steps below describe the process for a Windows-based Certification Authority.
  1. Copy the certificate signing request (.req) file to the Windows Server machine running the Certification Authority.
  2. In a Windows Command Prompt running as a user who is permitted to request certificates on the CA machine, execute the following command:
    certreq -attrib "CertificateTemplate:webserver" -submit "path\to\certsignrequest.req"
  3. From the Certification Authority List, select your Certification Authority and click the OK button.
  4. The certificate signing process will take a few seconds. When the Save Certificate window appears, select the directory and name for the signed certificate file to be saved.

Importing the signed certificate to Personal certificate store of Local Computer account

Even though the signed certificate returned by the Certification Authority will most likely already be in the required Base64 (PEM) format, the certificate still has to be imported into the Personal certificate store of the Local Computer account on the machine where the certificate signing request was created. This is because the private key is also stored in this certificate store, and the private key can only be exported (as described in the next section of this document) together with its certificate.

To import the signed certificate:
  1. Open the ‘Certificates’ snap-in of the Microsoft Management Console by typing ‘Certificates’ in the Windows search bar and selecting ‘Manage computer certificates’ (not to be confused with ‘Manage user certificates’), or run the “certlm.msc” command from the search bar or Command Prompt.
    Note: Administrator permissions are necessary to import machine certificates into the Local Computer account through the ‘Certificates’ snap-in.
  2. Right-click the Certificates - Local Computer > Personal certificate store and select All Tasks > Import.
  3. On the Welcome page of the Certificate Import Wizard, click the Next button to accept the default Local Machine store location.
  4. On the File to Import page, select the file with the signed certificate returned by the Certification Authority and click the Next button.
  5. On the Certificate Store page, select the Place all certificates in the following store radio button and select the Personal store. Click the Next button.
  6. On the Completing page of the Certificate Import Wizard, click the Finish button to import the signed certificate.
Now both the private key (generated when creating the certificate signing request) and the certificate (signed by the external Certification Authority) are in the Personal certificate store of the Local Computer account, and you can proceed with the certificate and private key export, as described in the next section.

Exporting the certificate and the private key into separate files

To be able to extract the certificate and the private key into separate Base64/PEM files, the newly created or imported certificate first needs to be exported into a Personal Information Exchange (PKCS #12) file.
To export the certificate into a PKCS #12 file:
  1. Open the ‘Certificates’ snap-in of the Microsoft Management Console by typing ‘Certificates’ in the Windows search bar and selecting ‘Manage computer certificates’ (not to be confused with ‘Manage user certificates’), or run the “certlm.msc” command from the search bar or Command Prompt.
    Note: Administrator permissions are necessary to export machine certificates from the Local Computer account through the ‘Certificates’ snap-in.
  2. Open the Certificates - Local Computer > Personal > Certificates folder.
  3. Right-click the newly created or imported certificate, and select All Tasks > Export.
  4. On the Welcome to Certificate Export Wizard page, click Next.
  5. On the Export Private Key page, select the Yes, export the private key radio button and click Next.
  6. On the Export File Format page, select the Personal Information Exchange - PKCS #12 (.PFX) radio button and keep the default selections for all other checkboxes. Click Next.
  7. On the Security page, select the Password checkbox and enter a password to encrypt the private key. Write down the password for later use. Select the TripleDES-SHA1 Encryption option and click Next.
  8. On the File to Export page, enter the path and name of the .PFX file to be exported. This file will contain the computer certificate with its password-protected private key. Write down the file name and path for later use. Click Next.
  9. On the Completing the Certificate Export page, click Finish.

Extracting the certificate and the private key from the .PFX file

The .PFX file exported in the previous steps contains the server certificate signed by the Certification Authority as well as the corresponding private key. These two components must be extracted and saved into separate files in Base64-encoded (PEM) format to make them usable by the NComputing vSpace Console Server service. The extraction can be performed on Windows with the cmdlets of the PSPKI PowerShell module, or on any platform with the openssl command.

Extracting the certificate and private key files with PowerShell on Windows

In the Windows search bar or in Command Prompt, enter PowerShell to start Windows PowerShell.
If not yet installed, run the following command from the PowerShell prompt to install the PSPKI PowerShell module:
Install-Module PSPKI

Press [Y] when asked whether you want to install modules from an untrusted repository. Also, if asked, accept the installation of necessary dependencies.
After installation, to make the module cmdlets available for users, import the PSPKI module:
Import-Module PSPKI

Use the following command to extract the certificate and private key into a Base64-encoded file:
Convert-PfxToPem -InputFile "\path\to\exported\certificate.pfx" -OutputFile "\path\to\extracted\cert.pem"

When asked, provide the password which was set when exporting the .PFX file. The extracted file will contain both the certificate and the private key.

Note: As the extracted private key will be unencrypted, it’s advisable to extract the files into a directory which is not accessible to unauthorized users.

Copy the extracted “cert.pem” file to a new file named “priv.key”.
Open the “cert.pem” file in Notepad and remove the part of the file between (and including) the -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- lines. Leave only the part starting with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----.
E.g.:
-----BEGIN CERTIFICATE-----
MIIFLjCCBBagAwIBAgIKYTsAfQABAAAAwzANBgkqhkiG9w0BAQsFADBGMRUwEwYK
CZImiZPyLGQBGRYFbG9jYWwxFjAUBgoJkiaJk/IsZAEZFgZuYy1oZHgxFTATBgNV
BAMTDG5jLWhkeC1EQy1DQTAeFw0yNDA1MTMwOTM5MzFaFw0yNTA1MTMwOTM5MzFa
MCAxHjAcBgNVBAMTFVZTUy0yMDIyLm5jLWhkeC5sb2NhbDCCASIwDQYJKoZIhvcN
...
-----END CERTIFICATE-----

Open the “priv.key” file in Notepad and remove the part of the file between (and including) the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines. Leave only the part starting with -----BEGIN PRIVATE KEY----- and ending with -----END PRIVATE KEY-----.
E.g.:
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDlnYZxyKNch1r4
ElHRhC3qTew/l/ssOA6xTEQiFqLDSwU50ig5q2M0Rlyodb+vGYrUkbxnv9XanRld
fG5j4Ys4EX0fBIQBzMaT4f1s8eWLfos/EQQ5fLW+1jne98f+KftUG5RvTlG5FYVn
QlAZ++JKWkApTmCRk2IK2VKHFqDsgrshy0tXkpDfLK2Nwe2LKPqoDji2OYDegEXI
...
-----END PRIVATE KEY-----
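As an added example (not part of the NComputing article or product), the following PowerShell does the split described above without manual Notepad edits, and then checks the resulting cert.pem against what the certificate request steps asked for (validity, Server Authentication EKU, the host name in the SAN) and, on PowerShell 7.1 or later, that priv.key actually belongs to cert.pem. The paths, the FQDN and the function names are assumptions; adjust them for your deployment.

```powershell
# Added example, not from the NComputing article: split the combined PEM written by
# Convert-PfxToPem into "cert.pem" and "priv.key", then sanity-check the pair.
function Split-PemBundle {
    param(
        [Parameter(Mandatory)] [string] $BundlePath,   # output file of Convert-PfxToPem (assumed path)
        [Parameter(Mandatory)] [string] $OutDir        # directory not readable by ordinary users (assumed)
    )
    $text = Get-Content -Path $BundlePath -Raw
    # (?s) lets '.' span lines; the lazy '.*?' stops at the first matching END line,
    # so each match is exactly one PEM block including its BEGIN/END lines.
    $cert = [regex]::Match($text, '(?s)-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----')
    $key  = [regex]::Match($text, '(?s)-----BEGIN (?:RSA |EC )?PRIVATE KEY-----.*?-----END (?:RSA |EC )?PRIVATE KEY-----')
    if (-not ($cert.Success -and $key.Success)) {
        throw "No CERTIFICATE + PRIVATE KEY pair found in $BundlePath"
    }
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $certPath = Join-Path $OutDir 'cert.pem'
    $keyPath  = Join-Path $OutDir 'priv.key'
    # WriteAllText with ASCII avoids the byte-order mark that Out-File can prepend in
    # Windows PowerShell; a BOM in front of "-----BEGIN" breaks PEM parsing.
    [System.IO.File]::WriteAllText($certPath, $cert.Value + "`n", [System.Text.Encoding]::ASCII)
    [System.IO.File]::WriteAllText($keyPath,  $key.Value  + "`n", [System.Text.Encoding]::ASCII)
    return [pscustomobject]@{ CertPath = $certPath; KeyPath = $keyPath }
}

function Test-ConsoleServerCertificate {
    param(
        [Parameter(Mandatory)] [string] $CertPath,
        [Parameter(Mandatory)] [string] $KeyPath,
        [Parameter(Mandatory)] [string] $ExpectedFqdn   # FQDN entered as CN and DNS SAN in the request
    )
    $x509 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)
    $problems = @()
    if ($x509.NotAfter -lt (Get-Date)) { $problems += "certificate expired on $($x509.NotAfter)" }
    # Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1) is what a TLS client expects of a server cert.
    $eku = $x509.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not ($eku -and ($eku.EnhancedKeyUsages | Where-Object Value -eq '1.3.6.1.5.5.7.3.1'))) {
        $problems += 'missing Server Authentication extended key usage'
    }
    # Subject Alternative Name (OID 2.5.29.17) must carry the host name the Consoles connect to.
    $san = $x509.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not ($san -and $san.Format($false) -match [regex]::Escape($ExpectedFqdn))) {
        $problems += "SAN does not list $ExpectedFqdn"
    }
    # On PowerShell 7.1+ (.NET 5+), CreateFromPemFile throws if the key does not belong to the cert.
    if ([System.Security.Cryptography.X509Certificates.X509Certificate2].GetMethod('CreateFromPemFile')) {
        try { $null = [System.Security.Cryptography.X509Certificates.X509Certificate2]::CreateFromPemFile($CertPath, $KeyPath) }
        catch { $problems += "priv.key does not match cert.pem: $($_.Exception.Message)" }
    }
    return $problems   # an empty array means the pair is ready for the cmserver folder
}

# Usage (paths and host name are placeholders):
$files = Split-PemBundle -BundlePath 'C:\Temp\cert.pem' -OutDir 'C:\Temp\extracted'
Test-ConsoleServerCertificate -CertPath $files.CertPath -KeyPath $files.KeyPath -ExpectedFqdn 'vspace-manager.example.local'
```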

Extracting the certificate and private key files with openssl on Linux

Transfer (with WinSCP or a similar tool) the exported .PFX file to a Linux system and open a shell session there (e.g., connect via SSH with PuTTY or any other SSH client).
If not yet installed, install the openssl toolkit using the distribution-specific package manager (apt, yum, etc.).
Use the following commands to extract the certificate and the private key into the Base64-encoded “cert.pem” and “priv.key” files:
openssl pkcs12 -in /path/to/exported/certificate.pfx -out /path/to/extracted/cert.pem -nokeys

openssl pkcs12 -in /path/to/exported/certificate.pfx -out /path/to/extracted/priv.key -nodes -nocerts

When asked, provide the password which was set when exporting the .PFX file.
Transfer the extracted “cert.pem” and the “priv.key” files back to the vSpace Manager machine.

Configuring the NComputing vSpace Console Server service to use custom certificate

To configure the NComputing vSpace Console Server service to use the custom certificate instead of the built-in one, the extracted certificate and unencrypted private key files need to be copied into the installation folder of the vSpace Console Server service. By default, it is “C:\Program Files\NComputing\vSpace Manager Software\cmserver”. Copy the “cert.pem” and “priv.key” files into the installation folder of the vSpace Console Server. As the “priv.key” file contains an unencrypted private key, appropriate access permissions should be set on it to prevent unauthorized users from reading the file.

To set the file access permissions:
  1. Select the “priv.key” copied to the installation folder of the vSpace Console Server service, right-click it, and click the Properties option to open the priv.key Properties dialog.
  2. On the Security tab, click the Advanced button.
  3. On the Permissions tab of the Advanced Security Settings for priv.key dialog, click the Disable inheritance button.

  4. In the Block inheritance dialog, select the Remove all inherited permissions from this object option.
  5. Click the OK button to apply the changes and to close the Advanced Security Settings for priv.key dialog.
  6. Click Yes to confirm the change and to close the Windows Security warning. After this, no users or groups will have permission to access the “priv.key” file.
  7. In the priv.key Properties dialog, click the Edit… button.
  8. In the Permissions for priv.key dialog, click the Add… button.
  9. In the Select Users or Groups dialog, click the Locations… button. 
  10. In the Locations dialog, select the topmost node representing the local computer (labeled with the computer name) and click the OK button.
  11. In the Enter the object names to select input area of the Select Users or Groups dialog, enter: “system; administrators” (without quotation marks) and click the Check Names button. The entered names should change to “SYSTEM; COMPNAME\Administrators” (where COMPNAME will be set to your vSpace Server name).

  12. Click the OK button to apply the changes and close the dialog. 
  13. For both added principals, grant the Full control permission.

  14. Click the OK button to apply the changes and to close the dialog.
  15. Click the OK button to close the priv.key Properties dialog.
With the above, only the members of the Administrators group and the local System account will have access to the “priv.key” file.
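The scripted equivalent of the fifteen dialog steps above, as an added example that is not part of the NComputing article: it disables inheritance on priv.key, drops the inherited entries, and leaves exactly two Full control entries, for SYSTEM (S-1-5-18) and the local Administrators group (S-1-5-32-544). The installation path is the article's default; the function name is an assumption. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the NComputing article: lock down priv.key so that only
# SYSTEM and local Administrators can read it (same result as the Properties dialog steps).
function Protect-PrivateKeyFile {
    param(
        [string] $Path = 'C:\Program Files\NComputing\vSpace Manager Software\cmserver\priv.key'
    )
    if (-not (Test-Path -Path $Path -PathType Leaf)) { throw "File not found: $Path" }
    $acl = Get-Acl -Path $Path
    # First argument: stop inheriting from the folder; second: do NOT keep the inherited rules
    # ("Disable inheritance" + "Remove all inherited permissions from this object").
    $acl.SetAccessRuleProtection($true, $false)
    # Remove any explicit entries that may already exist on the file.
    foreach ($rule in @($acl.Access)) { $null = $acl.RemoveAccessRule($rule) }
    # Well-known SIDs instead of names avoid problems on localized Windows installations.
    $principals = @(
        (New-Object System.Security.Principal.SecurityIdentifier('S-1-5-18')),      # NT AUTHORITY\SYSTEM
        (New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544'))   # BUILTIN\Administrators
    )
    foreach ($sid in $principals) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($sid, 'FullControl', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
    # Return the effective entries for review: expect exactly two, neither inherited.
    return (Get-Acl -Path $Path).Access | Select-Object IdentityReference, FileSystemRights, IsInherited
}

Protect-PrivateKeyFile
```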

Restarting the NComputing vSpace Console Server service to start using the new certificate

In the Services snap-in (services.msc) of the Microsoft Management Console, restart the NComputing vSpace Console Server service (listed as NC vSpace Console Server), or reboot the vSpace Server running the vSpace Manager, to wrap up the configuration process. If the certificate and private key creation and extraction were performed correctly, the NComputing vSpace Console Server service will present the new certificate to connecting clients after the restart.

To revert to the built-in self-signed SSL certificate, simply remove the “cert.pem” and “priv.key” files from the CMServer.exe installation folder and restart the service or reboot the machine again.
