PCoIP TROUBLESHOOTING STEPS: View Connection Server Client Certificates
This article provides a brief list of troubleshooting steps for common issues; it is not intended to be a comprehensive troubleshooting guide. It covers the following scenarios, followed by detailed troubleshooting steps:
- Problems uploading VCS certificates to PCoIP Zero Clients
- Problems authenticating a PCoIP Zero Client to a View Connection Server
- View Connection Server error
Note: Since PCoIP Zero Clients are secure devices, they have an empty trust store by default. The VCS trusted SSL root certificate must be uploaded to the PCoIP Zero Client. In some cases additional certificates, such as the intermediate and server certificates, may also be required.
Scenario 1:
Problems uploading a trusted root certificate for a VCS server to a PCoIP Zero Client
- Is the certificate a .PEM certificate? Convert to PEM if necessary.
- Is the certificate less than 6 KB? Separate multiple certificates into separate files if needed.
- If you have a GoDaddy root certificate, use firmware 4.0.1 or newer.
How to convert an SSL certificate to PEM format?
Scenario 2:
Problems authenticating a PCoIP Zero Client to a View Connection Server
- Has the trusted root certificate for the VCS been uploaded to the zero client? Check the certificate chain presented by the VCS to identify the root.
- Confirm the certificate is a root certificate - the Issuer and Subject will match.
- Ensure that you are NOT using the PCoIP Root CA - this certificate cannot be used for View Connection Server or IEEE 802.1x authentication.
- If you have uploaded the correct trusted SSL root certificate for the VCS and connections are still not successful, then you may need to upload the root certificate and all intermediate certificates in the VCS trust chain.
- Does the VCS certificate have the Server Authentication Extended Key Usage included? This is required per VMware documentation. Firmware 4.0.1 and newer will only check for a Server Authentication if the Extended Key Usage is defined.
- The browser shows a different certificate chain than what is presented by the VCS. Identify the root certificate presented by the VCS and then find that root in the browser certificate store.
- The VCS trusted root certificate must not contain the private key.
- The VCS may not be presenting the entire certificate chain (i.e., a check of the certificate chain does not show a root certificate). Try using a different certificate check utility to determine the name of the root certificate.
- Set the VCS Certificate Check mode to 'Allow' via the MC or AWI. Note this will allow insecure connections from the zero client to VCS, but the VCS connection address will show as HTTP: for both secure and insecure connections.
- If NTP has never been set, the time validity check is bypassed. If NTP has been configured but no time is available, the VCS certificate check may fail if the time is more than the 1-week grace period beyond the cached time from the last time the NTP server was accessed.
- If you have a certificate that expires after the year 2099 then use firmware 4.0.2 or newer.
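The file-level checks from Scenarios 1 and 2 (PEM encoding, one certificate per file, under 6 KB, no private key) can be run before uploading. This is an added example, not Teradici or VMware code; `preflight`, `fake_block` and the sample bundle are hypothetical names and constructed data, and "6 KB" is assumed to mean 6144 bytes.

```python
import base64
import re

MAX_BYTES = 6 * 1024  # assumption: the article's "6 KB" read as 6144 bytes
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

def preflight(data: bytes):
    """Return (findings, certs): problems found, and one PEM string per certificate."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return ["not PEM: binary data (possibly DER), convert to PEM"], []
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        return ["not PEM: no BEGIN/END block found"], []
    findings, certs = [], []
    for label, body in blocks:
        if "PRIVATE KEY" in label:
            findings.append(f"contains a {label} block: remove the private key")
        elif label == "CERTIFICATE":
            try:
                base64.b64decode("".join(body.split()), validate=True)
            except ValueError:
                findings.append("CERTIFICATE block is not valid base64")
                continue
            certs.append(f"-----BEGIN CERTIFICATE-----\n{body.strip()}\n"
                         "-----END CERTIFICATE-----\n")
    if len(certs) > 1:
        findings.append(f"{len(certs)} certificates in one file: split into separate files")
    for i, pem in enumerate(certs, 1):
        if len(pem.encode()) >= MAX_BYTES:
            findings.append(f"certificate {i} is {len(pem)} bytes, not under 6 KB")
    return findings, certs

def fake_block(label: str, payload: bytes) -> str:
    """Build a PEM-shaped block from placeholder bytes (not a real certificate)."""
    b64 = base64.encodebytes(payload).decode().strip()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

# Constructed sample: two placeholder certificates and a private key in one file.
SAMPLE_BUNDLE = (fake_block("CERTIFICATE", b"root" * 40)
                 + fake_block("CERTIFICATE", b"intermediate" * 40)
                 + fake_block("PRIVATE KEY", b"key" * 40)).encode()

if __name__ == "__main__":
    for finding in preflight(SAMPLE_BUNDLE)[0]:
        print(finding)
```

The check is structural only: it does not parse the certificate, so the Issuer/Subject match and the Extended Key Usage still need to be confirmed with a certificate viewer.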
Scenario 3:
View Connection Server communication error
- Check that the View Connection Port is not set
- In the PCoIP Zero Client Administrative Web Interface go to Configuration > Session > View Connection Server (or View mode variant) and select the Show Advanced settings to confirm that the Port used is left blank (and not set to 80). By default the port used will be 443 for the required SSL connection check with firmware 4.0.0 and View 5.1 or newer.
Detailed troubleshooting
If the certificate verification fails, review the PCoIP Zero Client logs and search for MGMT_VDMCSI to see why the PCoIP Zero Client does not trust the VCS.
Possible reasons the VCS is not trusted:
05/29/2012, 14:41:37> LVL:2 RC: 0 MGMT_VDMCSI :Trusted result: FAILED
- Self-signed certificate: the PCoIP Zero Client trust store does not contain a copy of the server's certificate or the copy in the trust store includes the private key.
- CA-signed certificate: the PCoIP Zero Client trust store does not contain the right root certificate, or the root certificate contains the private key.
- The enterprise CA environment requires that the complete trust chain from the VCS is uploaded to the PCoIP Zero Client (root and all intermediate certificates).
05/29/2012, 14:41:37> LVL:2 RC: 0 MGMT_VDMCSI :Validity result: FAILED
- This test fails when the certificate's Not Valid Before Date is in the future, or its Not Valid After Date is in the past, based on the PCoIP Zero Client NTP time (if NTP is not set, this test is skipped).
- If a PCoIP Zero Client with NTP configured was moved to a network without NTP, the client will use the cached time for this test (and might fail). Reset to factory defaults on the client to clear the cached time.
05/29/2012, 14:41:37> LVL:2 RC: 0 MGMT_VDMCSI :Hostname result: FAILED
- The certificate's subject or Subject Alternative Name fields do not include the VCS address that the PCoIP Zero Client is using.
05/29/2012, 14:41:37> LVL:2 RC: 0 MGMT_VDMCSI :Key usage result: FAILED
- Check that the certificate has the Server Authentication Extended Key Usage included.
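To work through a longer log, the MGMT_VDMCSI result lines can be pulled out and grouped by timestamp with the cause listed above for each failed check. This is an added example, not part of the original article; `triage` is a hypothetical name, the sample log is constructed, and the `PASSED` line is an assumed placeholder for any non-FAILED result.

```python
import re

# Line shape taken from the article's samples, e.g.
# 05/29/2012, 14:41:37> LVL:2 RC: 0 MGMT_VDMCSI :Trusted result: FAILED
LINE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}, \d{2}:\d{2}:\d{2})>\s*LVL:\d+\s+RC:\s*-?\d+\s+"
    r"MGMT_VDMCSI\s*:\s*(?P<check>[A-Za-z ]+?) result:\s*(?P<result>\w+)\s*$")

# Causes condensed from the article's notes under each failed result.
CAUSES = {
    "Trusted": "trust store lacks the right root/chain, or a stored copy has a private key",
    "Validity": "certificate dates fall outside the client's NTP (or cached) time",
    "Hostname": "Subject / Subject Alternative Name lacks the VCS address in use",
    "Key usage": "check for the Server Authentication Extended Key Usage",
}

def triage(log_text: str) -> dict:
    """Group FAILED MGMT_VDMCSI checks by timestamp: {ts: [(check, cause), ...]}."""
    attempts = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m["result"] != "FAILED":
            continue
        entry = (m["check"], CAUSES.get(m["check"], "check not covered by the article"))
        # Repeated lines for the same check and timestamp are reported once.
        if entry not in attempts.setdefault(m["ts"], []):
            attempts[m["ts"]].append(entry)
    return attempts

# Constructed sample log in the article's line format (not captured from a device).
SAMPLE_LOG = """\
05/29/2012, 14:41:37> LVL:2 RC: 0 MGMT_VDMCSI :Trusted result: FAILED
05/29/2012, 14:41:37> LVL:2 RC: 0 MGMT_VDMCSI :Validity result: PASSED
05/29/2012, 14:41:37> LVL:2 RC: 0 MGMT_VDMCSI :Hostname result: FAILED
05/29/2012, 14:52:10> LVL:2 RC: 0 MGMT_VDMCSI :Key usage result: FAILED
05/29/2012, 14:52:10> LVL:2 RC: 0 MGMT_VDMCSI :Key usage result: FAILED
"""

if __name__ == "__main__":
    for ts, failures in triage(SAMPLE_LOG).items():
        for check, cause in failures:
            print(f"{ts}  {check}: {cause}")
```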