Certificate management for PCoIP Zero Clients and PCoIP Remote Workstation Cards
This article provides a high level overview of certificate management for PCoIP Zero Clients and PCoIP Remote Workstation Cards (also known as PCoIP host cards).
Note: PCoIP Zero Clients and PCoIP Remote Workstation Cards are highly secure devices and by default they do not contain any trust store entries other than the base HP Anyware PCoIP root CA certificates.
- PCoIP Root CA
- PCoIP Suite B Root CA
These certificates can't be removed and the private keys are not distributed so they can't be used for View Connection Server or IEEE 802.1x authentication.
Five of the most common certificate management scenarios in a PCoIP protocol deployment are:
- Installing the PCoIP root CA certificate in browsers used to manage PCoIP devices.
- Secure firmware upload that is encrypted using 128-bit AES GCM and signed using the pre-installed PCoIP Root CA.
- Installing a trusted SSL root certificate of the signing CA in the PCoIP Zero Clients for server authentication.
- Installing IEEE 802.1x certificates in PCoIP Zero Clients or PCoIP Remote Workstation Cards for network authentication.
- Installing a trusted certificate in the PCoIP Zero Client for PCoIP Management Console 2.x and 3.x validation.
Installing certificates on PCoIP Zero Client and PCoIP Remote Workstation Cards devices:
You can upload certificates to PCoIP Zero Clients and PCoIP Remote Workstation Cards for connection verification, such as PCoIP Management Console 2.x and 3.x validation, Cloud Access Software, View Connection Server (VCS) authentication and IEEE 802.1x network authentication.
Up to 16 certificates of up to 10KB each can be uploaded to each PCoIP device (fewer if certificates are larger than 6KB); however, only one certificate can be used for IEEE 802.1x network authentication.
Note that in VMware View 5.1 the default VCS certificate check mode is 'Warn', and VMware Ready client certification requires that clients enforce the View certificate check, which is supported in firmware 4.0.0. Migrating to View 5.1 and firmware 4.0.0 may therefore result in a warning, a red "HTTPS:" in the VCS address, or a blocked connection, depending on the View certificate check mode selected and the certificate check results.
How do I avoid the red "HTTPS" in the server address in the Connection Dialog on a PCoIP Zero Client?
1. Obtain the certificate per your organization's requirements.
- Self-signed certificates
- Enterprise implemented certificate authority
- Trusted 3rd party certificate authority
Certificate Examples
- View Connection Server trusted root certificate
- IEEE 802.1x network authentication certificates
Important: Ensure that you select the correct root certificate in the certificate chain presented by the VCS server. It is possible for browsers to show a different certificate chain than what was presented by the VCS. For more information on selecting the correct root certificate, see How to obtain the correct current certificate to upload to the PCoIP Zero Client certificate store in VMware Horizon View environments.
2. Make sure that the certificate is properly formatted.
- Certificates must be in PEM format and smaller than 10KB, with a total storage limit of 96KB
- View Connection Server certificate:
  - Per VMware's instructions, the certificate must include the Server Authentication Extended Key Usage
- IEEE 802.1x Network Authentication:
  - Requires two certificates: a client certificate and the server CA root certificate
  - The 802.1x client certificate must also include an RSA private key
  - The 802.1x server CA root certificate
3. Convert to PEM certificate (if required).
How to convert an SSL certificate to PEM format?
How do I get a PEM certificate from Windows for IEEE 802.1x Network Authentication?
Note: ensure that an RSA private key is included in the PEM file for the IEEE 802.1x client certificate.
4. Upload PEM certificate to zero client.
How do I upload certificates to PCoIP Zero Clients and PCoIP Remote Workstation Cards?
5. Configure Network Authentication (this step is for IEEE 802.1x Network Authentication only).
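As an added example (not code from Teradici/HP or from this article), the following Python pre-upload check applies the formatting rules from step 2 before a file is pushed to a zero client in step 4: PEM encoding, the 10KB per-file and 96KB/16-certificate store limits, the Server Authentication Extended Key Usage for a VCS root certificate, and an RSA private key alongside an 802.1x client certificate. The sample PEM blocks at the bottom are constructed blobs, not real certificates, and the OID byte scan is a quick sanity check rather than a full X.509 parse.

```python
import base64
import re

# Limits from the article: each PEM file under 10KB, 96KB / 16 certificates per device.
MAX_CERT_BYTES, MAX_STORE_BYTES, MAX_CERT_COUNT = 10 * 1024, 96 * 1024, 16
# DER-encoded OIDs scanned for: id-ce-extKeyUsage (2.5.29.37), id-kp-serverAuth
# (1.3.6.1.5.5.7.3.1), rsaEncryption (1.2.840.113549.1.1.1). A byte scan is a quick
# pre-check, not an ASN.1 parse; confirm with `openssl x509 -text -noout` before upload.
OID_EXT_KEY_USAGE = bytes.fromhex("0603551d25")
OID_SERVER_AUTH = bytes.fromhex("06082b06010505070301")
OID_RSA = bytes.fromhex("06092a864886f70d010101")
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

def parse_pem(text):
    """Return (label, der_bytes) for every PEM block in the text."""
    return [(label, base64.b64decode("".join(body.split())))
            for label, body in PEM_BLOCK.findall(text)]

def wrap_pem(label, der):  # wraps DER bytes as a PEM block; used for the samples below
    return f"-----BEGIN {label}-----\n{base64.encodebytes(der).decode()}-----END {label}-----\n"

def check_certificate(pem_text, purpose):
    """purpose: 'vcs' (View Connection Server root CA) or '8021x-client'. Returns problems found."""
    problems = []
    if len(pem_text.encode()) >= MAX_CERT_BYTES:
        problems.append("file must be smaller than 10KB")
    blocks = parse_pem(pem_text)
    certs = [der for label, der in blocks if label == "CERTIFICATE"]
    keys = [(label, der) for label, der in blocks if label.endswith("PRIVATE KEY")]
    if not certs:
        problems.append("no PEM CERTIFICATE block found; convert DER/PFX to PEM first")
    if purpose == "vcs" and not any(
            OID_EXT_KEY_USAGE in der and OID_SERVER_AUTH in der for der in certs):
        problems.append("Server Authentication Extended Key Usage not found")
    if purpose == "8021x-client":
        if not keys:
            problems.append("802.1x client certificate needs its private key in the PEM file")
        elif not any(label == "RSA PRIVATE KEY" or OID_RSA in der for label, der in keys):
            problems.append("802.1x client private key must be RSA")
    return problems

def check_store_capacity(pem_files):
    """True if the set of PEM files fits the device certificate store."""
    total = sum(len(p.encode()) for p in pem_files)
    return len(pem_files) <= MAX_CERT_COUNT and total <= MAX_STORE_BYTES

# Constructed samples: not real certificates, only DER-like blobs carrying the OIDs
# so the checks can be exercised offline. An EC key is used to show the RSA check firing.
SAMPLE_VCS_ROOT = wrap_pem("CERTIFICATE", b"\x30\x0f" + OID_EXT_KEY_USAGE + OID_SERVER_AUTH)
SAMPLE_8021X_EC = (wrap_pem("CERTIFICATE", b"\x30\x03\x02\x01\x02")
                   + wrap_pem("EC PRIVATE KEY", b"\x30\x03\x02\x01\x01"))
```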