Certificate error after migrating Windows CA

After a colleague of mine migrated a Windows 2008 CA server to a new Windows 2012 R2 server, the Connection Servers in the Horizon View Administrator Dashboard went to state red. The status showed "Connection Server certificate is not trusted" and the SSL Certificate entry showed "Server's certificate cannot be checked". The certificate of each Connection Server worked fine after the migration; only the state in the dashboard was red.

The source of the problem is the Certificate Revocation List (CRL) referenced in the existing certificates. Because the previously used CA server no longer hosted the CA, the CRL could not be retrieved using the link in the certificate, which points to this non-existing CA.
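To confirm this cause on a Connection Server, the following PowerShell sketch lists the CRL URLs embedded in each machine certificate and runs an online revocation check against them. It is an added example, not part of the original post or of any VMware tooling, and it assumes the Connection Server certificate is in the LocalMachine\My store.

```powershell
# Added diagnostic example (not from the original post).
# Assumption: the Connection Server certificate is in the LocalMachine\My store.
$cdpOid = '2.5.29.31'   # X.509 "CRL Distribution Points" extension

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # Pull the CRL URLs out of the decoded extension text (lines like "URL=http://...")
    $ext  = $cert.Extensions | Where-Object { $_.Oid.Value -eq $cdpOid }
    $urls = @()
    if ($ext) {
        $urls = [regex]::Matches($ext.Format($true), 'URL=(\S+)') |
                ForEach-Object { $_.Groups[1].Value }
    }

    # Build the chain with online revocation checking for the end certificate only
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode      = 'Online'
    $chain.ChainPolicy.RevocationFlag      = 'EndCertificateOnly'
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
    $null = $chain.Build($cert)

    # RevocationStatusUnknown / OfflineRevocation mean the CRL could not be retrieved
    $status = @($chain.ChainStatus | ForEach-Object { $_.Status })
    $crlUnreachable = @($status -match 'RevocationStatusUnknown|OfflineRevocation').Count -gt 0

    [pscustomobject]@{
        Subject        = $cert.Subject
        Thumbprint     = $cert.Thumbprint
        NotAfter       = $cert.NotAfter
        CrlUnreachable = $crlUnreachable
        ChainStatus    = ($status -join ', ')
        CdpUrls        = ($urls -join "`n")
    }
    $chain.Reset()
} | Format-List
```

Windows caches downloaded CRLs, so a certificate can still report a clean status until the cached CRL expires.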

As far as I found out, there are two options to solve the problem:

  • Re-create the Connection Server certificate(s) using the new CA server.
  • Create the registry key CertificateRevocationCheckType (string) on the Connection Servers (take care that there is no blank at the end!) in HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware VDM\Security. More information about this key can be found here. In short: the CRL is not checked any more, which also means a revoked certificate would no longer be rejected.

The first option works without restarting anything. With option two, you have to restart the Connection Server service.

The behavior when solving this issue is a little bit odd, though. When you solve the issue on just one Connection Server to check whether it works, nothing changes: all servers stay red. You have to solve the issue on every Connection Server, and then all states turn green at once. Good to know: you can solve the issue on different servers using different options, as long as the issue is solved on all servers.
