When you receive updated server SSL certificates or intermediate certificates, you import the certificates into a new keystore file and update the locked.properties file on each View Connection Server or security server host to use the new keystore file.

Typically, server certificates expire after 12 months. Root and intermediate certificates expire after 5 or 10 years.

When you import certificates into a keystore file, the keytool command creates the keystore if the specified file does not exist.

The new keystore file must have a different name from the existing keystore file. VMware recommends that you include the expiry date in the file name. For example: keys_20141231.jks.

You must specify a Java keystore file if you import intermediate certificates. If you do not use intermediate certificates, you can specify a PKCS#12 or PFX file instead of a Java keystore (jks) file.

For more information about creating a keystore file and importing server and intermediate certificates into it, see the VMware View Installation document.

Obtain updated server and intermediate certificates from the CA before the currently valid certificates expire.

1. If you use intermediate certificates, import the most recent update to the intermediate certificates into a new keystore file in the same directory as the existing keystore file.

   For example: keytool -importcert -keystore keys_20141231.jks -storepass secret -trustcacerts -alias intermediateCA -file intermediateCA.cer

2. Import the most recent update to the server certificate into the new keystore file.

   For example: keytool -importcert -keystore keys_20141231.jks -storepass secret -keyalg "RSA" -trustcacerts -file certificate.p7

3. Edit the keyfile and keypass properties in the locked.properties file on the View Connection Server or security server host.

   a. Set the keyfile property to the name of the new keystore file. For example: keyfile=keys_20141231.jks

   b. If the password for the keystore file has changed, set the keypass property to the new password. For example: keypass=NEW_PASS
4. Verify that the storetype property in the locked.properties file matches the type of the keystore file.

   Option                 Description
   PKCS#12 or PFX file    Set the value of storetype to pkcs12.
   Java keystore file     Set the value of storetype to jks.

   For example: storetype=jks

   You must specify the storetype property for a Java keystore file.

5. Restart the View Connection Server service or Security Server service to make your changes take effect.
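A pre-restart check for steps 3 and 4, as an added example that is not VMware's code: it reads locked.properties, confirms that the keyfile exists, compares storetype with the file's leading bytes, and flags a date in the file name that has already passed. The function names are hypothetical, and the script assumes that locked.properties and the keystore sit in the same directory and that the file name carries the expiry date as YYYYMMDD.

```python
import re
from datetime import datetime
from pathlib import Path

JKS_MAGIC = bytes.fromhex("feedfeed")  # first four bytes of a JKS file

def parse_properties(text):
    """Parse key=value lines, skipping blank lines and # or ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def detect_storetype(path):
    """Guess the keystore type from the leading bytes (a heuristic)."""
    head = Path(path).read_bytes()[:4]
    if head == JKS_MAGIC:
        return "jks"
    if head[:1] == b"\x30":  # DER SEQUENCE tag that opens a PKCS#12/PFX file
        return "pkcs12"
    return None

def check_config(conf_dir, today):
    """Return a list of problems with locked.properties in conf_dir."""
    conf_dir = Path(conf_dir)  # assumption: keystore is in this directory too
    props = parse_properties((conf_dir / "locked.properties").read_text())
    keyfile = props.get("keyfile")
    if not keyfile or not (conf_dir / keyfile).is_file():
        return [f"keyfile {keyfile!r} is unset or not found"]
    problems = []
    actual = detect_storetype(conf_dir / keyfile)
    declared = props.get("storetype")
    if actual is None:
        problems.append(f"{keyfile} is neither JKS nor PKCS#12")
    elif declared is None and actual == "jks":
        problems.append("storetype must be set for a Java keystore")
    elif declared is not None and declared.lower() != actual:
        problems.append(f"storetype={declared} but {keyfile} is {actual}")
    m = re.search(r"\d{8}", keyfile)  # expiry date embedded in the file name
    if m:
        try:
            if datetime.strptime(m.group(), "%Y%m%d").date() < today:
                problems.append(f"date in {keyfile} has passed")
        except ValueError:
            pass  # eight digits that are not a calendar date
    return problems
```

Call check_config(conf_dir, date.today()) on each host before restarting the service; an empty list means the checks passed. It does not open the keystore, so it cannot confirm the keypass value or the validity dates of the certificates themselves.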