This post was going to be part of my post on how to build an App-V demo lab in Workstation. However, as it is a bit long, I decided to split it into its own separate post.
Now, in my demo environment I needed to use secure channels for App-V traffic. The main reason for this is that in the real world, if you want to allow secure communication in an Internet-facing scenario, an HTTPS/RTSPS deployment is an absolute security requirement.
Now let me first say that I am not a certificate guru! So please do not shoot the messenger; there will be better ways to set this up in the real world, but I wanted to show a step-by-step method for getting this set up in the test environment.
So let's begin:
Go into Server Manager and right-click on Roles > Add Role.
In the “Before You Begin” section, click Next. You can check the “skip the page by default” box, which will prevent this page from loading the next time you wish to install a new role.
In the Select Server Roles section, tick “Active Directory Certificate Services” and click Next.
The next screen is just an introduction, so click Next.
You might ask why we need to add Certificate Authority Web Enrolment; this is so we have a web page for certificate requests if needed. So select “Certificate Authority Web Enrolment”.
When the pop-up appears, click Add Required Server Role.
On the “Setup Type” page I selected the Enterprise option and clicked Next.
As this is the first and in fact only CA in the environment, select Root CA and then click Next.
In the “Private Key” section, select “create a new private key” and then click Next.
Now in the “Configure Cryptography for CA” section, just set up some basics as shown below.
Next, set the common name for your CA and click Next. Note that this is the certificate for the CA itself.
Next, choose the certificate validity period; for my test environment I set a 5-year certificate. Click Next.
I left the “Certificate Database” as default, then clicked Next.
On the “Introduction to IIS” page (note: this is just configuring some additions to IIS for certificate requests), click Next.
In the Role Services section, click Next.
Finally, review the configuration changes and click Install.
Right, off you go and grab a cup of tea or coffee while the installation takes place. Once it completes, click Close.
Now, remember that it was mentioned earlier that we would not use the original certificate that we created for the Root CA.
What we need to do now is issue a new certificate for the management server. This is done from the IIS 7 Management Console. To do this, open the IIS 7 Management Console via Administrative Tools.
In IIS 7, select your server in the left-hand pane.
Now in the right-hand pane you should see a section called “Server Certificates”. Selecting this takes you into the Server Certificates pane.
In this area we want to create a new certificate request, so click Create Certificate Request on the right-hand side, or right-click in the right pane and select Create Certificate Request.
Now, in the details of my certificate, I am going to set the following:
Common Name: stream.PVM.internal (This is the DNS name which the clients are pointed to)
Organisation Details: This will depend on your details :o)
Once this is set up, click Next. In the Online Certificate Authority section, browse and search for your CA (this is what we set up earlier in this post!) and then click Finish!
Once that is done you should be able to see your certificate in the right-hand pane!
OK, that's the initial setup for the certificates! However, we are going to have to come back to this after the installation of the management server to re-ACL the certificate that we have created for the management server.
One last piece!
We have created a certificate for PVM-App-V.PVM.internal; you will also have to add an alias or CNAME in your DNS forward lookup zone for stream.appv.internal for this to work correctly. So go into DNS and make this one small addition. If you use a CNAME for stream.appv.internal, just point it back to your management server machine or the virtual IP address of your NLB cluster.
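As an added example (not from the original post), the PowerShell below creates the DNS alias and then checks that the name clients will use actually matches the certificate issued to the management server, which is the usual cause of TLS failures after this kind of setup. It assumes the DnsServer module (Windows Server 2012 or later, or RSAT), that it runs as an administrator on the management server where IIS placed the certificate in the LocalMachine\My store, and it uses the names from this post: zone PVM.internal, alias stream, host PVM-App-V.PVM.internal.

```powershell
# Added example, not part of the original post. Assumed names taken from the post.
$Zone       = 'PVM.internal'
$Alias      = 'stream'
$ClientFqdn = "$Alias.$Zone"             # the DNS name the App-V clients are pointed at
$TargetHost = 'PVM-App-V.PVM.internal'   # the management server itself

# 1) Create the alias if it is missing. A CNAME can only point at a host name;
#    if clients must reach an NLB virtual IP instead, an A record is needed
#    (second, commented form, with a placeholder address).
if (-not (Get-DnsServerResourceRecord -ZoneName $Zone -Name $Alias -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordCName -ZoneName $Zone -Name $Alias -HostNameAlias $TargetHost
    # Add-DnsServerResourceRecordA -ZoneName $Zone -Name $Alias -IPv4Address '192.0.2.10'  # NLB VIP placeholder
}

# 2) Confirm the name resolves before pointing any App-V settings at it.
$resolved = Resolve-DnsName -Name $ClientFqdn -ErrorAction Stop
"$ClientFqdn resolves to: $(($resolved | Where-Object { $_.Type -eq 'A' }).IPAddress -join ', ')"

# 3) Find the certificate issued for the client-facing name and check it is usable.
#    The subject CN must equal the name clients connect to, or every TLS session fails.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$ClientFqdn*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with CN=$ClientFqdn in LocalMachine\My; the CN must match the DNS alias." }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $($cert.Thumbprint) has expired." }
if (-not $cert.HasPrivateKey) { throw "Certificate $($cert.Thumbprint) has no private key; re-issue it from IIS." }
"Using certificate $($cert.Thumbprint), issued by $($cert.Issuer), valid until $($cert.NotAfter)"

# 4) The post notes the certificate must be re-ACLed after the management server
#    is installed. List who can currently read the private key file so that step
#    can be verified; the key file lives under MachineKeys for CSP (legacy RSA) keys.
$rsa = $cert.PrivateKey
if ($rsa -and $rsa.CspKeyContainerInfo) {
    $keyDir  = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
    $keyPath = Join-Path $keyDir $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    (Get-Acl $keyPath).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType |
        Format-Table -AutoSize
} else {
    'Private key is not a CSP key or is not readable from this session; check its ACL via certlm.msc.'
}
```

Run it once after the CNAME is added and again after the management server install to confirm the re-ACL step actually granted the App-V service account read access to the key.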