Securing your Horizon Unified Access Gateway (UAG) with a certificate from a publicly trusted certificate authority is an important step. It lets your users verify that they are connecting to your VDI infrastructure rather than an impostor, and it protects the traffic between their endpoint and the remote desktop.
However, commercial SSL certificates are not cheap, and replacing them every year or two is an administrative burden that is easy to forget until something expires.
In this post, I will show you how to leverage Let’s Encrypt to provide free SSL certificates, and how the renewal and replacement process can be automated.
Let’s Encrypt is a not-for-profit certificate authority that issues free SSL certificates valid for ninety days. A certificate can be renewed at any point during that period; the usual practice, and the default in most ACME clients including Posh-ACME, is to renew about thirty days before expiry so that a failed renewal leaves time to fix the problem before users notice.
The aim of the service is to remove the complexity and management overhead of acquiring and installing SSL certificates on servers. To do this it uses the Automated Certificate Management Environment (ACME) protocol, in which the client proves control of the domain automatically. The two common challenge types are HTTP-01, where the client serves a token from /.well-known/acme-challenge/ on the web server, and DNS-01, where it creates a TXT record at _acme-challenge.<hostname> in the domain’s DNS zone. A UAG is an appliance and will not serve arbitrary files from its Internet interface, so DNS-01 is the practical choice here, which means the ACME client needs API access to the DNS provider. ACME clients ship plugins for well-known DNS providers such as Amazon Web Services Route 53, which is what I will be using in this post.
What we’ll need:
- PowerShell ACME Client (Posh-ACME) by Ryan Bolger
- A supported DNS provider and an API credential for it (in this case I’ll be using Route 53 from Amazon Web Services)
- A PowerShell script to tie issuance, renewal and the UAG upload together
To let Posh-ACME update Route 53, we need an IAM user with an access key ID and secret access key, restricted by a policy that allows only the DNS changes the ACME challenge requires.
Log in to the AWS Console and navigate to Route 53. In the following screenshot you can see I have two hosted zones:
Click on Hosted Zones and make a note of your Hosted Zone ID(s):
Navigate to IAM and select Users, then click Add User. Give the user a name, select Programmatic access and then click Next.
Under Set Permissions, click Attach Existing Policies Directly, then click Create Policy. A new window will open. Click the JSON tab and paste in the following:
Remember to replace YOURHOSTEDZONEID with the actual ID of your zone(s). The policy should permit record changes only in those zones, not in every zone in the account, so that a leaked key cannot be used to repoint unrelated names.
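A least-privilege policy of the kind this step calls for, as an added example (this is not the post’s own JSON). The permission list is my reading of what the Posh-ACME Route 53 plugin needs: list hosted zones, read records and change records. The Condition block is an optional tightening that uses Route 53 condition keys AWS added in 2022 to limit the user to TXT records named _acme-challenge.*; if your environment rejects those keys, drop the Condition and keep the zone-scoped Resource. YOURHOSTEDZONEID is a placeholder.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadZonesForChallengeLookup",
      "Effect": "Allow",
      "Action": [
        "route53:ListHostedZones",
        "route53:GetHostedZone",
        "route53:ListResourceRecordSets",
        "route53:GetChange"
      ],
      "Resource": "*"
    },
    {
      "Sid": "WriteAcmeChallengeRecordsOnly",
      "Effect": "Allow",
      "Action": "route53:ChangeResourceRecordSets",
      "Resource": "arn:aws:route53:::hostedzone/YOURHOSTEDZONEID",
      "Condition": {
        "ForAllValues:StringEquals": {
          "route53:ChangeResourceRecordSetsRecordTypes": ["TXT"]
        },
        "ForAllValues:StringLike": {
          "route53:ChangeResourceRecordSetsNormalizedRecordNames": ["_acme-challenge.*"]
        }
      }
    }
  ]
}
```

ListHostedZones has to be granted on "*" because Route 53 does not support a narrower resource for it; the write statement is where the real restriction lives. Add one Resource ARN per hosted zone if the UAG hostname and its CNAME targets live in different zones.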
Click Review Policy, and then give it a name:
Click Create Policy.
Switch back to the original IAM window and click the refresh icon. Filter the policies to find the one you just created and check to select it, then click Next.
Click Next again, followed by Create User. The success screen will appear:
Make a note of the Access Key ID and the Secret Access Key, as you will need these later on. The secret is displayed only once, so store both values in a password manager or secrets vault; they will be handed to Posh-ACME once, which keeps them in its profile, and they should never be pasted into a script in clear text.
Replacing the Certificates
The last step in the process is our script. It takes two parameters. The first is the external (public) hostname of your UAG(s). This hostname often points to a load-balanced address backed by more than one UAG, which is why one certificate is issued for the shared name and then uploaded to every appliance behind it.
The second parameter is the list of UAGs to upload the certificate to. The certificate is applied only to the Internet interface; the admin interface (on port 9443) is configured separately and commonly uses a different certificate issued by an internal CA, so the script leaves it alone.
Don’t forget to replace the following variables:
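As an added example (this is not the post’s own script), here is how I would write that automation with Posh-ACME 4.x: issue or renew the certificate for the public hostname via the Route 53 DNS-01 plugin, push it to the Internet interface of each UAG over the admin REST API, and then confirm what each appliance actually serves. Assumptions that are mine rather than the post’s: PowerShell 7; the UAG REST call PUT https://<uag>:9443/rest/v1/config/certs/ssl with a JSON body of privateKeyPem and certChainPem and HTTP Basic authentication, as documented for the UAG admin API (verify the path and field names against your UAG version); that the admin interface’s certificate chains to a CA your machine already trusts (import the internal CA rather than disabling validation if it does not); and that the admin hostname also answers on 443 for the served-certificate check (point it at the Internet-facing address in a multi-NIC deployment). All hostnames, parameter names and credentials are placeholders.

```powershell
#Requires -Version 7
<#
  Added example, not the post's script. Assumes Posh-ACME 4.x, PowerShell 7,
  and the UAG REST endpoint described in the lead-in above.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string]       $PublicHostname,  # e.g. uag.example.com (shared, load-balanced name)
    [Parameter(Mandatory)] [string[]]     $UagAdminHosts,   # e.g. uag01.corp.example.com, uag02.corp.example.com
    [Parameter(Mandatory)] [pscredential] $UagAdminCred,    # UAG admin account, e.g. from Get-Credential
    [Parameter(Mandatory)] [string]       $R53AccessKey,    # IAM access key ID created in the steps above
    [Parameter(Mandatory)] [securestring] $R53SecretKey,    # IAM secret, e.g. Import-Clixml of a DPAPI-protected file
    [string] $Contact = 'admin@example.com',                # Let's Encrypt sends expiry notices here
    [switch] $Staging,                                      # use LE_STAGE while testing: production has strict rate limits
    [switch] $Force                                         # renew even if not yet inside the renewal window
)

Import-Module Posh-ACME -ErrorAction Stop
Set-PAServer $(if ($Staging) { 'LE_STAGE' } else { 'LE_PROD' })

# Arguments for the Route53 plugin. Posh-ACME persists these in its profile,
# so later Submit-Renewal runs need no credentials on the command line.
$pluginArgs = @{ R53AccessKey = $R53AccessKey; R53SecretKey = $R53SecretKey }

$cert = Get-PACertificate -MainDomain $PublicHostname -ErrorAction SilentlyContinue
if (-not $cert) {
    # First run: create the ACME account (accepting the ToS), answer the
    # DNS-01 challenge through Route 53 and download the certificate.
    $cert = New-PACertificate -Domain $PublicHostname -Plugin Route53 `
                              -PluginArgs $pluginArgs -AcceptTOS -Contact $Contact
} else {
    # Later runs (e.g. a daily scheduled task): Submit-Renewal only acts once the
    # order is inside its renewal window (by default the last 30 of the 90 days)
    # and returns nothing otherwise, so the UAGs are left untouched.
    $cert = Submit-Renewal -MainDomain $PublicHostname -Force:$Force
    if (-not $cert) { Write-Host "$PublicHostname is not due for renewal yet."; return }
}
Write-Host ("Certificate {0} expires {1:u}" -f $cert.Thumbprint, $cert.NotAfter)

# UAG wants the private key and the full chain (leaf plus intermediates) in PEM.
# Uploading only the leaf leaves clients unable to build a path to a trusted root.
$body = @{
    privateKeyPem = Get-Content -Raw -Path $cert.KeyFile
    certChainPem  = Get-Content -Raw -Path $cert.FullChainFile
} | ConvertTo-Json

$pair    = '{0}:{1}' -f $UagAdminCred.UserName, $UagAdminCred.GetNetworkCredential().Password
$headers = @{ Authorization = 'Basic ' + [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($pair)) }

# Read the certificate a host presents on 443 for the public name (sent as SNI)
# so we can confirm the swap took effect. Validation is deliberately disabled in
# this helper only: we want to see what was served, not trust it.
function Get-ServedThumbprint([string]$TargetHost, [string]$ServerName) {
    $tcp = [Net.Sockets.TcpClient]::new($TargetHost, 443)
    try {
        $ssl = [Net.Security.SslStream]::new($tcp.GetStream(), $false,
                   [Net.Security.RemoteCertificateValidationCallback]{ $true })
        $ssl.AuthenticateAsClient($ServerName)
        return [Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate).Thumbprint
    } finally { $tcp.Dispose() }
}

foreach ($uag in $UagAdminHosts) {
    $uri = "https://${uag}:9443/rest/v1/config/certs/ssl"   # Internet interface only; admin cert is a separate object
    try {
        Invoke-RestMethod -Method Put -Uri $uri -Headers $headers -ContentType 'application/json' `
                          -Body $body -ErrorAction Stop | Out-Null
        Start-Sleep -Seconds 5   # give the appliance a moment to reload its listener
        $served = Get-ServedThumbprint -TargetHost $uag -ServerName $PublicHostname
        if ($served -eq $cert.Thumbprint) {
            Write-Host "$uag now serves $served"
        } else {
            Write-Warning "$uag still serves $served (expected $($cert.Thumbprint)); check the UAG admin UI"
        }
    } catch {
        Write-Error "Failed to update ${uag}: $_"
    }
}
```

Run it once interactively with -Staging to prove the Route 53 policy and the UAG credentials work, then once against production, and finally schedule it daily under a dedicated service account; only the renewal branch runs on those later invocations. The thumbprint comparison is the part worth keeping even if you simplify the rest: a successful PUT tells you the appliance accepted the upload, not that the listener is serving the new chain.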
I hope this was useful. Please reach out on Twitter (virtualhobbit) if you have any issues, or more importantly if you can improve the process/script!