Highlighted
robertellis3
1 Nickel

WYSE P20 Certificate Installation Error

WYSE P20 Certificate Installation Error

Hi
We are using WYSE P20 clients in a View 4.6 environment. We are wanting to upgrade to the latest version of VIEW and as a prerequisite, get root certificates working on the WYSE P20.

We are using VIEW within our internal network space only, so the best option for us is to install on to the P20s the root certificate generated by our MS Windows Domain Controller.

We have exported the certificated as both a DER- and/or Base64-encoded .CER file, renamed that file with a .PEM extention and tried to re-apply the Policy to the P20's, but cannot make this work.

The error message we are seeing is as follows:

02/23/2013, 13:17:18> LVL:1 RC:-501 X509_UTIL   validate_pem_cert): Certificate length is not divisible by 4! [len = 1]
02/23/2013, 13:17:18> LVL:1 RC:-501 X509_UTIL   tera_x509_util_is_valid): PEM certificate is invalid!
02/23/2013, 13:17:18> LVL:2 RC: 0 GSOAP :SOAP 1.2 fault: SOAP-ENV:Sender [no subcode]
02/23/2013, 13:17:18> LVL:2 RC: 0 GSOAP :"rootCertificate is invalid!" Detail: [no detail]
02/23/2013, 13:17:18> LVL:0 RC: 12 MGMT_CMI :Error serving SOAP request!

Unfortunately this is a *major* issue for us because it is actively preventing us from upgrading VIEW. If we cannot resolve the issue, we will have no choice other than to dump the P20's altogether and find alternative hardware.

Can anyone advise as to whether there is a working solution for getting "self-signed" (i.e. non-Public) Root certificates working on these devices?

Any advice gratefully received

thx

Robert

Tags (3)
0 Kudos
7 Replies
robertellis3
1 Nickel

RE: WYSE P20 Certificate Installation Error

If anyone has thoughts or can help with this I'd be very grateful. Anyone ??

Tags (1)
0 Kudos
robertellis3
1 Nickel

RE: WYSE P20 Certificate Installation Error

In order to try to troubleshoot this issue, we have:

* Export (from a standard XP Workstation) a VERISign Public Root Certificate in X509 DER format, and tried to apply it to a test P20 unit;
* Export (from a standard XP Workstation) a VERISign Public Root Certificate in X509 Base64 format, and tried to apply it to a test P20 unit;
* Export (from a standard XP Workstation) a VERISign Public Root Certificate in X509 DER format, converted to UTF8 encoding, and tried to apply it to a test P20 unit;
* Export (from a standard XP Workstation) a VERISign Public Root Certificate in X509 Base64 format, converted to UTF8 encoding, and tried to apply it to a test P20 unit.

In all cases, we receive the same error as for using the Root Certificate generated by our Win CA.

So, we are moving toward the conclusion that this is less a problem specific to our Certificate and more of a problem with the P20 units. There is clearly a fundamental flaw if the devices will not successfully upload genuine, public root certificates as issued by the likes VeriSign.

More to follow...

Tags (1)
0 Kudos
robertellis3
1 Nickel

RE: WYSE P20 Certificate Installation Error

Once you upgrade the firmware on your devices to FW 4.0.2, you get an additional option to upload a Certificate through the Web Interface Of the actual device (rather than uploading a certificate to a policy on the management device and then deploying it)

If using the Web Interface of the individual device, the following certificates WILL upload successfully when exported from an XP workstation:

VeriSign Root Certificate X509 Base64
VeriSign Root Certificate X509 Base64 UTF-8

Anything in DER-format will NOT upload.

More to follow...

Tags (3)
0 Kudos
robertellis3
1 Nickel

RE: WYSE P20 Certificate Installation Error

Once you upgrade the firmware on your devices to FW 4.0.2, you get an additional option to upload a Certificate through the Web Interface Of the actual device (rather than uploading a certificate to a policy on the management device and then deploying it)

**A Certificate issued by a Win CA will also upload successfully if exported in Base64 format, provided you upload it on each P20 device individually using the Web Interface **

Tags (2)
0 Kudos
robertellis3
1 Nickel

RE: WYSE P20 Certificate Installation Error

Resolution

If you encounter the error detailed in my OP, here is the resolution

1) Install 4.0.2 Teradici firmware on all your P20's.
2) Install a new PcOIP Management Console. I believe this error is due to some kind of corruption in the Management Console. Scrapping the existing MC and starting over resolved the Issue.

Good luck.

Tags (2)
0 Kudos
forbsy
1 Nickel

RE: WYSE P20 Certificate Installation Error

Quote Originally Posted by robertellis3 View Post

If you encounter the error detailed in my OP, here is the resolution

1) Install 4.0.2 Teradici firmware on all your P20's.
2) Install a new PcOIP Management Console. I believe this error is due to some kind of corruption in the Management Console. Scrapping the existing MC and starting over resolved the Issue.

Good luck.

Hi. I've installed the latest Teradici firmware 4.1.X and uploaded the trusted certificate via the Administrative Web Interface (AWI). I still get the following error:

Failed to connect. The server provided a certificate that is invalid. See below for details: The supplied certificate is not rooted in the device's local certificate store.

It doesn't seem that using the AWI correctly uploads the trusted cert to the device certificate store. I've downloaded and installed the PCoIP Management Console, but don't understand how to use it to properly discover my devices and subsequently upload the cert to the certificate store. Would you be able to supply instructions?

Thanks

Tags (2)
0 Kudos

RE: WYSE P20 Certificate Installation Error

I did get through this issue with robertellis3's solution. To add some details here's what I did.

-On my View Connection Server I went into Internet Explorer -Content - Certificates and exported the following certificates in Base64
Intermediate Cert Authorities certificate from my internal CA
Trusted Root Certification Authorities from my internal CA

-I then renamed the certs with a .PEM extension and uploaded them both to the individual P20 through its own internal web mgmt console.

Just out of curiosity I uploaded the Intermediate cert first and tried to connect and HTTPS was still red and crossed out. I then uploaded the Trusted Root cert and HTTPS is now in green and not x'd out. Thanks much robert!

Tags (2)
0 Kudos