Self-signed Certificate Creation for the PVS Soap Service
When configuring PVS for streaming Linux desktops, the Linux target devices must be linked to the PVS Soap server via an SSL connection. The CA cert must be present on both the PVS server and the target device. In the PVS Configuration Wizard for 7.12, a new prompt was added to choose the proper certificate from the PVSSoap container, specifically for Linux desktops.
Current documentation states that in order to configure this, the Windows SDK must be installed on the PVS server. The sole purpose of the SDK installation is to make makecert.exe available. Installing an SDK for this purpose is unnecessary and may introduce security vulnerabilities. Furthermore, makecert is now deprecated and has been replaced by the PowerShell cmdlet New-SelfSignedCertificate.
Using the following PowerShell command, it is now possible to create the self-signed certificate without installing the SDK or using makecert.exe:
New-SelfSignedCertificate -Type SSLServerAuthentication -Container PVSSoap -Subject "CN=PVS-01.fqdn" -CertStoreLocation "Cert:\LocalMachine\My" -KeyExportPolicy Exportable
The generated certificate is untrusted and should be imported into the Trusted Root Certification Authorities store.
Once the certificate has been generated with the PowerShell command, the certificate prompt in the PVS Configuration Wizard will be populated with the appropriate certificate. To choose the certificate, click on it, ensure that it is highlighted in blue, and continue through the wizard.
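The whole procedure can be scripted as below. This is an added example, not part of the original article or of Citrix documentation: it creates the certificate with the same parameters, imports only the public certificate into the Trusted Root store, and writes a copy for the Linux target device. The output folder, file names and the PEM format for the target device are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example. $Fqdn matches the subject used above; $OutDir is a hypothetical working folder.
$Fqdn   = 'PVS-01.fqdn'
$OutDir = 'C:\Temp'

# 1. Create the certificate in the PVSSoap key container (same parameters as the command above).
$cert = New-SelfSignedCertificate -Type SSLServerAuthentication -Container PVSSoap `
    -Subject "CN=$Fqdn" -CertStoreLocation 'Cert:\LocalMachine\My' -KeyExportPolicy Exportable

# 2. Export the public certificate only (DER-encoded .cer).
#    The private key is marked exportable, but it never needs to leave the PVS server:
#    trust is established with the public part alone, so no PFX is produced here.
$cerPath = Join-Path $OutDir "$Fqdn.cer"
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

# 3. Import the public certificate into Trusted Root Certification Authorities.
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 4. Verify: the certificate is in the Root store, and that copy carries no private key.
$trusted = Get-ChildItem 'Cert:\LocalMachine\Root' |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $trusted) {
    throw "Certificate $($cert.Thumbprint) was not found in LocalMachine\Root."
}
if ($trusted.HasPrivateKey) {
    throw 'The Root store copy has a private key attached; re-import from the .cer file.'
}

# 5. Write a Base64 (PEM) copy for the Linux target device.
#    Assumption: the target device accepts a PEM-encoded certificate file.
$b64 = [Convert]::ToBase64String($cert.RawData, 'InsertLineBreaks')
$pem = "-----BEGIN CERTIFICATE-----`r`n$b64`r`n-----END CERTIFICATE-----`r`n"
$pemPath = Join-Path $OutDir "$Fqdn.pem"
Set-Content -Path $pemPath -Value $pem -Encoding Ascii -NoNewline

# Summary for the change record.
[pscustomobject]@{
    Subject    = $cert.Subject
    Thumbprint = $cert.Thumbprint
    NotAfter   = $cert.NotAfter
    CerFile    = $cerPath
    PemFile    = $pemPath
}
```

The NotAfter value in the summary shows when the certificate expires, which is the date by which it has to be regenerated and redistributed to the target devices.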