Horizon Installation – Replace SSL Certificate

A default TLS server certificate is generated when you install Connection Server instances. You can use the default certificate for testing purposes.

Certificates used for communication between Connection Servers, and between Horizon Agents and Connection Server instances, are replaced by an automatic mechanism and cannot be replaced manually.

Horizon Connection Server

By default, when you install Connection Server, the installation generates a self-signed certificate for the server. However, the installation uses an existing certificate in the following cases:

  • If a valid certificate with a Friendly name of vdm already exists in the Windows Certificate Store
  • If you upgrade to VMware Horizon from an earlier release, and a valid Keystore file is configured on the Windows Server computer, the installation extracts the keys and certificates and imports them into the Windows Certificate Store.

Before you add vCenter Server to VMware Horizon in a production environment, make sure that vCenter Server uses certificates that are signed by a CA.

Replace the Self-Signed Certificate

To obtain a signed certificate from a Windows Domain or Enterprise CA, you can use the Windows Certificate Enrollment wizard in the Windows Certificate Store.

Step 01. Determine the Fully Qualified Domain Name (FQDN) that client devices use to connect to the host.

Step 02. Verify that you have the appropriate credentials to request a certificate that can be issued to a computer or service.

Step 03. In the MMC window on the Windows Server, select File > Add/Remove Snap-in > Certificates for the Local Computer.

Step 04. In the MMC, expand the Certificates (local computer) node, right-click the Personal folder, and select All Tasks > Request New Certificate. Click Next.

Step 05. Select a Certificate Enrollment Policy.

Step 06. Select the types of certificates that you want to request, then select Properties. In the Private Key tab, under the Key Option menu, select Make private key exportable. Click OK, then click Enroll.

Step 07. Click Finish.

Step 08. The newly signed certificate is added to the Personal > Certificates folder in the Windows Certificate Store.

Step 09. Now, right-click the previous (self-signed) certificate and select Properties.

Step 10. In the General tab, change the Friendly name to any name other than vdm, for example vmd-old. Click OK.

Step 11. Now, right-click the new certificate and select Properties.

Step 12. In the General tab, modify the Friendly name to vdm and click OK.

Step 13. Restart the VMware Horizon Connection Server service to make your changes take effect.
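
Steps 09 to 13 can also be scripted. The PowerShell below is an added example, not part of the original article or VMware's documentation; it checks the new certificate before renaming anything, so a certificate that is expired, self-signed, missing its private key, or issued for the wrong name never becomes vdm. The FQDN and thumbprint are placeholders, and the service display-name pattern is an assumption based on the service name given in Step 13.

```powershell
#Requires -RunAsAdministrator
# Added example. Placeholder values below are assumptions, not values from the article.
$Fqdn          = 'horizon.example.com'        # placeholder: FQDN determined in Step 01
$NewThumbprint = '<THUMBPRINT-OF-NEW-CERT>'   # placeholder: thumbprint of the CA-signed certificate
$OldName       = 'vmd-old'                    # any Friendly name other than vdm (Step 10)
$Store         = 'Cert:\LocalMachine\My'      # Personal store of the local computer

$new = Get-ChildItem -Path $Store | Where-Object Thumbprint -eq $NewThumbprint
if (-not $new) { throw "Certificate $NewThumbprint not found in $Store" }

# Pre-flight checks on the new certificate before any Friendly name is changed.
$now = Get-Date
if (-not $new.HasPrivateKey) { throw 'New certificate has no private key in this store.' }
if ($new.Subject -eq $new.Issuer) { throw 'New certificate is self-signed (Subject equals Issuer).' }
if ($now -lt $new.NotBefore -or $now -gt $new.NotAfter) {
    throw "New certificate is not valid today (valid $($new.NotBefore) to $($new.NotAfter))."
}
# DnsNameList is filled from the SAN DNS names (or the subject when there is no SAN);
# -like lets a wildcard entry such as *.example.com match the FQDN.
$covers = $new.DnsNameList.Unicode | Where-Object { $Fqdn -like $_ }
if (-not $covers) { throw "New certificate does not list $Fqdn." }

# Steps 09-10: move every other certificate off the vdm Friendly name.
Get-ChildItem -Path $Store |
    Where-Object { $_.FriendlyName -eq 'vdm' -and $_.Thumbprint -ne $NewThumbprint } |
    ForEach-Object { $_.FriendlyName = $OldName }

# Steps 11-12: give the new certificate the vdm Friendly name.
$new.FriendlyName = 'vdm'

# Confirm that the new certificate is the only one named vdm.
$vdm = @(Get-ChildItem -Path $Store | Where-Object FriendlyName -eq 'vdm')
if ($vdm.Count -ne 1 -or $vdm[0].Thumbprint -ne $new.Thumbprint) {
    throw "Expected only the new certificate to be named vdm; found $($vdm.Count)."
}

# Step 13: restart the Connection Server service (display-name pattern is an assumption).
$svc = Get-Service -DisplayName 'VMware Horizon*Connection Server'
if (-not $svc) { throw 'Connection Server service not found; check the display name.' }
$svc | Restart-Service
```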