If you do not already have a certificate authority set up, you must add the Active Directory Certificate Services (AD CS) role to a Windows server and configure the server to be an enterprise CA.

If you do already have an enterprise CA set up, verify that you are using the settings described in this procedure.

You must have at least one enterprise CA, and VMware recommends that you have two for purposes of failover and load balancing. The enrollment server you will create for True SSO communicates with the enterprise CA. If you configure the enrollment server to use multiple enterprise CAs, the enrollment server will alternate between the CAs available. If you install the enrollment server on the same machine that hosts the enterprise CA, you can configure the enrollment server to prefer using the local CA. This configuration is recommended for best performance.

Part of this procedure involves enabling non-persistent certificate processing. By default, certificate processing includes storing a record of each certificate request and issued certificate in the CA database. A sustained high volume of requests increases the CA database growth rate and could consume all available disk space if not monitored. Enabling non-persistent certificate processing can help reduce the CA database growth rate and frequency of database management tasks.


  • Create a Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2016, or Windows Server 2019 virtual machine.
  • Verify that the virtual machine is part of the Active Directory domain for the Horizon 7 deployment.
  • Verify that you are using an IPv4 environment. This feature is currently not supported in an IPv6 environment.
  • Verify that the system has a static IP address.


  1. Log in to the virtual machine operating system as an administrator and start Server Manager.
  2. Select the settings for adding roles.
    Operating System Selections
    • Windows Server 2012 R2
    • Windows Server 2016
    • Windows Server 2019
    1. Select Add roles and features.
    2. On the Select Installation Type page, select Role-based or feature-based installation.
    3. On the Select Destination Server page, select a server.
    Windows Server 2008 R2
    1. Select Roles in the navigation tree.
    2. Click Add Roles to start the Add Role wizard.
  3. On the Select Server Roles page, select Active Directory Certificate Services.
  4. In the Add Roles and Features wizard, click Add Features, and leave the Include management tools check box selected.
  5. On the Select Features page, accept the defaults.
  6. On the Select Role Services page, select Certification Authority.
  7. Follow the prompts and finish the installation.
  8. When installation is complete, on the Installation Progress page, click the Configure Active Directory Certificate Services on destination server link to open the AD CS Configuration wizard.
  9. On the Credentials page, click Next and complete the AD CS Configuration wizard pages as described in the following table.
    Option Action
    Role Services Select Certification Authority, and click Next (rather than Configure).
    Setup Type Select Enterprise CA.
    CA Type Select Root CA or Subordinate CA. Some enterprises prefer two-tier PKI deployment. For more information, see http://social.technet.microsoft.com/wiki/contents/articles/15037.ad-cs-step-by-step-guide-two-tier-pki-hierarchy-deployment.aspx.
    Private Key Select Create a new private key.
    Cryptography for CA For hash algorithm, you can select SHA1, SHA256, SHA384, or SHA512. For key length, you can select 1024, 2048, 3072, or 4096.

    VMware recommends a minimum of SHA256 and a 2048 key.

    CA Name Accept the default or change the name.
    Validity Period Accept the default of 5 years.
    Certificate Database Accept the defaults.
  10. On the Confirmation page, click Configure, and when the wizard reports a successful configuration, close the wizard.
  11. Open a command prompt and enter the following command to configure the CA for non-persistent certificate processing:
  12. Enter the following command to ignore offline CRL (certificate revocation list) errors on the CA:
    certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE
    This flag is required because the root certificate that True SSO uses will usually be offline, and thus revocation checking will fail, which is expected.
  13. Enter the following commands to restart the service:
    sc stop certsvc
    sc start certsvc

What to do next

Create a certificate template. See Create Certificate Templates Used with True SSO.