To obtain a signed certificate from a Windows Domain or Enterprise CA, you can use the Windows Certificate Enrollment wizard in the Windows Certificate Store.

This method of requesting a certificate is appropriate if communications between computers remain within your internal domain. For example, obtaining a signed certificate from a Windows Domain CA might be appropriate for server-to-server communications.

If your clients connect to Horizon 7 servers from an external network, request TLS server certificates that are signed by a trusted, third-party CA.


  • Determine the fully qualified domain name (FQDN) that client devices use to connect to the host.

    To comply with VMware security recommendations, use the FQDN, not a simple server name or IP address, even for communications within your internal domain.

  • Verify that the Certificate snap-in was added to MMC. See Add the Certificate Snap-In to MMC.
  • Verify that you have the appropriate credentials to request a certificate that can be issued to a computer or service.


  1. In the MMC window on the Windows Server host, expand the Certificates (local computer) node and select the Personal folder.
  2. From the Action menu, go to All Tasks > Request New Certificate to display the Certificate Enrollment wizard.
  3. Select a Certificate Enrollment Policy.
  4. Select the types of certificates that you want to request, select the Make private key exportable option, and click Enroll.
  5. Click Finish.


The new signed certificate is added to the Personal > Certificates folder in the Windows Certificate Store.

What to do next

  • Verify that the server certificate and certificate chain were imported into the Windows Certificate Store.
  • For a Connection Server instance or security server, modify the certificate friendly name to vdm. See Modify the Certificate Friendly Name.
  • For a View Composer server, bind the new certificate to the port that used by View Composer. See TLS.