The Microsoft certreq utility uses a configuration file to generate a CSR. You must create a configuration file before you can generate the request. Create the file and generate the CSR on the Windows Server computer that hosts the Horizon 7 server that will use the certificate.

Prerequisites

Gather the information that you need to fill out the configuration file. You must know the FQDN of the Horizon 7 server and the organizational unit, organization, city, state, and country to complete the Subject name.

Procedure

  1. Open a text editor and paste the following text, including the beginning and ending tags, into the file.
    ;----------------- request.inf -----------------

    [Version]
    Signature="$Windows NT$"

    [NewRequest]
    Subject = "CN=View_Server_FQDN, OU=Organizational_Unit, O=Organization, L=City, S=State, C=Country"
    ; Replace View_Server_FQDN with the FQDN of the Horizon 7 server.
    ; Replace the remaining Subject attributes.
    KeySpec = 1
    KeyLength = 2048
    ; KeyLength is usually chosen from 2048, 3072, or 4096. A KeyLength
    ; of 1024 is also supported, but it is not recommended.
    HashAlgorithm = SHA256
    ; Algorithms earlier than SHA-2 are insufficiently secure and are not recommended.
    Exportable = TRUE
    MachineKeySet = TRUE
    SMIME = False
    PrivateKeyArchive = FALSE
    UserProtected = FALSE
    UseExistingKeySet = FALSE
    ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
    ProviderType = 12
    RequestType = PKCS10
    KeyUsage = 0xa0

    [EnhancedKeyUsageExtension]
    OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication

    ;-----------------------------------------------
    
    If an extra CR/LF character is added to the Subject = line when you copy and paste the text, delete the CR/LF character.
  2. Update the Subject attributes with appropriate values for your Horizon 7 server and deployment.
    For example: CN=dept.company.com
    To comply with VMware security recommendations, use the fully qualified domain name (FQDN) that client devices use to connect to the host. Do not use a simple server name or IP address, even for communications within your internal domain.

    Some CAs do not allow you to use abbreviations for the state attribute.

  3. (Optional) Update the KeyLength attribute.
    The default value, 2048, is adequate unless you specifically need a different KeyLength size. Many CAs require a minimum value of 2048. Larger key sizes are more secure but have a greater impact on performance.

    A KeyLength of 1024 is also supported, although the National Institute of Standards and Technology (NIST) recommends against keys of this size because computers continue to become more powerful and can potentially crack stronger encryption.

    Important: Do not generate a KeyLength value under 1024. Horizon Client for Windows will not validate a certificate on a Horizon 7 server that was generated with a KeyLength under 1024, and the Horizon Client devices will fail to connect to Horizon 7. Certificate validations that are performed by Connection Server will also fail, resulting in the affected Horizon 7 servers showing as red in the Horizon Administrator dashboard.
  4. Save the file as request.inf.
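
A pre-flight check for the saved file, as an added PowerShell example that is not part of the original VMware procedure: it reads request.inf and reports the problems that steps 1 through 3 warn about (a Subject line split by a stray CR/LF, a CN that is an IP address or simple server name, a short KeyLength, a hash algorithm earlier than SHA-2). The function name Test-RequestInf and the sample file contents are assumptions constructed for illustration.

```powershell
# Added example: lint request.inf against this page's guidance before running certreq.
# Test-RequestInf is a hypothetical helper name, not part of certreq or Horizon 7.
function Test-RequestInf {
    param([Parameter(Mandatory)][string]$Path)
    $problems = New-Object System.Collections.Generic.List[string]
    $values = @{}
    # Collect "Key = Value" pairs; skip blank lines, ';' comments and [Section] headers.
    foreach ($line in Get-Content -LiteralPath $Path) {
        $text = $line.Trim()
        if ($text -match '^(;|\[|$)') { continue }
        if ($text -match '^(?<key>\w+)\s*=\s*(?<value>.*)$') {
            $values[$Matches['key']] = $Matches['value'].Trim()
        }
    }
    # Step 1: the Subject value must be one quoted string on one line (no stray CR/LF).
    $subject = [string]$values['Subject']
    if ($subject -notmatch '^"[^"]+"$') {
        $problems.Add('Subject is missing or split across lines; delete the extra CR/LF.')
    }
    # Step 2: CN must be the FQDN clients connect to, not an IP address or simple name.
    $ip = $null
    if ($subject -match 'CN=(?<cn>[^,"]+)') {
        $cn = $Matches['cn'].Trim()
        if ([System.Net.IPAddress]::TryParse($cn, [ref]$ip)) {
            $problems.Add("CN '$cn' is an IP address; use the FQDN.")
        } elseif ($cn -notmatch '\.') {
            $problems.Add("CN '$cn' is not fully qualified; use the FQDN.")
        }
    } else { $problems.Add('Subject has no CN attribute.') }
    # Step 3: under 1024 breaks validation; 1024 is supported but not recommended.
    $len = 0
    [void][int]::TryParse([string]$values['KeyLength'], [ref]$len)
    if ($len -lt 1024) { $problems.Add("KeyLength $len is under 1024; clients will fail to connect.") }
    if ($len -ge 1024 -and $len -lt 2048) { $problems.Add("KeyLength $len is below the 2048 default.") }
    # Hash algorithms earlier than SHA-2 are not recommended.
    $hash = ([string]$values['HashAlgorithm'] -split ';')[0].Trim()
    if ($hash -notin 'SHA256', 'SHA384', 'SHA512') { $problems.Add("HashAlgorithm '$hash' is not SHA-2.") }
    return $problems
}

# Constructed sample input (not a real server): simple-name CN, 1024-bit key, SHA1.
$sample = Join-Path $env:TEMP 'request-sample.inf'
@'
[NewRequest]
Subject = "CN=viewserver, OU=IT, O=Example Corp, L=City, S=State, C=US"
KeyLength = 1024
HashAlgorithm = SHA1
'@ | Set-Content -LiteralPath $sample
Test-RequestInf -Path $sample
```

An empty result means none of the checked settings conflicts with the guidance above; point `-Path` at your own request.inf before generating the CSR.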

What to do next

Generate a CSR from the configuration file.