The Microsoft certreq utility uses a configuration file to generate a CSR. You must create a configuration file before you can generate the request. Create the file and generate the CSR on the Windows Server computer that hosts the Horizon 7 server that will use the certificate.
Gather the information that you need to fill out the configuration file. You must know the FQDN of the Horizon 7 server and the organizational unit, organization, city, state, and country to complete the Subject name.
- Open a text editor and paste the following text, including the beginning and ending tags, into the file.
;----------------- request.inf ----------------- [Version] Signature="$Windows NT$" [NewRequest] Subject = "CN=View_Server_FQDN, OU=Organizational_Unit, O=Organization, L=City, S=State, C=Country" ; Replace View_Server_FQDN with the FQDN of the Horizon 7 server. ; Replace the remaining Subject attributes. KeySpec = 1 KeyLength = 2048 ; KeyLength is usually chosen from 2048, 3072, or 4096. A KeyLength ; of 1024 is also supported, but it is not recommended. HashAlgorithm = SHA256 ; Algorithms earlier than SHA-2 are insufficiently secure and are not recommended. Exportable = TRUE MachineKeySet = TRUE SMIME = False PrivateKeyArchive = FALSE UserProtected = FALSE UseExistingKeySet = FALSE ProviderName = "Microsoft RSA SChannel Cryptographic Provider" ProviderType = 12 RequestType = PKCS10 KeyUsage = 0xa0 [EnhancedKeyUsageExtension] OID=22.214.171.124.126.96.36.199.1 ; this is for Server Authentication ;-----------------------------------------------
If an extra CR/LF character is added to the Subject = line when you copy and paste the text, delete the CR/LF character.
- Update the Subject attributes with appropriate values for your Horizon 7 server and deployment.
For example: CN=dept.company.com
To comply with VMware security recommendations, use the fully qualified domain name (FQDN) that client devices use to connect to the host. Do not use a simple server name or IP address, even for communications within your internal domain.
Some CAs do not allow you to use abbreviations for the state attribute.
- (Optional) Update the Keylength attribute.
The default value, 2048, is adequate unless you specifically need a different KeyLength size. Many CAs require a minimum value of 2048. Larger key sizes are more secure but have a greater impact on performance.
A KeyLength of 1024 is also supported, although the National Institute of Standards and Technology (NIST) recommends against keys of this size, as computers continue to become more powerful and can potentially crack stronger encryption.Important:
Do not generate a KeyLength value under 1024. Horizon Client for Windows will not validate a certificate on a Horizon 7 server that was generated with a KeyLength under 1024, and the Horizon Client devices will fail to connect to Horizon 7. Certificate validations that are performed by Connection Server will also fail, resulting in the affected Horizon 7 servers showing as red in the Horizon Administrator dashboard.
- Save the file as request.inf.
What to do next
Generate a CSR from the configuration file.