If your organization does not provide you with a TLS server certificate, you must request a new certificate that is signed by a CA.

You can use several methods to obtain a new signed certificate. For example, you can use the Microsoft certreq utility to generate a Certificate Signing Request (CSR) and submit a certificate request to a CA.

See the Scenarios for Setting Up TLS Certificates for Horizon document for an example that shows you how to use certreq to accomplish this task.

For testing purposes, you can obtain a free temporary certificate based on an untrusted root from many CAs.

Important: You must follow certain rules and guidelines when you obtain signed TLS certificates from a CA.
  • When you generate a certificate request on a computer, make sure that a private key is also generated. When you obtain the TLS server certificate and import it into the Windows local computer certificate store, there must be an accompanying private key that corresponds to the certificate.
  • To comply with VMware security recommendations, use the fully qualified domain name (FQDN) that client devices use to connect to the host. Do not use a simple server name or IP address, even for communications within your internal domain.
  • Do not generate certificates for servers using a KeyLength value under 1024. Client endpoints will not validate a certificate on a server that was generated with a KeyLength under 1024, and the clients will fail to connect to the server. Certificate validations that are performed by Connection Server will also fail, resulting in the affected servers showing as red in the Horizon Console dashboard.
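
The following is an added example, not taken from the VMware or Microsoft documentation: a certreq request that follows the three rules above (key pair generated on the requesting computer, FQDN as the subject, sufficient KeyLength), followed by a check of the installed certificate. The host name horizon.example.com, the file names, the 2048-bit KeyLength, and the remaining INF settings are assumptions chosen for illustration.

```powershell
# Added example. Constructed values: horizon.example.com, file names, KeyLength 2048.
# Run in an elevated Windows PowerShell session (MachineKey needs administrator rights).
$fqdn    = 'horizon.example.com'      # FQDN that client devices connect to
$workDir = Join-Path $env:TEMP 'tls-csr'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# certreq policy file; single-quoted here-string keeps "$Windows NT$" literal.
$template = @'
[Version]
Signature = "$Windows NT$"
[NewRequest]
Subject = "CN=__FQDN__"
KeyLength = 2048
KeySpec = 1
MachineKey = TRUE
RequestType = PKCS10
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=__FQDN__&"
'@
$template.Replace('__FQDN__', $fqdn) | Set-Content "$workDir\request.inf" -Encoding ASCII

# Creates the key pair in the local computer store and writes the CSR for the CA.
certreq -new "$workDir\request.inf" "$workDir\request.csr"

# After the CA returns the certificate (assumed saved as signed.cer), accept it on
# the same computer so that it is paired with the private key generated above.
$signed = "$workDir\signed.cer"
if (Test-Path $signed) { certreq -accept $signed }

# Report how each matching certificate in the store measures against the rules.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.DnsNameList.Unicode -contains $fqdn } |
    ForEach-Object {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($_)
        [pscustomobject]@{
            Thumbprint    = $_.Thumbprint
            Subject       = $_.Subject
            HasPrivateKey = $_.HasPrivateKey
            KeyLength     = $rsa.KeySize
            KeyLengthOk   = $rsa.KeySize -ge 1024
        }
    }
```

A row with HasPrivateKey set to False means the certificate was imported on a computer other than the one that generated the request, or the request's key pair was removed before the certificate was accepted.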

For general information about obtaining certificates, consult the Microsoft online help available with the Certificate Snap-in to MMC. If the Certificate Snap-in is not yet installed on your computer, see Add the Certificate Snap-In to MMC.