To complete the pairing process, you use the MMC Certificates snap-in to import the Enrollment Service Client certificate into the enrollment server. You must perform this procedure on every enrollment server.
- Verify that you have a enrollment server. See Install and Set Up an Enrollment Server.
- Verify that you have the correct certificate to import. You can use either your own certificate or the automatically generated, self-signed Enrollment Service Client certificate from one Connection Server in the cluster, as described in Export the Enrollment Service Client Certificate.
Important: To use your own certificates for pairing, place the preferred certificate (and the associated private key) in the custom container ( VMware Horizon Certificates\Certificates) in the Windows Certificate Store on the Connection Server machine. You must then set the friendly name of the certificate to vdm.ec.new, and restart the server. The other servers in the cluster will fetch this certificate from LDAP. You can then perform the steps in this procedure.
If you have your own client certificate, the certificate that you must copy to the enrollment server is the root certificate used to generate the client certificate.
- Copy the appropriate certificate file to the enrollment server machine.
To use the automatically generated certificate, copy the Enrollment Service Client certificate from the Connection Server. To use your own certificate, copy the root certificate that was used to generate the client certificate.
- On the enrollment server, add the Certificates snap-in to MMC:
- Open the MMC console and select
- Under Available snap-ins, select Certificates and click Add.
- In the Certificates snap-in window, select Computer account, click Next, and click Finish.
- In the Add or Remove Snap-in window, click OK.
- In the MMC console, in the left pane, right-click the VMware Horizon Enrollment Server Trusted Roots folder and select .
- In the Certificate Import wizard, follow the prompts to browse to and open the EnrollClient certificate file.
- Follow the prompts and accept the defaults to finish importing the certificate.
- Right-click the imported certificate and add a friendly name such as vdm.ec (for Enrollment Client certificate).
VMware recommends you use a friendly name that identifies the Horizon cluster, but you can use any name that helps you easily identify the client certificate.
What to do next
Configure the SAML authenticator used for delegating authentication to VMware Workspace ONE Access. See Configure SAML Authentication to Work with True SSO.