If you obtained a certificate and its private key in PEM or another format, you must convert it to PKCS#12 (PFX) format before you can import the certificate into a Windows certificate store on a Horizon server. PKCS#12 (PFX) format is required if you use the Certificate Import wizard in the Windows certificate store.

You might obtain certificate files in one of these ways:

  • You obtain a certificate keystore file from a CA.
  • You download a certificate and its private key from an intermediate server that is set up in your Horizon deployment.
  • Your organization provides you with certificate files.

Certificate files come in various formats. For example, PEM format is often used in a Linux environment. Your files might have a certificate file, key file, and CSR file with the following extensions: 

server.crt
server.csr
server.key

The CRT file contains the SSL certificate that was returned by the CA. The CSR file is the original certificate signing request file and is not needed. The KEY file contains the private key.

Prerequisites

  • Verify that OpenSSL is installed on the system. You can download openssl from http://www.openssl.org.
  • Verify that the root certificate of the SSL certificate that was returned by the CA is also available on the system.

Procedure

  1. Copy the CRT and KEY files to the OpenSSL installation directory.
    For example: cd c:\OpenSSL-Win32\bin
  2. Open a Windows command prompt and, if necessary, navigate to the OpenSSL installation directory.
  3. Generate a PKCS#12 (PFX) keystore file from the certificate file and your private key.
    For example: openssl pkcs12 -export -out server.p12 -inkey server.key -in server.crt -certfile CACert.crt
    In this example, CACert.crt is the name of the root certificate that was returned by the certificate authority.
    The Windows certificate store also accepts a keystore that is generated with a PFX extension. For example: -out server.pfx
  4. Type an export password to protect the PKCS#12 (PFX) file.