Using the completed configuration file, you can generate a CSR by running the certreq utility. You send the request to a third-party CA, which returns a signed certificate.


  • Verify that you completed a CSR configuration file. See Create a CSR Configuration File.
  • Perform the certreq operation described in this procedure on the computer where the CSR configuration file is located.


  1. Open a command prompt by right-clicking on Command Prompt in the Start menu and selecting Run as administrator.
  2. Navigate to the directory where you saved the request.inf file.
    For example: cd c:\certificates
  3. Generate the CSR file.
    For example: certreq -new request.inf certreq.txt
  4. Use the contents of the CSR file to submit a certificate request to the CA in accordance with the CA's enrollment process.
    1. When you submit the request to a CA, the CA prompts you to select the type of server on which you will install the certificate. Since Horizon uses the Microsoft Certificates MMC to manage certificates, select a certificate for a server type of Microsoft, Microsoft IIS 7, or something similar. The CA should produce a certificate in the format needed to work with Horizon.
    2. If you request a single server name certificate, use a name that Horizon Client devices can resolve into an IP address for this Horizon server. The name that computers use to connect to the Horizon server should match the name associated with the certificate.
    Note: The CA might require that you copy and paste the contents of the CSR file (such as certreq.txt) into a Web form. Using a text editor, you can copy the contents of the CSR file. Be sure to include the beginning and ending tags. For example:
    . . . 
    . . .
    After conducting some checks on your company, the CA creates a server certificate based on the information in the CSR, signs it with its private key, and sends you the certificate.

    The CA also sends you a root CA certificate and, if applicable, an intermediate CA certificate.

  5. Rename the certificate text file to cert.cer.
    Make sure that the file is located on the Horizon server on which the certificate request was generated.
  6. Rename the root CA and intermediate CA certificate files to root.cer and intermediate.cer.
    Make sure that the files are located on the Horizon server on which the certificate request was generated.
    Note: These certificates do not have to be in PKCS#12 (PFX) format when you use the certreq utility to import the certificates into the Windows local computer certificate store. PKCS#12 (PFX) format is required when you use the Certificate Import wizard to import certificates into the Windows certificate store.

What to do next

Verify that the CSR file and its private key were stored in the Windows local computer certificate store.