The Microsoft certreq utility uses a configuration file to generate a CSR. You must create a configuration file before you can generate the request. Create the file and generate the CSR on the Windows Server computer that hosts the Horizon 8 server that will use the certificate.
Prerequisites
Gather the information required to fill out the configuration file. You must know the FQDN of the Horizon 8 server and the organizational unit, organization, city, state, and country to complete the Subject name.
Procedure
- Open a text editor and paste the following text, including the beginning and ending tags, into the file.
;----------------- request.inf -----------------
[Version]
Signature="$Windows NT$"
[NewRequest]
Subject = "CN=View_Server_FQDN, OU=Organizational_Unit, O=Organization, L=City, S=State, C=Country"
; Replace View_Server_FQDN with the FQDN of the Horizon server.
; Replace the remaining Subject attributes.
KeySpec = 1
KeyLength = 2048
; KeyLength is usually chosen from 2048, 3072, or 4096. A KeyLength
; of 1024 is also supported, but it is not recommended.
HashAlgorithm = SHA256
; Algorithms earlier than SHA-2 are insufficiently secure and are not recommended.
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
;-----------------------------------------------
If an extra CR/LF character is added to the Subject = line when you copy and paste the text, delete the CR/LF character.
- Update the Subject attributes with appropriate values for your Horizon 8 server and deployment.
For example:
CN=dept.company.com
To comply with VMware security recommendations, use the fully qualified domain name (FQDN) that client devices use to connect to the host. Do not use a simple server name or IP address, even for communications within your internal domain.
Some CAs do not allow you to use abbreviations for the state attribute.
- (Optional) Update the KeyLength attribute.
The default value, 2048, is adequate unless you specifically need a different KeyLength size. Many CAs require a minimum value of 2048. Larger key sizes are more secure but have a greater impact on performance.
A KeyLength of 1024 is also supported, although the National Institute of Standards and Technology (NIST) recommends against keys of this size, as computers continue to become more powerful and can potentially crack stronger encryption.
Important: Do not generate a KeyLength value under 1024. Horizon Client for Windows will not validate a certificate on a Horizon 8 server that was generated with a KeyLength under 1024, and the Horizon Client devices will fail to connect to Horizon 8. Certificate validations that are performed by Connection Server will also fail, resulting in the affected Horizon 8 servers showing as red in the console dashboard.
- Save the file as request.inf.
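A pre-flight check for the saved file, as an added example that is not part of the VMware documentation: it flags a broken Subject line, leftover template placeholders, a CN that is not an FQDN, a weak KeyLength or HashAlgorithm, and a missing Server Authentication OID. The function name Test-RequestInf and the sample values are assumptions made for illustration.

```powershell
# Added example. Test-RequestInf is a hypothetical helper, not part of certreq or Horizon.
function Test-RequestInf {
    param([Parameter(Mandatory)][string[]]$Lines)
    $findings = @(); $settings = @{}; $ekus = @(); $section = ''
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if ($text -eq '' -or $text.StartsWith(';')) { continue }        # blank line or comment
        if ($text -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($text -notmatch '^([^=\s]+)\s*=\s*(.*)$') {                  # not "key = value"
            $findings += "Stray line, possibly a CR/LF break inside Subject: $text"; continue
        }
        $key = $Matches[1]
        $value = ($Matches[2] -replace '\s*;[^"]*$', '').Trim()         # drop trailing comment
        if ($key -eq 'Subject' -and $value -notmatch '^".*"$') { $findings += 'Subject is not one quoted line; delete the extra CR/LF' }
        if ($section -eq 'EnhancedKeyUsageExtension' -and $key -eq 'OID') { $ekus += $value } else { $settings[$key] = $value.Trim('"') }
    }
    $attrs = @{}                                                        # Subject attributes by name
    foreach ($part in ([string]$settings['Subject'] -split ',')) {
        $name, $val = $part.Trim() -split '=', 2
        $attrs[$name] = "$val".Trim()
    }
    $placeholders = 'View_Server_FQDN', 'Organizational_Unit', 'Organization', 'City', 'State', 'Country'
    foreach ($name in 'CN', 'OU', 'O', 'L', 'S', 'C') {
        if (-not $attrs[$name] -or $attrs[$name] -in $placeholders) {
            $findings += "Subject attribute $name is missing or still a template placeholder"
        }
    }
    $cn = $attrs['CN']; $ip = $null
    if ($cn -and ($cn -notmatch '\.' -or [System.Net.IPAddress]::TryParse($cn, [ref]$ip))) {
        $findings += "CN '$cn' must be the FQDN that clients connect to, not a simple name or IP address"
    }
    # Under 1024 the Horizon Client for Windows will not validate the certificate.
    $len = 0; $null = [int]::TryParse([string]$settings['KeyLength'], [ref]$len)
    if ($len -lt 1024) { $findings += "KeyLength '$($settings['KeyLength'])' is unset or under 1024; use 2048 or larger" }
    elseif ($len -lt 2048) { $findings += "KeyLength $len is supported but not recommended; many CAs require at least 2048" }
    if ([string]$settings['HashAlgorithm'] -notmatch '^SHA(256|384|512)$') { $findings += "HashAlgorithm '$($settings['HashAlgorithm'])' is unset or not SHA-2" }
    if ($ekus -notcontains '1.3.6.1.5.5.7.3.1') { $findings += 'Server Authentication EKU OID is missing' }
    return $findings
}
# Constructed sample with three deliberate problems: IP address as CN, KeyLength 1024, SHA1.
$sample = @'
[NewRequest]
Subject = "CN=10.0.0.5, OU=IT, O=Example Corp, L=Palo Alto, S=California, C=US"
KeyLength = 1024
HashAlgorithm = SHA1
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
'@ -split '\r?\n'
Test-RequestInf -Lines $sample   # for a real file: Test-RequestInf -Lines (Get-Content .\request.inf)
```

An empty result means none of these checks fired; it does not replace the CA's own validation of the request.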
What to do next
Generate a CSR from the configuration file.