At installation Horizon Connection Server generates a self-signed enrollment service client certificate. You can replace this self-signed certificate with a CA-signed certificate.

The enrollment service client certificate is used for securing communication between Connection Server and the enrollment server. If you are replacing this certificate with a CA-signed certificate, the new certificate should be imported to the enrollment server and the Root CA certificate should be added to the Trusted Root Certification Authorities store on the enrollment server. For more information see the "Setting Up True SSO" section in the Horizon 8 Administration document.


  1. Generate a CA-signed certificate meeting the requirements below.
    Note: The root certificate used to generate the client certificate should be added to Trusted Root Certification Authorities store on all Connection Servers in the POD.
    • Subject name: Cluster GUID
      Note: You can find Cluster GUID using the vdmadmin -C command or navigating to Connection Server Cluster GUID under HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware VDM\Node Manager.
    • SAN: Cluster GUID of Horizon pod as DNSName
    • EKU: Server authentication, Client authentication
    • Set friendly name:
    • Private key must be marked exportable.
    • Certificate must be added to Certificates (Local Computer) > VMware Horizon View Certificates > Certificates.
    • Signature algorithm to use: SHA384/SHA512
  2. Import the certificate chain to corresponding folders.
  3. Delete the existing cluster certificate with friendly name
  4. Restart Connection Server service.


When the Connection Server has accepted the new certificate, the friendly name of the certificate will change from to If the certificate is not accepted for any reason the old certificate will be moved from LDAP to the Windows certificate store. The other servers in the cluster will fetch this certificate from LDAP.