If your organization does not provide you with a TLS server certificate, you must request a new certificate that is signed by a CA.

You can use several methods to obtain a new signed certificate. For example, you can use the Microsoft certreq utility to generate a Certificate Signing Request (CSR) and submit a certificate request to a CA.

For an example that shows you how to use certreq to accomplish this task, see the Horizon Integration document.

For testing purposes, you can obtain a free temporary certificate based on an untrusted root from many CAs.

Important: You must follow certain rules and guidelines when you obtain signed TLS certificates from a CA.
  • When you generate a certificate request, choose a certificate template that has Windows Server 2008 selected in the Compatibility tab, or select Proceed without enrollment policy and choose (No template) Legacy key for Template. If you do not do this, Horizon 8 will not be able to detect the private key, even though the Certificates MMC snap-in indicates that it is present.
  • To comply with VMware security recommendations, use the fully qualified domain name (FQDN) that client devices use to connect to the host. Do not use a simple server name or IP address, even for communications within your internal domain.
  • Do not generate certificates for servers using a KeyLength value under 1024. Client endpoints will not validate a certificate on a server that was generated with a KeyLength under 1024, and the clients will fail to connect to the server. Certificate validations that are performed by Connection Server will also fail, resulting in the affected servers showing as red in the Horizon Console dashboard.
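
The following added example (not taken from the Horizon Integration document or any other VMware source) shows how the three rules above map onto a certreq request file: it checks the subject and key length first, then writes the INF and generates the CSR. Assumptions: `horizon.example.com` is a placeholder FQDN, the file names and the 2048-bit default are this example's choices, and the script runs in an elevated PowerShell session on the server that will hold the certificate.

```powershell
# Added example (not VMware's): build a certreq INF that follows the rules above.
param(
    [string]$Fqdn = 'horizon.example.com',  # placeholder: FQDN that clients connect to
    [int]$KeyLength = 2048,                 # example's choice; the page forbids values under 1024
    [string]$OutDir = $PWD.Path
)

# Rule: the subject must be an FQDN, not a short server name or an IP address.
$ip = $null
$isIp = [System.Net.IPAddress]::TryParse($Fqdn, [ref]$ip)
if ($isIp -or $Fqdn -notmatch '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$') {
    throw "'$Fqdn' is not a fully qualified domain name."
}
# Rule: reject key lengths under 1024 before any key pair is generated.
if ($KeyLength -lt 1024) {
    throw "KeyLength $KeyLength is under 1024; clients will refuse the certificate."
}

# The backticks keep PowerShell from expanding the literal "$Windows NT$" signature.
$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$Fqdn"
KeyLength = $KeyLength
KeySpec = 1
MachineKeySet = TRUE
; Legacy key rule: a CryptoAPI provider, not a CNG key storage provider.
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
HashAlgorithm = SHA256
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1 ; Server Authentication
"@

$infPath = Join-Path $OutDir 'request.inf'
$csrPath = Join-Path $OutDir 'request.csr'
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# certreq creates the key pair in the machine store and writes the PKCS #10 request.
certreq.exe -new $infPath $csrPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }
Write-Output "CSR written to $csrPath. Submit this file to your CA."
```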

For general information about obtaining certificates, consult the Microsoft online help available with the Certificate Snap-in to MMC. If the Certificate Snap-in is not yet installed on your computer, see Add the Certificate Snap-In to MMC.