How do I install a certificate on Windows Server for VMware Horizon?

Problem

How do I install a certificate on Windows Server for VMware Horizon?

Resolution
 
VMware Horizon on a Windows Server searches for a certificate in the Personal certificate store with a friendly name of vdm.

Part I - Installing the Root Certificate

Generally, your Windows Server should already have the QuoVadis Root certificates installed; however, there have been cases where they were missing.  If the root certificate is not present when you install the SSL certificate, the system will prompt you to trust it, which will also install it.
 
First you must open the Microsoft Management Console.
  1. Click on Start and then type MMC.  This should display "mmc - Run command" as the best match. Click on it to open the Microsoft Management Console.

  2. The Console1 window will appear.

  3. Click on File at the top and then select Add/Remove Snap-in...  Alternatively, you can press Ctrl + M.

  4. In the Add/Remove Snap-in window, click on the Add... button at the bottom.  This will open a third window named Add Standalone Snap-in.

  5. Scroll down in the Add Standalone Snap-in window and find the Certificates component.  Once found, highlight it and click on the Add button at the bottom.  Alternatively, you can double-click on Certificates.

  6. In a new window, you will be given 3 options for which account you want the certificates snap-in to manage.

  7. Select the Computer account radio button and click on the Next button.

  8. At the next screen, click on the Finish button.

  9. Click on the ">" sign next to Certificates (Local Computer) to expand it (if it isn't already expanded).

  10. Locate and expand the Trusted Root Certification Authorities store and then click on the Certificates folder underneath it.

  11. In the right hand pane, you should see a list of certificates. Click on any certificate that you see and press the letter "Q" on your keyboard to fast-track to the QuoVadis root certificates.  Verify that the correct Root CA certificate is in this list. The correct certificate is shown and available for download on the certificate download page within Trust/Link.  If this certificate is in the Trusted Root Certification Authorities store, then you can skip to Part II to check for the Intermediate Certificate.  If this certificate is not installed, then the next steps will guide you through the process of installing this file.

  12. Place the certificate in a directory where it can be accessed by the server.

  13. Right-click on the Certificates folder underneath the Trusted Root Certification Authorities folder and in the drop-down menu, select All Tasks and then click on Import.

  14. The Certificate Import Wizard will appear.  At the welcome screen, click on the Next button.

  15. You must specify the file to import.  Click on the Browse... button and find and select the Root CA certificate.  Once selected, it should appear in the File name: field.  Click on the Next button.

  16. On the next screen, the option for Place all certificates in the following store should be selected by default and in the Certificate store: field should be Trusted Root Certification Authorities.  Click on the Next button.

  17. At the summary screen, click on the Finish button.

  18. You should get a message that reads, "The import was successful."

Part II - Installing the Intermediate (chaining) Certificate

Part II explains how to install the intermediate files that are required.  QuoVadis uses an intermediate certificate that must be installed on the server to prevent errors in certain browsers.  Go through these steps to check for it; if the intermediate certificate is not installed, obtain it and follow the rest of Part II.  Part II assumes that you currently have the Microsoft Management Console open.  If you do not, you can find the instructions in Part I of this guide, steps 1-8.
  1. Click on the ">" sign next to Certificates (Local Computer) to expand it.

  2. Locate and expand the Intermediate Certification Authorities store and then click on the Certificates folder underneath it.

  3. In the right hand pane, you should see a list of certificates.  Verify that the correct Intermediate CA certificate (Chain) is in this list. The correct certificate is shown and available for download on the certificate download page within Trust/Link.  If this certificate is in the Intermediate Certification Authorities store, then you can skip to Part III.  If it is not, then the next steps will guide you through the process of installing this file.

  4. Place the certificate in a directory where it can be accessed by the server.

  5. Right-click on the Certificates folder underneath the Intermediate Certification Authorities folder and in the drop-down menu, select All Tasks and then click on Import.

  6. The Certificate Import Wizard will appear.  At the welcome screen, click on the Next button.

  7. You must specify the file to import.  Click on the Browse... button and find and select the Intermediate CA (Chain) certificate.  Once selected, it should appear in the File name: field.  Click on the Next button.

  8. On the next screen, the option for Place all certificates in the following store should be selected by default and in the Certificate store: field should be Intermediate Certification Authorities.  Click on the Next button.

  9. At the summary screen, click on the Finish button.

  10. You should get a message that reads, "The import was successful."
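
The checks and imports from Parts I and II can also be done from an elevated PowerShell session.  The script below is an added example, not part of the original article; the two file paths are placeholders for the Root CA and Intermediate CA (Chain) files you downloaded, and the self-signed test is a simple heuristic added here to keep each file out of the wrong store.

```powershell
# Added example. Run in an elevated PowerShell session on the Horizon server.
# Both paths are placeholders for the files downloaded in Parts I and II.
$caFiles = @(
    @{ Role = 'Root';         Path = 'C:\certs\root-ca.crt';         Store = 'Cert:\LocalMachine\Root' },
    @{ Role = 'Intermediate'; Path = 'C:\certs\intermediate-ca.crt'; Store = 'Cert:\LocalMachine\CA' }
)

foreach ($ca in $caFiles) {
    # Parse the file without installing it, so it can be inspected first.
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ca.Path)
    $selfSigned = $cert.Subject -eq $cert.Issuer

    # A root is self-signed and an intermediate is not. Refuse a mismatch so an
    # intermediate never lands in the Trusted Root store (or the reverse).
    if (($ca.Role -eq 'Root') -ne $selfSigned) {
        Write-Warning "$($ca.Path) does not look like a $($ca.Role) CA certificate; skipped."
        continue
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        Write-Warning "$($cert.Subject) expired on $($cert.NotAfter); skipped."
        continue
    }

    # Print what is about to be trusted, for comparison with the certificate
    # shown on the download page.
    "{0}: {1}`n  Thumbprint: {2}`n  Valid to:   {3}" -f $ca.Role, $cert.Subject, $cert.Thumbprint, $cert.NotAfter

    # Same check as scanning the right-hand pane: is it already in the store?
    $installed = Get-ChildItem -Path $ca.Store | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    if ($installed) {
        "  Already present in $($ca.Store); nothing to do."
    } else {
        Import-Certificate -FilePath $ca.Path -CertStoreLocation $ca.Store | Out-Null
        "  Imported into $($ca.Store)."
    }
}
```

Cert:\LocalMachine\Root and Cert:\LocalMachine\CA are the PowerShell names for the Trusted Root Certification Authorities and Intermediate Certification Authorities stores of the Computer account.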

Part III - Install the SSL Certificate

Part III is given as a high-level solution that assumes you understand the various methods of installing an SSL certificate.  There are a variety of scenarios for your infrastructure and it would be difficult to cover them all in this article.  You must get the certificate (public and private key) installed in the Microsoft Windows Certificate Store for the Local Computer account of the server that hosts VMware Horizon.  Here are some ways to accomplish this:
  • Import a PKCS#12 (*.p12 or *.pfx) file into MMC - This PKCS#12 file can be generated from various sources such as exporting a certificate from IIS installed on another Windows Server or using OpenSSL.  The method used to create it does not matter, as long as you have a complete PKCS#12 file to perform the import with.
  • Complete certificate request through IIS - If you have IIS installed on the same server, you can simply create a certificate signing request on this server and complete the certificate request as you would normally for IIS.  With the certificate installed, do not assign the bindings to any website (unless you are using this certificate for multiple purposes).

Part IV - Rename the friendly name of the certificate to vdm and restart the server

Note: If you are replacing an expiring certificate, then you must rename the existing certificate's friendly name to something else before you can rename the new certificate. Only one certificate should have its friendly name as vdm.
  1. Open the Computer account in the Certificates snap-in for the server in MMC.

  2. Expand the Personal folder.

  3. Double-click on the certificate to open its Certificate details window.

  4. Select the Details tab.

  5. Click on the Edit Properties... button.

  6. In the General tab, rename the Friendly name: field to vdm.

  7. Click on the OK button.
When the new certificate contains the friendly name of vdm, restart the computer for VMware Horizon to utilize the new certificate.
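
Part IV can be scripted so that the rename only happens after the certificate has been checked.  The script below is an added example, not part of the original article; the thumbprint is a placeholder for your new certificate and the name given to the old certificate is an arbitrary choice.

```powershell
# Added example. Run in an elevated PowerShell session on the Horizon server.
$thumbprint = '<THUMBPRINT-OF-NEW-CERTIFICATE>'   # placeholder, not from the article
$store      = 'Cert:\LocalMachine\My'             # Personal store, Computer account

$new = Get-Item -Path "$store\$thumbprint" -ErrorAction Stop

# Part III requires the private key to be installed with the certificate.
if (-not $new.HasPrivateKey) { throw "Certificate $thumbprint has no private key in $store." }

$now = Get-Date
if ($now -lt $new.NotBefore -or $now -gt $new.NotAfter) {
    throw "Certificate is outside its validity period ($($new.NotBefore) to $($new.NotAfter))."
}

# Confirm the chain resolves through the CA certificates from Parts I and II.
# Revocation is not checked here so the test also works without network access.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if (-not $chain.Build($new)) {
    $reasons = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    throw "Chain does not build: $reasons"
}

# Rename any other certificate that currently holds the name vdm.
Get-ChildItem -Path $store |
    Where-Object { $_.FriendlyName -eq 'vdm' -and $_.Thumbprint -ne $new.Thumbprint } |
    ForEach-Object {
        $_.FriendlyName = 'vdm-replaced-{0:yyyyMMdd}' -f $now
        "Renamed old certificate $($_.Thumbprint) to '$($_.FriendlyName)'."
    }

$new.FriendlyName = 'vdm'

# Exactly one certificate should now carry the friendly name vdm.
$vdm = @(Get-ChildItem -Path $store | Where-Object { $_.FriendlyName -eq 'vdm' })
if ($vdm.Count -ne 1) { throw "Expected 1 certificate named vdm, found $($vdm.Count)." }
"vdm -> $($vdm[0].Subject), valid to $($vdm[0].NotAfter). Restart the server to apply."
```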
