Manage Certificates in VMware Horizon 8 2212 with Certificate Management

VMware has provided us with a new and efficient way to import certificates into Horizon. Let’s put it to the test!

I have a new and sleek single connection server. Let’s see what options we have:

I have logged in with my administrator account, but I am unable to generate a CSR or import a PFX because they are grayed out.

According to the documentation found at vmware.com, I should have the privilege “Manage Certificates.” However, by default, this privilege is not assigned to the administrator role or any other role. Therefore, we need to create this role manually.

Go to Settings -> Administrators -> Role Privileges and add a new role.


Give it a nice name.

I did this quick and dirty; I just gave my administrator account this role.

Finish!

Then log off and log on again to your connection server.

Now that we have the necessary privilege, we have access to generate a CSR or import a PEM/PFX.

Let’s try importing a PFX.

The import was successful, and as per the notification, we need to restart the connection server component. This most likely refers to restarting the connection server service.

We need to wait a few minutes for the service to fully start up.

Once the service has started, we can connect to the admin console to view our newly imported certificate.

It seems like there might be a problem. Let’s check the certificate manager again to see if the imported certificate is present. If the self-signed certificate is still there, it’s possible that the import process didn’t complete successfully, or the restart of the connection server service did not take effect.

Even after rebooting the server, the old certificate is still showing.

Let’s connect to the connection server and check the certificates in the Local Computer store on Windows. This is where we would typically update the certificate using the friendly name “vdm” before the convenient certificate management feature was introduced. This may give us insight into the current state of the certificates on the connection server and help us resolve the issue.

It appears that this might be the source of the problem. The “old” certificate still has the Friendly Name “vdm” and the new certificate also has the same friendly name “vdm.” This is causing a conflict and preventing the new certificate from being used. To resolve the issue, we may need to either change the Friendly Name of one of the certificates or remove the “old” certificate from the Local Computer store.
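A read-only check for the conflict described above, as an added example that is not part of the original post: it lists every certificate with the friendly name “vdm” and flags when more than one exists. It assumes an elevated PowerShell session on the connection server, that the certificates sit in the Local Computer Personal store (`Cert:\LocalMachine\My`), and it treats Subject equal to Issuer as a self-signed heuristic.

```powershell
# Added example (not from the original post): audit "vdm" certificates.
# Assumptions: elevated session on the connection server; certificates
# live in the Local Computer Personal store. Nothing is modified.
$friendlyName = 'vdm'

$candidates = @(Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq $friendlyName })

# Build one row per certificate with the fields needed to tell them apart.
$report = $candidates | ForEach-Object {
    [pscustomobject]@{
        Thumbprint    = $_.Thumbprint
        Subject       = $_.Subject
        SelfSigned    = ($_.Subject -eq $_.Issuer)   # heuristic only
        NotBefore     = $_.NotBefore
        NotAfter      = $_.NotAfter
        Expired       = ($_.NotAfter -lt (Get-Date))
        HasPrivateKey = $_.HasPrivateKey
    }
} | Sort-Object NotBefore

$report | Format-Table -AutoSize | Out-Host

switch ($candidates.Count) {
    0 { Write-Warning "No certificate with friendly name '$friendlyName' found." }
    1 { Write-Output "Exactly one '$friendlyName' certificate: no conflict." }
    default {
        Write-Warning "$($candidates.Count) certificates share the friendly name '$friendlyName'."
        # The certificate you most likely want served: CA-issued, valid,
        # and with its private key present.
        $wanted = @($report | Where-Object {
            -not $_.SelfSigned -and -not $_.Expired -and $_.HasPrivateKey
        })
        if ($wanted.Count -eq 1) {
            Write-Output "Intended certificate: $($wanted[0].Thumbprint)"
            Write-Output "Every other row above is a conflict candidate."
        } else {
            Write-Output "Could not pick one automatically; compare the rows above."
        }
    }
}
```

Compare the reported thumbprint with the one on the certificate you imported before changing or removing anything in the store.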

To resolve the problem, we can try deleting the “old” self-signed certificate and restarting the Horizon connection server service. This should allow us to use the newly imported certificate. If all goes well, the new certificate should now be properly recognized and used by the Horizon connection server.

After deleting the “old” self-signed certificate and restarting the Horizon Connection Server service, my new and shiny certificate is active and showing up in the Certificate Management.

After reading the VMware docs (because we only read the documentation when something is broken 😉), it turns out this behavior is by design. However, it seems that the way the certificate management works is a bit, let’s say, unconventional. After importing the certificate, one would expect it to be automatically activated. This could potentially be improved in future updates to make the certificate management process more intuitive and user-friendly.
