VMware has provided us with a new and efficient way to import certificates into Horizon. Let’s put it to the test!
I have a new and sleek single connection server. Let’s see what options we have:
I have logged in with my administrator account, but I am unable to generate a CSR or import a PFX because they are grayed out.
According to the documentation found at vmware.com, I should have the privilege “Manage Certificates.” However, by default, this privilege is not assigned to the administrator role or any other role. Therefore, we need to create this role manually.
Go to Settings -> Administrators -> Role Privileges and add a new role.
Give it a nice name.
I did this quick and dirty; I just gave my administrator account this role.
Finish!
Then log off and log on again to your connection server.
Now that we have the necessary privilege, we have access to generate a CSR or import a PEM/PFX.
Let’s try importing a PFX.
The import was successful, and as per the notification, we need to restart the connection server component. This most likely refers to restarting the connection server service.
We need to wait a few minutes for the service to fully start up.
Once the service has started, we can connect to the admin console to view our newly imported certificate.
It seems like there might be a problem. Let’s check the certificate manager again to see if the imported certificate is present. If the self-signed certificate is still there, it’s possible that the import process didn’t complete successfully, or the restart of the connection server service did not take effect.
Even after rebooting the server, the old certificate is still showing.
Let’s connect to the connection server and check the certificates in the Local Computer store on Windows. This is where we would typically update the certificate using the friendly name “vdm” before the convenient certificate management feature was introduced. This may give us insight into the current state of the certificates on the connection server and help us resolve the issue.
It appears that this might be the source of the problem. The “old” certificate still has the Friendly Name “vdm” and the new certificate also has the same friendly name “vdm.” This is causing a conflict and preventing the new certificate from being used. To resolve the issue, we may need to either change the Friendly Name of one of the certificates or remove the “old” certificate from the Local Computer store.
To resolve the problem, we can try deleting the “old” self-signed certificate and restarting the Horizon connection server service. This should allow us to use the newly imported certificate. If all goes well, the new certificate should now be properly recognized and used by the Horizon connection server.
After deleting the “old” self-signed certificate and restarting the Horizon Connection Server service, my new and shiny certificate is active and showing up in Certificate Management.
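The manual check in the Local Computer store can also be scripted. The following PowerShell is an added example, not part of the original post or of VMware's tooling: it lists every certificate in the store with the friendly name “vdm”, flags a conflict when more than one exists, and can clear the friendly name on the one being retired instead of deleting it. The function names are hypothetical, and treating "Subject equals Issuer" as self-signed is a heuristic assumed here.

```powershell
# Added example (hypothetical helper names). Run in an elevated PowerShell
# session on the connection server.

function Get-VdmCertificate {
    param(
        [string]$StorePath    = 'Cert:\LocalMachine\My',  # Local Computer > Personal
        [string]$FriendlyName = 'vdm'
    )
    Get-ChildItem -Path $StorePath |
        Where-Object { $_.FriendlyName -eq $FriendlyName } |
        Select-Object Thumbprint, Subject, Issuer, NotBefore, NotAfter, HasPrivateKey,
            # Heuristic (assumption): identical subject and issuer means self-signed.
            @{ Name = 'SelfSigned'; Expression = { $_.Subject -eq $_.Issuer } },
            @{ Name = 'Expired';    Expression = { $_.NotAfter -lt (Get-Date) } }
}

function Clear-VdmFriendlyName {
    # Non-destructive alternative to deleting the old certificate.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )
    $cert = Get-Item -Path (Join-Path $StorePath $Thumbprint)
    if ($PSCmdlet.ShouldProcess($cert.Subject, 'Clear friendly name "vdm"')) {
        $cert.FriendlyName = ''
    }
}

$vdm = @(Get-VdmCertificate)
$vdm | Sort-Object NotBefore | Format-Table -AutoSize

switch ($vdm.Count) {
    0 { Write-Warning 'No certificate carries the friendly name "vdm".' }
    1 {
        Write-Output 'Exactly one "vdm" certificate found; no friendly-name conflict.'
        if (-not $vdm[0].HasPrivateKey) { Write-Warning 'It has no private key.' }
        if ($vdm[0].Expired)            { Write-Warning 'It has expired.' }
    }
    default {
        Write-Warning "$($vdm.Count) certificates share the friendly name 'vdm'."
        $vdm | Where-Object { $_.SelfSigned } | ForEach-Object {
            Write-Output "Self-signed candidate to retire: $($_.Thumbprint)"
            # Preview first, then rerun without -WhatIf to apply:
            # Clear-VdmFriendlyName -Thumbprint $_.Thumbprint -WhatIf
        }
    }
}
```

After retiring the old certificate, restart the Horizon Connection Server service as described above and rerun the audit to confirm that only one “vdm” certificate remains.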
After reading the VMware docs (because we only read the documentation when something is broken 😉), it turns out that this behavior is by design. However, it seems that the way the certificate management works is a bit, let’s say, unconventional. After importing the certificate, one would expect it to be automatically activated. This could potentially be improved in future updates to make the certificate management process more intuitive and user-friendly.