bg-tutorials

How to Generate a CSR on VMWare Horizon View

This guide shows you how to generate a CSR (Certificate Signing Request) for VMware Horizon, the platform now published as Omnissa Horizon. You create the request directly on the Windows Connection Server with tools already installed there: the Microsoft Management Console (MMC) Certificates snap-in. The private key stays on the server, and you send only the CSR to your Certificate Authority.

A note on the name: after Broadcom acquired VMware, the End-User Computing division (which includes Horizon) was spun out as the independent company Omnissa in 2024. The rebrand finished with the Horizon 2412 release in January 2025, so newer builds say “Omnissa Horizon” in the interface, file paths, and registry keys. The certificate steps below are the same on both VMware Horizon View and current Omnissa Horizon, including Connection Server on Windows Server 2025.

Generate the CSR with the MMC Certificates snap-in

Run these steps on the Horizon Connection Server itself, signed in with an administrator account. The snap-in builds the request and keeps the matching private key in the Windows certificate store.

  1. On the Windows desktop, click Start and type mmc in the search box.
  2. Click the mmc.exe icon to open the console.
  3. Go to File > Add/Remove Snap-in, select Certificates, then click Add > OK.
  4. Select Computer account and click Next.
  5. Make sure Local computer is selected, then click Finish and OK.
  6. Under Certificates (Local Computer), expand the tree.
  7. Right-click Personal, then follow this sequence: All Tasks > Advanced Operations > Create Custom Request.
  8. In the Certificate Enrollment window, click Next.
  9. Select Proceed without enrollment policy and click Next.
  10. In the Custom request window, open the template drop-down and select (No template) Legacy key.
  11. Set the request format to PKCS #10 (the Certification Request Standard) and click Next.
  12. In the Certificate Information window, click the arrow next to Details and select Properties.
  13. On the General tab, give the request a clear friendly name so you can find it later, for example horizon-csr 2026. Do not name it vdm at this stage: Horizon expects exactly one certificate named vdm, and you apply that name to the issued certificate during installation, not now. See the note after these steps.
  14. Open the Subject tab and add the subject details below. Choose each field from the Type list, enter the value, and click Add for each one:
    • Common Name (CN): the fully qualified domain name your clients use to reach the server, for example horizon.example.com.
    • Country (C): the two-letter code of your country, for example US.
    • Locality (L): the city where your organization is registered, for example Seattle.
    • Organization (O): the full legal name of your company, for example GPI Holding LLC.
    • Organizational Unit (OU): this field is deprecated for public certificates, so leave it blank or use a generic label such as IT.
    • State (ST): the full state or province name, for example Washington.
  15. Still on the Subject tab, in the Alternative name section set Type to DNS and add every hostname clients will use to reach Horizon (for example the Connection Server FQDN and any load-balanced name). Add IP entries only if clients connect by IP. Modern browsers and clients validate the hostname from the Subject Alternative Name (SAN), so the CN alone is not enough.
  16. Open the Private Key tab, expand Key options, and set Key size to 2048 bits or higher (2048 is the current minimum for public certificates).
  17. In the same Key options area, tick Make private key exportable. This lets you back up the key or move it to replica Connection Servers later. Click OK, then Next.
  18. Choose where to save the request, name it certreq.req, and finish the wizard.

Your CSR is ready. Open the certreq.req file in any text editor, such as Notepad, and copy the entire block, including the —–BEGIN NEW CERTIFICATE REQUEST—– and —–END NEW CERTIFICATE REQUEST—– lines. Paste it into the CSR field when you place your SSL order. If you would rather build the request from a single field, you can also paste your details into our CSR Generator, though generating it on the server (as above) keeps the private key on the machine that will use it.

Why the friendly name “vdm” comes later

Horizon Connection Server, Security Server, and the related services look for the certificate whose friendly name is exactly vdm (lowercase). The setup fails if no certificate has that name, or if two certificates share it. You set that name when you import the issued certificate during installation, not while generating the CSR, because at CSR time you usually still have an older working certificate that already holds the vdm name. Renaming the request now would create a conflict. Keep a plain descriptive name on the request, then rename the new certificate to vdm after the CA issues it.

Check the CSR before you submit it (optional)

It is worth confirming the Common Name, SAN entries, and key size before sending the request to your CA. On the Connection Server, the built-in certutil tool reads the request:

certutil -dump certreq.req

If you have OpenSSL available, this command prints the same details:

openssl req -noout -text -in certreq.req

Prefer an online tool? Paste the contents of the request into SSL Dragon’s CSR decoder to read back the Common Name, SAN entries, and key size. Confirm that the Common Name matches the hostname clients use and that every required name appears under the Subject Alternative Name list. The SSL Checker is a different tool: it scans a certificate that is already installed and serving HTTPS, so use it after installation rather than on the CSR file.

Next steps

After your CA validates the CSR and issues the certificate, continue with the VMware Horizon (Omnissa Horizon) SSL installation instructions. That is where you import the certificate, rename it to vdm, and restart the Horizon services so the new certificate takes effect.

Frequently Asked Questions

Is VMware Horizon the same as Omnissa Horizon?

Yes. Horizon was part of VMware’s End-User Computing division, which became the independent company Omnissa in 2024. The product is now published as Omnissa Horizon, with the rebrand completed in the Horizon 2412 release (January 2025). The CSR and certificate steps are the same on both names.

Where is the private key after I create the CSR?

The MMC Certificates snap-in stores the private key in the Local Computer certificate store on the Connection Server as a pending request. You never send the key to the CA. Because you ticked Make private key exportable, you can later export it (with the issued certificate) to back it up or copy it to replica servers.

Should I set the friendly name to vdm when generating the CSR?

No. Horizon expects exactly one certificate named vdm, and your current working certificate usually already holds that name. Give the request a different descriptive name, then rename the issued certificate to vdm during installation. Having two certificates named vdm will break the Horizon services.

Do I have to include a Subject Alternative Name?

Yes, for any name clients actually use. Current browsers and Horizon clients validate the hostname against the Subject Alternative Name (SAN), not the Common Name. Add a DNS entry for the Connection Server FQDN and for any load-balanced or alias name, plus IP entries only if clients connect by IP address.

Can I generate the CSR with certreq instead of MMC?

Yes. The Microsoft certreq command-line tool produces an equivalent PKCS #10 request. Create a request INF file that sets the Subject, a key length of 2048 or higher, an exportable key, and the SAN entries under an extensions section, then run certreq -new request.inf certreq.req. The MMC method in this guide does the same thing through a wizard, which is easier if you are doing it once.

Save 10% on SSL Certificates when ordering from SSL Dragon today!

Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10

A detailed image of a dragon in flight
Written by

I've been writing for SSL Dragon for over 10 years, focusing entirely on SSL certificates and digital security. My job is to take complex cybersecurity topics and strip away the jargon, making sure you get the clear, practical information you need to keep your website safe.