How to Install an SSL Certificate on VMWare Horizon View

This step-by-step guide shows you how to install an SSL/TLS certificate on VMware Horizon (Connection Server or security server).

On Horizon, you do not point the product at certificate files directly. Instead, you import the certificate into the Windows local computer certificate store with the Microsoft Management Console (MMC), give it the Friendly name vdm, and restart the Horizon service.

Note: VMware Horizon is now part of Omnissa, which spun off from VMware in 2024. The certificate procedure below is unchanged across both the VMware-era and Omnissa-era Horizon 8 releases. Where the old documentation says “VMware Horizon Connection Server service,” current Omnissa builds name it the “Omnissa Horizon Connection Server service” – the steps are otherwise identical.

Generate a CSR code on VMware Horizon

When you apply for an SSL certificate, one of the first steps is to generate a CSR (Certificate Signing Request) and send it to your Certificate Authority (CA). A CSR is a block of encoded text that contains your contact and domain details. You have two options:

• Generate the CSR automatically with our CSR Generator.
• Follow our step-by-step tutorial on how to create the CSR on VMware Horizon.

Tip: Generate the CSR on the same Windows machine where you intend to install the certificate. That way the matching private key is created in Windows and the CA can return a ready-to-import .pfx file. If you generated the CSR elsewhere, you can still combine the issued certificate with your private key into a .pfx before importing it (see the FAQ).

Install an SSL certificate on VMware Horizon

After the CA validates and signs your certificate, it emails you the certificate files. Download the ZIP archive and extract it. Then import the certificate on the Windows Server host where the Connection Server (or security server) is installed, following the steps below.

Step 1: Add the Certificates snap-in to MMC

1. Log in to your Connection Server or security server and launch mmc.exe.
2. Go to File > Add/Remove Snap-in, select Certificates, and click Add.
3. In the Certificates snap-in window, select Computer account, then click Next.
4. Select Local computer and click Finish.
5. Back in the Add or Remove Snap-ins window, click OK.

Shortcut: You can open the local computer certificate store directly by running certlm.msc from the Start menu or Run dialog. This skips the snap-in setup above and takes you straight to Certificates (Local Computer).

Step 2: Import your server certificate into the Windows certificate store

The certificate you import must include its private key, so use a .pfx (PKCS #12) file here. Depending on how the file was built, it may also contain the full chain (server, intermediate, and root certificates).

1. In MMC, expand Certificates (Local Computer) and select the Personal folder.
2. In the Actions pane, go to More Actions > All Tasks > Import.
3. In the Certificate Import Wizard, click Next and browse to the folder that holds your certificate.
4. Select the certificate file and click Open. Note: to see your file, choose its format from the File name drop-down menu (for example, Personal Information Exchange (*.pfx, *.p12)).
5. Enter the password for the private key contained in the certificate file.
6. Select Mark this key as exportable.
7. Select Include all extended properties.
8. Click Next, then Finish. The new certificate appears in Certificates (Local Computer) > Personal > Certificates.
9. Confirm the certificate has a private key: open Certificates (Local Computer) > Personal > Certificates, double-click the new certificate, and verify that the General tab shows “You have a private key that corresponds to this certificate.”

Step 3: Set the certificate’s Friendly name to “vdm”

This is the step that makes Horizon use your certificate. Horizon identifies its TLS certificate by the Friendly name vdm – without it, the server keeps using its default self-signed certificate.

1. In MMC, expand Certificates (Local Computer) and select Personal > Certificates.
2. Right-click the certificate issued to the Horizon server host and click Properties.
3. On the General tab, delete any existing text in the Friendly name field and type vdm (it must be lowercase).
4. Click Apply, then OK.
5. Make sure no other certificate in Personal > Certificates has the Friendly name vdm. If one does (for example, the old self-signed certificate), rename it – clear the vdm value, click Apply, then OK.

Step 4: Import the root and intermediate certificates

For clients to trust your certificate, the full chain must be present. If your .pfx already imported the root and intermediates into the right stores, you can skip ahead and verify. Otherwise, import them now.

1. In MMC, expand Certificates (Local Computer) and open Trusted Root Certification Authorities > Certificates.
2. If your root certificate is already there and your chain has no intermediates, skip to the restart step. If the root is missing, continue below.
3. Right-click Trusted Root Certification Authorities > Certificates and click All Tasks > Import.
4. In the Certificate Import Wizard, click Next and browse to the root CA certificate.
5. Select the root CA certificate file and click Open.
6. Click Next, then Finish.
7. If an intermediate CA signed your server certificate, import every intermediate in the chain too: open Certificates (Local Computer) > Intermediate Certification Authorities > Certificates and repeat the import for each intermediate certificate.

Step 5: Restart the Horizon service

Horizon reads the certificate at startup, so the change only takes effect after a restart. Open the Windows Services console (services.msc) and restart the VMware Horizon Connection Server service (named Omnissa Horizon Connection Server on newer builds). On a security server, restart the VMware Horizon Security Server service instead. Restarting the whole server works too, but restarting the service is faster and sufficient.

Give it a few seconds, then reload the Horizon Console (Horizon Administrator) in your browser. Your new certificate is in use once the connection shows as secure and trusted.

Behind a Unified Access Gateway (UAG)? After replacing the certificate on the Connection Server, update the Connection Server thumbprint in the UAG configuration so the gateway continues to trust it.

Test your SSL installation

After you install the SSL certificate on VMware Horizon, run a diagnostic scan to confirm everything is configured correctly. Our SSL Checker check your certificate in seconds and flag any chain issues, vulnerabilities, or misconfigurations. If the Horizon server is not reachable from the public internet, you can still verify locally by opening the Horizon Console in a browser and confirming the padlock shows a valid, trusted certificate with the correct hostname.

Where to buy the best SSL certificate for VMware Horizon

SSL Dragon is your source for all your SSL needs. We offer some of the lowest prices on the market across our entire range of SSL products, and we’ve partnered with the best SSL brands in the industry for strong security and dedicated support. All our SSL certificates are compatible with VMware Horizon servers.

Because Horizon deployments often span several Connection Servers and gateways that share one hostname or multiple names, a certificate with Subject Alternative Names (SANs) covering every server’s hostname and FQDN is usually the right fit. A multi-domain (SAN) or wildcard certificate keeps the whole environment on a single, easy-to-manage certificate.

Frequently asked questions

Bottom line

Installing an SSL certificate on VMware Horizon comes down to importing a .pfx into the Windows local computer certificate store with MMC, giving it the Friendly name vdm, trusting the root and intermediate certificates, and restarting the Horizon Connection Server service.

Need a certificate first? Browse our SSL certificates or let the SSL Wizard pick the right one for your environment.