Installing an SSL/TLS certificate on the Omnissa Horizon Connection Server (formerly the VMware Horizon Connection Server) is a common task. The whole process may feel daunting if you’ve never installed a certificate on the Horizon Connection Server.
Omnissa Horizon has had a few names, and some of those old names are still present at its core. Most recently it was called VMware Horizon. The original name of Horizon was VMware VDM (Virtual Desktop Manager), later renamed VMware Horizon View, and today, it is called Horizon or Omnissa Horizon.
In this post, I will show you step-by-step how to install a certificate on the Horizon Connection Server and update the VMware Unified Access Gateway appliance to reflect the changes.
Prerequisites
- Install the PFX certificate on the VMware Horizon Connection Server. If you need to learn how, my post Install PFX Certificate in Windows details all the steps.
The Process
The process is broken up into two sections. The first section details the steps needed on the Omnissa Horizon Connection Server, and the second section details the steps needed on the Omnissa Unified Access Gateway appliance.
Omnissa Horizon Connection Server
- Connect to your Horizon Connection Server.
- Open MMC.
- Add the Certificates Snap-in.
- Select Computer account and click Next.
- Select Local computer and click Finish.
- Click OK to close the Add or Remove Snap-ins window.
- Expand out Certificates (Local Computer) > Personal > Certificates.
- You will see that one of the certificates has the friendly name vdm.
We need to change the old certificate’s name from vdm to something else. The VMware Horizon Connection Server is looking for the certificate with the friendly name vdm. It won’t work if there are none or if there are two of them named vdm.
- Right-click on the certificate currently named vdm and click on Properties.
- Change the Friendly name to something other than vdm. I will use the name original cert.
- Click Apply, then click OK.
- Right-click on the new certificate and click on Properties.
- Change the Friendly name to vdm.
- Click Apply, then click OK.
- Open Services.
- Restart the VMware Horizon View Connection Server service.
- The new certificate will be active once the VMware Horizon Connection Server service has finished restarting.
If you run into the ERR_SSL_VERSION_OR_CIPHER_MISMATCH error, double-check everything. This error can show up if more than one certificate has the friendly name vdm, if the option to make the private key exportable wasn’t enabled when the PFX was installed, or if the CSR was created using the (No template) CNG key option.
Omnissa Unified Access Gateway
Before we make any changes to the UAG, we need to collect the certificate thumbprint.
- Go to the URL of your Omnissa Horizon Connection Server in a web browser.
- Click on the lock icon to View site information.
- Click on Connection is secure.
- Click on the certificate icon to show the certificate.
- Under SHA-256 Fingerprints, copy the value for the certificate. We will need this on the UAG.
- Log in to the UAG.
- Select Configure Manually.
- Toggle the option to show Edge Services Settings.
- Click on Horizon Settings.
- For the Connection Server URL Thumbprint, enter sha256= followed by the fingerprint we copied earlier.
- Click Save.
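The friendly-name requirement and the thumbprint step can both be checked from PowerShell on the Connection Server. This read-only script is an added example, not part of the original post or Omnissa's tooling: it confirms that exactly one certificate in the Local Computer Personal store has the friendly name vdm and that it has a private key, then prints its SHA-256 fingerprint in the sha256= form. The function name Test-VdmCertificate and the colon-separated hex output are assumptions; the script does not check key exportability or the key provider type.

```powershell
# Added example: read-only check of the certificate Horizon will pick up.
# Run in an elevated PowerShell session on the Connection Server.
function Test-VdmCertificate {
    [CmdletBinding()]
    param(
        [string]$FriendlyName = 'vdm',
        [string]$StorePath    = 'Cert:\LocalMachine\My'   # Local Computer > Personal
    )

    # The Connection Server looks up its certificate by friendly name, so zero
    # matches or more than one match both break TLS. -eq is case-insensitive here.
    $found = @(Get-ChildItem -Path $StorePath |
        Where-Object { $_.FriendlyName -eq $FriendlyName })
    if ($found.Count -ne 1) {
        throw "Expected exactly one certificate named '$FriendlyName' in $StorePath, found $($found.Count)."
    }
    $cert = $found[0]

    # Collect problems instead of stopping at the first one.
    $problems = @()
    if (-not $cert.HasPrivateKey) {
        $problems += 'no private key is associated with this certificate'
    }
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        $problems += "outside validity period ($($cert.NotBefore) to $($cert.NotAfter))"
    }

    # SHA-256 over the DER-encoded certificate: the same bytes the browser
    # hashes for its "SHA-256 Fingerprints" field.
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    try     { $digest = $sha256.ComputeHash($cert.RawData) }
    finally { $sha256.Dispose() }
    $hex = ($digest | ForEach-Object { $_.ToString('X2') }) -join ':'

    [pscustomobject]@{
        Subject       = $cert.Subject
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey
        Problems      = $problems
        UagThumbprint = "sha256=$hex"   # separator style is an assumption
    }
}

Test-VdmCertificate | Format-List
```

Run it after renaming the certificates and before restarting the service; an empty Problems list means the friendly name, private key and validity checks passed.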
That’s all it takes to install a certificate on the Omnissa Horizon Connection Server and to update the Omnissa Unified Access Gateway appliance with the updated certificate thumbprint.
If you want to read more about TLS certificates on the Omnissa Horizon Connection Server, here is the Omnissa documentation.