Setting Up Horizon Application Manager with an Internal CA

I found the online documentation a little vague since it just told you to go to the Apache SSL how-to page. Hopefully this will help other people out who were in the same boat as me.

1) Configure the web server from the console menu to disable the insecure ports (80 & 8080).

2) Enable the Secure Ports (443 & 8443) from the console menu.

3) The first thing you need to do is generate a self-signed certificate. This step is necessary as it helps build the server.xml that is used to configure the Tomcat server. The truth is more likely that the server.xml has hardcoded values, but you should get the point. This can also be done from the console menu. This step creates the tcserver.keystore with an alias of tcserver.

4) If you were trying to use a .PFX file, try again. The private/public key pair needs to be made first by generating the CSR. There is no way I could find to split the key from the PFX file and add it into the keystore. This makes sense or else anyone could use the public key and verify their servers.
Generate the CSR
The keytool command is located at /user/java/jre-vmware/bin

keytool -certreq -file certreq.txt -keystore tcserver.keystore -storepass changeme -alias tcserver
Note: When asked for your first name, it is the URL of the server you are trying to generate a certificate for.
Send that to whoever manages your internal CA.

5) Delete the self-signed certificate in the keystore
keytool -delete -alias tcserver -keystore tcserver.keystore
Depending on where you run the keytool command from, you might have to use the path to where the tcserver.keystore is located, /opt/vmware/horizon/horizoninstance/conf

6) Get back a cert.p7b file

7) Open the file with Crypto Shell Extensions; right-click, Open With should do the trick.

8) Generate Base-64 encoded files for your public certificate, the root certificate and the intermediate certificate

The root certificate has the same Issued To and Issued By = root.cer
The intermediate certificate has its Issued By equal to the Issued To of the root = int.cer
The public certificate has an Issued To of the URL for the server you requested in the CSR = cert.cer

9) Import the root certificate
keytool -importcert -keystore tcserver.keystore -storepass changeme -alias rootCA -file root.cer
10) Import the intermediate certificate
keytool -importcert -keystore tcserver.keystore -storepass changeme -trustcacerts -alias intermediateCA -file int.cer

11) Import the public certificate
keytool -importcert -keystore tcserver.keystore -storepass changeme -trustcacerts -alias tcserver -file cert.cer

12) Restart Tomcat from the console menu

If you choose to use a different keystore, you can, but you will have to edit the server.xml file at
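A check for step 8, added here as an example and not part of the original post: it reads `keytool -printcert` text for the returned bundle and labels each certificate root.cer, int.cer or cert.cer by the Issued To / Issued By rule, generalized to any number of intermediates and flagging an issuer missing from the bundle. The function names and sample certificate names are constructed; it assumes keytool prints `Owner:` / `Issuer:` lines for each certificate in the .p7b.

```shell
#!/bin/sh
# Added example (not from the original post). Reads `keytool -printcert`
# text on stdin and labels each certificate with the step 8 file names.

classify_chain() {
    awk '
    /^[ \t]*Owner: /  { sub(/^[ \t]*Owner: /, "");  owner[++n] = $0; have[$0] = 1; next }
    /^[ \t]*Issuer: / { sub(/^[ \t]*Issuer: /, ""); issuer[n] = $0; signs[$0] = 1; next }
    END {
        for (i = 1; i <= n; i++) {
            if (owner[i] == issuer[i])  role = "root.cer"   # Issued To == Issued By
            else if (owner[i] in signs) role = "int.cer"    # it issued another cert
            else                        role = "cert.cer"   # the server certificate
            printf "%s\t%s\n", role, owner[i]
            # An issuer that is not in the bundle means the chain is incomplete.
            if (!(issuer[i] in have)) { printf "missing-issuer\t%s\n", issuer[i]; bad = 1 }
        }
        exit (bad ? 1 : 0)
    }'
}

# Constructed sample of `keytool -printcert -file cert.p7b` output (made-up names).
sample_printcert() {
    cat <<'EOF'
Certificate[1]:
Owner: CN=horizon.example.internal, OU=IT, O=Example Corp, C=US
Issuer: CN=Example Issuing CA 1, O=Example Corp, C=US
Certificate[2]:
Owner: CN=Example Issuing CA 1, O=Example Corp, C=US
Issuer: CN=Example Root CA, O=Example Corp, C=US
Certificate[3]:
Owner: CN=Example Root CA, O=Example Corp, C=US
Issuer: CN=Example Root CA, O=Example Corp, C=US
EOF
}

sample_printcert | classify_chain
# Real use: keytool -printcert -file cert.p7b | classify_chain
```

A non-zero exit status means at least one issuer is absent from the bundle, so the chain imported in steps 9 to 11 would be incomplete.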


  1. What if I already have a wildcard certificate? You’re saying I cannot use it? You will always have to generate a certificate request file and with that you can request a (wildcard) certificate? There must be a way to use an existing wildcard certificate, right?
