July 4, 2012 - Sven Huisman

VMware Horizon Application Manager – Using wildcard SSL certificate

As I can not find any documentation on how to do this, I might as well write a little blogpost about this topic. If it is not interesting for you, at least it is an online documentation for myself. The problem that I had was that I already had a wildcard certificate in a PFX file format that I wanted to use and I couldn’t get that into the certificate keystore that Horizon Application Manager uses. I posted my question on twitter and on the VMware community forum. Dwayne Lessner had the same problem and he was able to configure Horizon with a certificate from an internal CA. Unfortunately, his steps did not help me. Luckily, Mike Barnett from VMware offered to help me out and in this blogpost I describe the steps he took the get it working. Follow these steps if you have a PFX wildcard certificate and want to use it with Horizon Application manager.

First of all, there are 2 virtual appliances and they both need the wildcard certificate: the Horizon application manager virtual appliance and the Horizon application manager connector appliance.

1 ) Put the wildcard certificate (certificate.pfx), the rootCA certificate (rootca.crt) and the intermediate certificate (intermediate.crt) on the Horizon application manager virtual appliance. You can use WinSCP or VeeamZIP to logon to the appliance and transfer the files to \tmp\ssl for example. In the following steps the password on the PFX file is “password”.

2 ) Create a new keystore using certificate.pfx using the following cmd (The keytool command is located at /usr/java/jre-vmware/bin):

./keytool -importkeystore -srckeystore /tmp/SSL/certificate.pfx -destkeystore tcserver.keystore -srcstoretype pkcs12 -srcstorepass password -deststorepass changeme

3 ) Import the rootCA certificate into the keystore:

./keytool -import -keystore tcserver.keystore -storepass changeme -alias rootCA -file /tmp/SSL/rootca.crt

4 ) Import the intermediate certificate into the keystore:

./keytool -import -keystore tcserver.keystore -storepass changeme -alias intermediateCA -file /tmp/SSL/intermediate.crt

5 ) Show the certificate in the keystore to get the alias. You should look for Entry Type: PrivateKeyEntry. The Alias is mentioned above that:

./keytool -list -v -keystore tcserver.keystore | more

(password is “changeme”)


6 ) Change the alias to “tcserver”. Use this command:

./keytool -changealias -alias {oldalias} -destalias tcserver -keystore tcserver.keystore -storepass changeme

7 ) Change the password of the alias key entry

./keytool -keypasswd -alias tcserver -keypass password -new changeme -keystore tcserver.keystore

8 ) Rename the old keystore:

mv /opt/vmware/horizon/horizoninstance/conf/tcserver.keystore /opt/vmware/horizon/horizoninstance/conf/tcserver.keystore.old

9 ) Copy the new keystore:

cp tcserver.keystore /opt/vmware/horizon/horizoninstance/conf/

10 ) Change the rights on the file:
chmod 750 /opt/vmware/horizon/horizoninstance/conf/tcserver.keystore

11 ) Restart the Tomcat web server from the console or the commandline.

Now you have to do the same thing for the Horizon application manager connector appliance. One difference is the location of the keystore: /opt/vmware/c2/c2instance/conf/tcserver.keystore

You could also use the tcserver.keystore from the Horizon Application Manager Appliance you just created and copy it to the connector appliance.

Another thing you have to do is to import the SSL certificate from the Horizon Application Manager into the Connector appliance using the console:


Select “Configure”


Select “3”. (In the screenshots, the certificate was already imported).


Press “ENTER” if the correct domain name is displayed.

The certificate will now be imported.

And now you’re done!

Workspace Management Horizon App Manager / Horizon Application Manager / SSL / VMware /