VMware Horizon JMP – Replace JMP Server self-signed certificate with Domain CA signed certificate

Welcome to my VMware Horizon JMP series. This session covers the basics of using a domain CA signed certificate on the JMP server instead of the self-signed certificate. My reason for doing this is that, with a domain CA signed certificate, I don’t have to export the self-signed certificate from the JMP server and import it into the connection servers’ Trusted Root Certification Authorities store to get it trusted. This also eliminates future problems when connection servers are re-installed and the like.

Prerequisites for completing these tasks are:

  • Access to the domain’s CA and permissions to create/edit certificate templates
  • Administrative access to the JMP and Horizon Connection server
  • OpenSSL needs to be installed


The steps I have to take to complete this session are the following:

  • Prepare Template
  • Request Certificate
  • Export the Certificate to PFX
  • Extract certificate and private key from PFX file and convert the private key to PEM format
  • Configure NGINX to use the certificate and PEM-formatted key file


Prepare Template

I will use a certificate template I previously created on my CA server, named Horizon Services. When I created this, I gave the Active Directory Group «Horizon Services» the permissions Read, Write and Enroll. Therefore I will simply add the computer account for my JMP-server to this group in ADUC. To activate this membership I reboot my JMP server.




Request Certificate

Once the JMP Server is restarted, I log in and request a new certificate from my CA.



The Certificate Enrollment Wizard launches, Next…



I have used my domain CA, so I select Active Directory Enrollment Policy, Next…



I click the yellow “Click here to continue” on my Horizon Services template



I populate the following values in the subject information fields:

  • CN – This must be the FQDN of your Manager server, in my case: “view-jmp01.ad.admin.frelab.net”
  • Country (C)
  • Locality (L)
  • Organization (O)
  • Organizational Unit (OU)
  • State



I give the certificate a friendly name and make sure to check “Make private key exportable”, OK…




Back in the Certificate Enrollment Wizard I check my Horizon Services certificate, Enroll…






I can now verify my certificate properties from the certificate MMC, looks excellent.





Export the Certificate to PFX

In order to use this certificate with NGINX, I first have to export this certificate to pfx-format.






Yes, export the private key, Next…



I check “Export all extended properties”, Next…



I enter a password, Next…



I specify a location and filename, Next…






Extract certificate and private key from PFX file and convert the private key to PEM format

From an administrative command prompt I run the following commands to extract the certificate and private key to PEM format. This is done from within the OpenSSL folder.

openssl pkcs12 -in c:\tmp\view-jmp01.pfx -nocerts -out c:\tmp\view-jmp01.key

openssl rsa -in c:\tmp\view-jmp01.key -outform PEM -out c:\tmp\view-jmp01-PEM.key

openssl pkcs12 -in c:\tmp\view-jmp01.pfx -clcerts -nokeys -out c:\tmp\view-jmp01.crt



This produces the following files in c:\tmp: view-jmp01.key, view-jmp01-PEM.key and view-jmp01.crt.
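
Before pointing NGINX at the extracted files, it is worth confirming that the certificate and key belong together and that the certificate is valid for the JMP server's FQDN. The PowerShell check below is an added example, not part of the original post; it assumes openssl.exe is on the PATH, reuses the file names and FQDN from the steps above, and the function name Test-JmpCertPair is hypothetical.

```powershell
# Added example (not from the original post). Assumes openssl.exe is on the
# PATH; default paths and FQDN are the ones used in the commands above.
function Test-JmpCertPair {
    param(
        [string]$CertPath = 'C:\tmp\view-jmp01.crt',
        [string]$KeyPath  = 'C:\tmp\view-jmp01-PEM.key',
        [string]$Fqdn     = 'view-jmp01.ad.admin.frelab.net'
    )
    $problems = @()

    # NGINX must read the key unattended, so it has to be the unencrypted PEM
    # written by the "openssl rsa" step, not the passphrase-protected export.
    if (Select-String -Path $KeyPath -Pattern 'ENCRYPTED' -CaseSensitive -Quiet) {
        return @("Key file $KeyPath is still passphrase-protected")
    }

    # Certificate and key belong together only if their public keys are equal.
    $certPub = (& openssl x509 -in $CertPath -noout -pubkey) -join "`n"
    $keyPub  = (& openssl pkey -in $KeyPath -pubout) -join "`n"
    if (-not $certPub -or $certPub -ne $keyPub) {
        $problems += 'Certificate and private key do not match'
    }

    # -checkhost tests the name against SAN entries, falling back to the CN.
    $hostCheck = (& openssl x509 -in $CertPath -noout -checkhost $Fqdn) -join ' '
    if ($hostCheck -notmatch 'does match certificate') {
        $problems += "Certificate is not valid for $Fqdn"
    }

    # -checkend 0 exits non-zero when the certificate has already expired.
    & openssl x509 -in $CertPath -noout -checkend 0 | Out-Null
    if ($LASTEXITCODE -ne 0) { $problems += 'Certificate has expired' }

    # The key is stored in clear text from here on; show who can read it.
    (Get-Acl $KeyPath).Access |
        Select-Object IdentityReference, FileSystemRights |
        Out-Host
    return $problems
}

$result = Test-JmpCertPair
if ($result) { $result | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'Certificate and key are consistent.' }
```

NGINX only needs view-jmp01.crt and view-jmp01-PEM.key; the PFX and the intermediate view-jmp01.key in c:\tmp contain the same private key.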



Configure NGINX to use the certificate and PEM-formatted key file

Before I can configure NGINX to use my new certificate and key, I need to stop the Horizon JMP Services.



I make a backup of nginx.conf and copy the crt and key files to the same folder, “C:\Program Files (x86)\VMware\JMP\com\XMS\nginx\conf” (PS: It might be useful to launch explorer.exe from an administrative command prompt, in order to get permissions to access this folder)



From an administrative command prompt, I start notepad.exe and open the nginx.conf file. I comment out the original settings and append my new certificate settings. Save and exit.



Finally, I start up the JMP services again.




Now that I’m done configuring the JMP server certificate, I can proceed with configuring Horizon JMP, covered here: VMware Horizon JMP – Configuration


VMware Horizon JMP on VMware Tech Zone

VMware Horizon JMP planning, deployment etc.

Disclaimer: Every tip/trick/posting I have published here is tried and tested in different IT solutions. It is not guaranteed to work everywhere, but is meant as a tip for other users out there. Remember, Google is your friend and don’t be afraid to steal with pride! Feel free to comment below as needed.