VMware Horizon – Replace self-signed vdm certificate with Domain CA signed certificate using PowerShell

Release date: January 2nd 2023

Welcome to my VMware Horizon series. I have previously described how to replace the self-signed vdm certificate manually, here: VMware Horizon – Setup Certificate for the Connection Server. In this session I will describe how I did this by using a PowerShell Script from a management station instead. As this new certificate will be used with a HAProxy load balancer, I needed to add the FQDN of the loadbalancer to the SAN when requesting the new certificate. Before I started, I made myself a little workflow as show below.


  • The computer-account for the Connection-server, has to have read/enroll permissions on the certificate template
  • PowerShell Administrative access to the Connection-server

First, I created the following credential to be used in the script:

$credential = Get-Credential
$credential | Export-CliXml -Path '<path>hz_admin.xml'

Now that I had the credentials, I was good to go. (PS: I know I’m no programmer and a lot of this script have the potential for improvement, but, it gets the job done, and that’s good enough for me).


# --- Configure and start PSSession ---

$cs = "<fqdn cs server>"
$credential = Import-CliXml -Path "<path to horizon admin>hz_admin_${env:USERNAME}_${env:COMPUTERNAME}.xml"
$session = New-PSSession -ComputerName $cs -Credential $credential -Authentication CredSSP

# --- Rename Self-Signed vdm-cert, request new and rename friendly name, restart CS ---

$session = New-PSSession -ComputerName $cs -Credential $credential -Authentication CredSSP

Invoke-Command -Session $session -ScriptBlock {
    $Thumbprint = (Get-ChildItem -Path Cert:LocalMachineMy | Where-Object {$_.FriendlyName -match "vdm"}).Thumbprint
    (Get-ChildItem -Path Cert:LocalMachineMy$Thumbprint).FriendlyName = "self-signed"
    Get-Certificate -Template "<Certificate Template>" -DnsName "<fqdn cs server>","<fqdn load balancer>"  -SubjectName 'CN=<fqdn cs server>' -CertStoreLocation cert:LocalMachineMy
    $newThumbprint = (Get-ChildItem -Path Cert:LocalMachineMy | Where-Object {$_.Issuer -match "<CA Name>"}).Thumbprint;
    (Get-ChildItem -Path Cert:LocalMachineMy$newThumbprint).FriendlyName = "vdm"

   Restart-Computer -ComputerName "<fqdn cs server>"-Force

Remove-PSSession $session

VMware Official Documentation:

VMware Horizon planning, deployment etc.

Disclaimer: Every tips/tricks/posting I have published here, is tried and tested in different it-solutions. It is not guaranteed to work everywhere, but is meant as a tip for other users out there. Remember, Google is your friend and don’t be afraid to steal with pride! Feel free to comment below as needed.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: