VMware App Volumes – Replace App Volumes Manager self-signed certificate with Domain CA signed certificate

Release date: April 24th 2021

Welcome to my VMware App Volumes series. This session will cover the basics around using a domain CA signed certificate on the App Volumes Manager server, instead of the self-signed certificate. This will ensure that the certificate is trusted by all domain joined computers and will be easier to maintain in the future.

Prerequisites for completing these tasks are:

  • Access to the domain’s CA and permissions to create/edit certificate templates
  • Administrative access to the App Volumes Manager and JMP Server
  • OpenSSL needs to be installed

The steps I have to take to complete this session are the following:

  • Prepare Template
  • Request Certificate
  • Export the Certificate to PFX
  • Extract certificate and private key from PFX file and convert PEM format
  • Configure NGINX to use the certificate and PEM-formatted key file

Prepare Template

I will use a certificate template I previously created on my CA server, named Horizon Services. When I created this, I gave the Active Directory Group «Horizon Services» the permissions Read, Write and Enroll. Therefore I will simply add the computer account for my App Volumes server to this group in ADUC. To activate this membership I reboot my App Volumes server.


Request Certificate

Once the App Volumes Server is restarted, I login and request a new certificate from my CA. First, I have to open the certificates.mmc, this can be done the “hard way” as shown below, or simply by running certlm.msc from an administrative prompt


Start Microsoft Management Console


Add Certificates Snap-in


Select Computer Account, Next…


Local computer, Next…




Request certificate from Domain CA


The Certificate Enrollment Wizard launches, Next…


I have used my domain CA, so i select Active Directory Enrollment Policy, Next…


I click the yellow “Click here to continue” on my Horizon Services template


I populate the following values in the subject information fields:

  • CN – This must be the FQDN of your Manager server, in my case: “hz-appv-01.ad.admin.frelab.net”
  • Country (C)
  • Locality (L)
  • Organization (O)
  • Organizational Unit (OU)
  • State

I also add the FQDN to DNS under Alternative Name

  • DNS – This must be the FQDN of your Manager server, in my case: “hz-appv-01.ad.admin.frelab.net”

I give the certificate a friendly name and make sure to check “Make private key exportable, OK…


Back in the Certificate Enrollment Wizard I check my Horizon Services template, Enroll…




I can now verify my certificate properties from the certificate MMC, looks excellent.

Export the Certificate to PFX

In order to use this certificate with NGINX, I first have to export this certificate to pfx-format.




Yes, export the private key, Next…


I check “Export all extended properties”, Next…


I enter a password, Next…


I specify a location and filename, Next…


Extract certificate and private key from PFX file and convert the private key to PEM format

From an administrative command prompt I run the following commands to extract the certificate and private key to PEM format. This is done from within the OpenSSL folder.

openssl pkcs12 –in c:\tmp\view-appvol01.pfx –nocerts –out c:\tmp\view-appvol01.key

openssl rsa –in c:\tmp\view-appvol01.key -outform PEM –out c:\tmp\view-appvol01-PEM.key

openssl pkcs12 –in c:\tmp\view-appvol01.pfx –clcerts –nokeys –out c:\tmp\view-appvol01.crt

This produces the following files


Configure NGINX to use the certificate and PEM-formatted key file

Before I can configure NGINX to use my new certificate and key, I need to stop the App Volumes ‘ Services.


I make a backup of nginx.conf, copy crt and key file to same folder, “C:\Program Files (x86)\CloudVolumes\Manager\nginx\conf”  (PS: It might be useful to launch explorer.exe from an administrative command prompt, in order to get permissions to access this folder)


From an administrative command prompt, I start notepad.exe and open the nginx.conf file. I comment out the original settings and append my new certificate settings. Save and exit.


Finally, I start up the App Volumes’ services again.


I can now verify certificate configuration in App Volumes Manager GUI


That concludes my session about setting up App Volumes Manager with Domain CA signed certificate.

Official VMware App Volumes Documentation

VMware App Volumes planning, deployment, upgrades etc.

Disclaimer: Every tips/tricks/posting I have published here, is tried and tested in different it-solutions. It is not guaranteed to work everywhere, but is meant as a tip for other users out there. Remember, Google is your friend and don’t be afraid to steal with pride! Feel free to comment below as needed.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: