VMware makes it very easy to generate all the CSR files needed to request the certificates for all the appliances in your deployment. The premise is to use a single certificate for each bundle of services using the VIP as the Common Name of the cert and each node behind the VIP as Subject Alternative Names (SANs) on the cert.

You only need one certificate for each service group except the Connection Servers
[Each AppVolumes Server ALSO requires a separate SSL Certificate to connect to the AppVolumes DB]

Start by downloading the CertGen tool from VMware. I have created a csv file that you can edit with your information to run the script here.

After replacing the information with your data save the csv file locally and open PowerShell as an Administrator.


Select V. Validate Environment Before Running

Don’t proceed until all there are no errors. If you are running the CerGen tool on linux, you might get an OpenSSL version error. Just verify OpenSSL is available on your system before proceeding.

Press any key to return to the main menu.

Select 3. Create CSRs for manual certificate requests.

You will be prompted to select a csv file that contains your environment’s info.

There are default cert properties preloaded in the script, enter the values that pertain to your CA.

The script will run and you should see a bunch of green line scroll by…

Press any key to continue and it will take you back to the main screen. You can now press Q to quit the script.

Browse to the folder you ran the script from and you should see an new set of folders- select the one called CSR

Inside the CSR folder there is a folder for each of the certificates you will need to generate.

Inside of each folder you will see a number of files…


The CSR file contains the data you need to request your certificate. You can open the file in Notepad or any other Text editor to copy the text into the CA CSR blank.

It’s a good idea to save the whole CSR folder off to network or someplace you can retrieve them if needed. Once your requested certificate is returned to you it’s good practice to place that certificate in the appropriate CSR folder with the rest of the files associated with that cert.

Be sure NOT to lose the KEY file. You will need this file to make the necessary PFX files used to install Horizon, AppVols, and NSX-T.

To make the PFX file, run the following:

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt

Don’t lose/forget your password