I am a strong proponent to securing an infrastructure with customer-signed Transport Layer Security (TLS) certificates internally and only using third party certificates where absolutely necessary for external services.
For this service, I am going to build a two-tier Microsoft certificate authority (CA) using Windows Server 2022. One virtual machine will be a root authority and the other will be an intermediate CA where the certificates will actually be provisioned from. It is recommended to shut down and remove the Root CA, but I am only going to shut down (and not remove) the Root CA virtual machine in my lab.
I am going to install VMware Horizon Connection Server 2303 (current at the time of writing) on Windows Server 2022. The only modification to the hardware is toincrease the Memory to 12 GB. This will provide the connection server with ample memory for the operating system as well as the VMware Horizon Connection Server application.
Copy the file(s) to a system that has OpenSSL. If you are on a Windows machine, the easiest way to do this is to use Git for Windows (https://git-scm.com/download/win). Once installed, you can run Git Bash and will have access to OpenSSL. Linux and macOS will likely already have OpenSSL support in Terminal. If you are in a VMware environment, the ESXi hosts also have OpenSSL support.
Obtain the Certificate Password
It is highly likely the .pfx file will contain a password to protect the file. This password is required for the conversion process.
Convert PKCS12 (P12) to Privacy Enhanced Mail (PEM)
PEM files may have either a cer, crt, or pem file extension. These should be interchangeable, but some vendors are very particular about the file extension. Like anything, check the applicable documentation for recommendations.
Most vendors will require three files. Commonly I see the folllowing:
Machine certificate
Signing chain (Look at the vendor documentation for the chaining order! Some vendors require root + intermediates at the bottom and other will require the intermediates + the root at the bottom)
Private key
To get the machine certificate and signing certificates, run the following command: