
It has come down from on high that all self-signed certificates must go away. I will need to replace the Horizon agent certificates with those generated by our CA server. What requirements must be met for the Horizon agents? I would love an all-in-one cert, but a separate Blast cert is fine. Also, would a single Blast certificate do the trick, or should I generate a new cert for each desktop, or can I stick one on a golden image? I have a pool for instant clones and a pool of static machines.

The CA team has asked for a list of requirements to create a template. What is needed: Server Authentication, Client Authentication, Key Encipherment, etc.?


  • Employee

Hello,

Yes, you can use a single certificate for Blast. You can use a wildcard certificate and, in the View Agent master image, navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\VMware Inc.\VMware Blast\Config registry key.

Modify the "SslHash" value and paste the wildcard certificate thumbprint into it.

Give Preference to DNS Names When Horizon Connection Server Returns IP Address Information. 



For template requirements refer to: Generating a certificate template and generating/renewing certificate for Horizon connection server (80314) (omnissa.com)
NOTE: The cryptographic provider must be "Microsoft RSA SChannel Cryptographic Provider". A "Microsoft Software Key Storage Provider" certificate cannot be used.

If you want to check any more details for the Blast certificate, you can run the following command in the master image.

Set-Location Cert:\LocalMachine\My\
Get-ChildItem -Recurse | Where-Object Subject -EQ 'CN=Blast' | select -Property *
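
One way to confirm on the golden image that the thumbprint stored in SslHash resolves to a certificate with a private key held by the provider named in the note above. This is an added example, not part of the original reply and not vendor code; the variable names and the ConvertTo-NormalizedThumbprint helper are assumptions, and the registry path is copied exactly as the reply wrote it.

```powershell
# Added example. Run in an elevated Windows PowerShell session on the master image.
# Registry path as written in the reply above; adjust it if your build differs.
$BlastConfigKey   = 'HKLM:\SOFTWARE\VMware Inc.\VMware Blast\Config'
$RequiredProvider = 'Microsoft RSA SChannel Cryptographic Provider'

function ConvertTo-NormalizedThumbprint([string]$Value) {
    # Thumbprints copied from a certificate dialog often carry spaces or an
    # invisible leading character; keep only the hex digits.
    ($Value -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

# 1. Read the thumbprint Blast is configured to use.
$configured = (Get-ItemProperty -Path $BlastConfigKey -Name SslHash -ErrorAction Stop).SslHash
$thumbprint = ConvertTo-NormalizedThumbprint $configured

# 2. The certificate must be in the machine's personal store.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert) {
    throw "SslHash '$thumbprint' has no matching certificate in Cert:\LocalMachine\My"
}

# 3. certutil prints the key's provider on a 'Provider = <name>' line.
$match = certutil.exe -store My $thumbprint |
    Select-String -Pattern '^\s*Provider\s*=\s*(.+)$' |
    Select-Object -First 1
$provider = if ($match) { $match.Matches[0].Groups[1].Value.Trim() } else { $null }

# 4. Summarise what the CA team and the image owner need to see.
[pscustomobject]@{
    Thumbprint       = $cert.Thumbprint
    Subject          = $cert.Subject
    DnsNames         = $cert.DnsNameList.Unicode -join ', '
    NotAfter         = $cert.NotAfter
    Expired          = ($cert.NotAfter -lt (Get-Date))
    HasPrivateKey    = $cert.HasPrivateKey
    Provider         = $provider
    ProviderOk       = ($provider -eq $RequiredProvider)
    SslHashIsClean   = ($configured -eq $thumbprint)   # False: stored value has stray characters or case
    EnhancedKeyUsage = $cert.EnhancedKeyUsageList.FriendlyName -join ', '
}
```

A ProviderOk of False with a provider of "Microsoft Software Key Storage Provider" means the certificate was issued from a template using the provider the note above rules out, so the template needs changing rather than the image.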
