I want to share a deep troubleshooting on Blast Server not working after updating SSL self-signed certificate with one provided by a Trusted CA Authority.

Issue is the following explained also in the title of this thread:

https://www.screencast.com/t/5ZLLEswk4

On the security Server the blast service will result in PAUSED state, with no chance to resume or start it.

https://www.screencast.com/t/wvyJOMa8VLKh​

Security Server Event Viewer will result in an warning+error on each start/resume

Registry key AppParameters is unset for service VMBlastSG. No flags will be passed to C:\Program Files\VMware\VMware View\Server\appblastgateway\run-absg.cmd when it starts.

https://www.screencast.com/t/vSt7Ppt3G5wT

Issue is not in V3 certificate as explained in some Knowledge base.

Issue is in the certificate with key not exportable or not correctly exportable even if apparently the full chain can be exported.

When preparing the Signin Request using IIS Enrollment feature and importing the SSL, (possibly using specific SSL Providers?) the final certificate can be exported, but it seems Horizon (and not only horizon) is not correctly compliant with this process, and export-->import of the certificate (including Private key) will not work. Deleting and reimported the full chain including the Private Key did not work correctly, and website SSL will retrieve an error ( Horizon is still not involved in the process )

Using Microsoft certreq for the Signin Request the process will work and the final certiricate can be exported correctly and the private key is retrieved correctly by Horizon 7.

It's possible it's an issue related to Just some Providers for SSL certificates. In my Case it's Sectigo RSA (ComodoSSLstore).

Don't ask me the reason, but I tried multiple times, and only Microsoft Certreq is preventing from Horizon and the system to access the private key after importing the CA provided SSL certificate.