You need to update trusted certificates before they expire to ensure continued client access to the Horizon FLEX server.
| From | To |
|---|---|
| self-signed certificate | self-signed certificate |
| self-signed certificate | root CA signed certificate |
| root CA signed certificate | root CA signed certificate |
Before a certificate expires, you can add the new certificate as a second certificate to the trusted certificates list in the Horizon FLEX Policy Server.
Adding the new certificate to the trusted certificates list enables all Horizon FLEX virtual machines to download it. When the certificate switch occurs, all of the Horizon FLEX virtual machines that received the new list of certificates can still connect to the Horizon FLEX server, and you can then remove the old trusted certificate from the certificate list.
To import, export or delete certificates in the Horizon FLEX Admin Console, click the General Systems Settings icon and select Certificates.
- Update certificates before the existing ones expire.
- The certificate imported onto the Horizon FLEX server should be the root certificate, not a leaf certificate. If you use a self-signed certificate, import the self-signed certificate directly.
- Add the new certificate from the Horizon FLEX Admin Console. Make sure that the trusted certificate list, including the old certificates and the new certificates, can be synchronized to the clients. See Configure the System Certificate Store for the Horizon FLEX Server.
Both the old and new certificates are now available in the virtual machine policy. If the Horizon FLEX server deploys both certificates, the client should continue to have access to the server.
- After the new certificate is added to the virtual machine policy, change the server from IIS Manager to bind the new certificate to the Mirage Management Web Site. For more information, see Configure the IIS SSL Server Certificate for the Horizon FLEX Server.
After the new certificate binds to the Mirage Management Web Site, the client can continue accessing the server.
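The prerequisites above (import a root or self-signed certificate rather than a leaf, and rotate before the current certificate expires) can be checked before you open the Admin Console. The following PowerShell sketch is an added example, not VMware code; the function names, the certificate file paths and the 30-day warning threshold are assumptions.

```powershell
# Added example, not VMware code. File paths and the 30-day threshold are assumptions.
function Get-CertFacts {
    param([Parameter(Mandatory)] [string] $Path)
    $file = (Resolve-Path -LiteralPath $Path).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file
    # Subject == Issuer holds for a root CA certificate and for a self-signed one;
    # a leaf or intermediate names a different issuer. Names only, no signature check.
    $subject = [Convert]::ToBase64String($cert.SubjectName.RawData)
    $issuer  = [Convert]::ToBase64String($cert.IssuerName.RawData)
    # Basic Constraints (OID 2.5.29.19) marks CA certificates.
    $bc = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotBefore  = $cert.NotBefore
        NotAfter   = $cert.NotAfter
        SelfIssued = ($subject -ceq $issuer)
        IsCA       = [bool]($bc -and $bc.CertificateAuthority)
    }
}

function Test-FlexCertRotation {
    param(
        [Parameter(Mandatory)] [string] $CurrentCertPath,  # certificate trusted today
        [Parameter(Mandatory)] [string] $NewCertPath,      # certificate to add to the list
        [int] $WarnDays = 30
    )
    $old = Get-CertFacts -Path $CurrentCertPath
    $new = Get-CertFacts -Path $NewCertPath
    $now = Get-Date
    $blockers = @(); $warnings = @()
    if (-not $new.SelfIssued)            { $blockers += 'New certificate is a leaf or intermediate; import its root CA certificate instead.' }
    if ($new.NotBefore -gt $now)         { $blockers += "New certificate is not valid until $($new.NotBefore)." }
    if ($new.NotAfter -le $old.NotAfter) { $blockers += 'New certificate does not outlive the current one.' }
    if ($old.NotAfter -le $now)          { $warnings += 'Current certificate has already expired.' }
    elseif ($old.NotAfter -lt $now.AddDays($WarnDays)) { $warnings += "Current certificate expires in under $WarnDays days." }
    [pscustomobject]@{
        CurrentExpires = $old.NotAfter
        NewThumbprint  = $new.Thumbprint
        NewIsCA        = $new.IsCA
        ReadyToImport  = ($blockers.Count -eq 0)
        Blockers       = $blockers
        Warnings       = $warnings
    }
}

# Usage (placeholder paths):
# Test-FlexCertRotation -CurrentCertPath .\old-root.cer -NewCertPath .\new-root.cer
```

Record the reported thumbprint so you can confirm that the certificate later bound in IIS Manager chains to the one you added to the trusted list.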