You need to update trusted certificates before they expire to ensure continued client access to the Horizon FLEX server.

Note: Starting with Horizon FLEX 1.10, you cannot change a Horizon FLEX server root CA signed certificate to a self-signed certificate. The Horizon FLEX Client detects that the certificate on the server changed from a root CA signed certificate to a self-signed certificate. The client then terminates the connection attempt to the server.

Horizon FLEX supports a server certificate change of the following types.

| From | To |
|---|---|
| self-signed certificate | self-signed certificate |
| self-signed certificate | root CA signed certificate |
| root CA signed certificate | root CA signed certificate |

Before a certificate expires, you can add the new certificate as a second certificate to the trusted certificates list in the Horizon FLEX Policy Server.

Adding the new certificate to the trusted certificates list enables all Horizon FLEX virtual machines to download the new certificate. Then, when the certificate switch occurs, all of the Horizon FLEX virtual machines that received the new list of certificates can connect to the Horizon FLEX server. At that point, you can remove the old trusted certificate from the certificate list.

To import, export or delete certificates in the Horizon FLEX Admin Console, click the General Systems Settings icon and select Certificates.

Caution: When updating certificates, verify that the updated certificates are valid before propagating them to the virtual machine instances using a policy update. If you install an invalid certificate on the Horizon FLEX Admin Console, virtual machines with embedded certificates inherit the invalid certificate. As a result, these virtual machines will be unable to connect to the Horizon FLEX server.

When updating certificates, follow these guidelines:
  • Update certificates before the existing ones expire.
  • The certificate imported onto the Horizon FLEX server should be the root certificate, not a leaf certificate. However, if you are importing a self-signed certificate, import the self-signed certificate directly.
  • Add the new certificate from the Horizon FLEX Admin Console. Make sure that the trusted certificate list, including the old certificates and the new certificates, can be synchronized to the clients. See Configure the System Certificate Store for the Horizon FLEX Server.

    Both the old and new certificates are now available in the virtual machine policy. If the Horizon FLEX server deploys both certificates, the client should continue to maintain access to the server.

  • After the new certificate is added to the virtual machine policy, use IIS Manager on the server to bind the new certificate to the Mirage Management Web Site. For more information, see Configure the IIS SSL Server Certificate for the Horizon FLEX Server.

    After the new certificate binds to the Mirage Management Web Site, the client can continue accessing the server.
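
The Caution and the guidelines above can be checked before anything is imported or bound. The following PowerShell function is an added example, not part of the VMware documentation or product: it checks the validity window, the supported change types from the table, and that the certificate to be imported is the root (or the self-signed certificate itself). The function name, its parameters, the 30-day margin and the Subject-equals-Issuer heuristic are assumptions.

```powershell
# Added example, not VMware code. Inputs are .cer files you exported yourself.
function Test-FlexCertificateSwitch {
    param(
        [Parameter(Mandatory=$true)][string]$OldServerCert,   # certificate bound in IIS today
        [Parameter(Mandatory=$true)][string]$NewServerCert,   # certificate you plan to bind
        [Parameter(Mandatory=$true)][string]$NewTrustedCert,  # certificate you plan to import as trusted
        [int]$MinDaysLeft = 30                                # assumed safety margin
    )
    $ns   = 'System.Security.Cryptography.X509Certificates'
    $load = { param($p) New-Object "$ns.X509Certificate2" -ArgumentList (Resolve-Path $p).Path }
    # Heuristic (assumption): Subject equal to Issuer means self-signed or a root.
    $self = { param($c) $c.Subject -eq $c.Issuer }
    $old = & $load $OldServerCert; $new = & $load $NewServerCert; $trusted = & $load $NewTrustedCert
    $problems = @()

    # Validity window of everything that will be propagated or bound.
    foreach ($c in $new, $trusted) {
        if ($c.NotBefore -gt (Get-Date)) { $problems += "$($c.Subject): not valid before $($c.NotBefore)" }
        if ($c.NotAfter -lt (Get-Date).AddDays($MinDaysLeft)) { $problems += "$($c.Subject): expires $($c.NotAfter)" }
    }

    # Supported changes per the table: only root CA signed -> self-signed is refused.
    if ((-not (& $self $old)) -and (& $self $new)) {
        $problems += 'root CA signed -> self-signed is not a supported change'
    }

    if (& $self $new) {
        # Self-signed: the server certificate itself is what gets imported.
        if ($trusted.Thumbprint -ne $new.Thumbprint) { $problems += 'trusted certificate is not the new self-signed server certificate' }
    } else {
        # CA signed: the imported certificate must be the root the server certificate chains to.
        $chain = New-Object "$ns.X509Chain"
        $chain.ChainPolicy.RevocationMode    = 'NoCheck'
        $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
        [void]$chain.ChainPolicy.ExtraStore.Add($trusted)
        [void]$chain.Build($new)
        $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        if ($top.Thumbprint -ne $trusted.Thumbprint) { $problems += 'trusted certificate is not the root of the new server certificate chain' }
    }
    $problems   # empty output means no problem was found
}
```

Run it with the three exported certificate files and proceed with the import and the IIS binding only when it returns nothing. Intermediate certificates must be available on the machine (or in its certificate stores) for the chain check to reach the root.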