If you use a certificate from an internal CA instead of from a commercial CA such as Entrust or Go Daddy, and you do not configure the certificate into the source virtual machine being prepared, you should import the root CA certificate on each end-user host for Horizon FLEX virtual machines to function correctly.
Because the server certificate is signed by the root CA, you do not need to import the server certificate to end-user hosts.
If the list of certificates is empty in the policy file, Workstation Player and Fusion Pro will fall back to authenticating against the host's list of trusted certificates.
If you include the internal CA certificate of a source virtual machine on the Horizon FLEX Policy Server, and you configure or install the certificate for the Horizon FLEX Client (either in the source virtual machine's policy file or in the host's list of trusted certificates), you do not need to install the root CA certificate on end-user hosts when certificate updates are required, for example, when a certificate expires.
For information about configuring certificates into a source virtual machine, see Create a Source Virtual Machine in Fusion Pro or Create a Source Virtual Machine in Workstation Pro (Not included in Horizon FLEX).
For information about creating a trusted certificates list and importing it to the Horizon FLEX Policy Server, see Creating a Trusted Certificates List in a Source Virtual Machine.
For information about updating certificates, see Updating Trusted Certificates on the Horizon FLEX Server.