You can use various types of TLS/SSL certificates with Access Point. Selecting the correct certificate type for your deployment is crucial. Different certificate types vary in cost, depending on the number of servers on which they can be used.
Follow VMware security recommendations by using fully qualified domain names (FQDNs) for your certificates, no matter which type you select. Do not use a simple server name or IP address, even for communications within your internal domain.
Single Server Name Certificate
You can generate a certificate with a subject name for a specific server. For example: dept.example.com.
This type of certificate is useful if, for example, only one Access Point appliance needs a certificate.
When you submit a certificate signing request (CSR) to a CA, you provide the server name that will be associated with the certificate. Be sure that the server name you provide resolves to the Access Point appliance, so that the name clients connect to matches the name in the certificate.
Subject Alternative Names
A Subject Alternative Name (SAN) is an attribute that can be added to a certificate when it is issued. You use this attribute to add further subject names (host names) to a certificate so that it is valid for more than one server.
For example, three certificates might be issued for the Access Point appliances behind a load balancer: ap1.example.com, ap2.example.com, and ap3.example.com. By adding to each certificate a Subject Alternative Name for the load balancer host name, horizon.example.com in this example, each certificate remains valid no matter which appliance the load balancer selects, because it matches the host name the client specified.
Wildcard Certificate
A wildcard certificate is generated so that it can be used for multiple services. For example: *.example.com.
A wildcard is useful if many servers need a certificate. If other applications in your environment in addition to Access Point appliances need TLS/SSL certificates, you can use a wildcard certificate for those servers, too. However, if you use a wildcard certificate that is shared with other services, the security of the VMware Horizon product also depends on the security of those other services.
You can use a wildcard certificate only on a single level of domain. For example, a wildcard certificate with the subject name *.example.com can be used for the subdomain dept.example.com but not dept.it.example.com.
Certificates that you import into the Access Point appliance must be trusted by client machines and must also be applicable to all instances of Access Point and any load balancer, either by using wildcards or by using Subject Alternative Name (SAN) certificates.
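The matching rules described above (a SAN covering the load balancer name, and a wildcard covering only a single domain level) can be checked before deployment. The following is an added example, not code from the VMware documentation: a simplified host-name matcher that takes a constructed list of the names clients will use (each appliance and the load balancer) and reports which ones a given certificate does not cover.

```python
# Added example (not from the VMware documentation): a simplified host-name
# matcher that applies the rules described in the text to a certificate's names.
from dataclasses import dataclass, field


@dataclass
class CertNames:
    """Names a certificate is valid for: the subject CN plus any SANs."""
    subject_cn: str
    sans: list[str] = field(default_factory=list)

    def all_names(self) -> list[str]:
        return [self.subject_cn, *self.sans]


def name_matches(pattern: str, hostname: str) -> bool:
    """True if a certificate name (possibly a single-label wildcard) matches hostname.

    Follows the single-level wildcard rule from the text: '*.example.com' covers
    'dept.example.com' but not 'dept.it.example.com', nor 'example.com' itself.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    labels = pattern.split(".")
    # Only the entire leftmost label may be a wildcard (no 'ap*.example.com',
    # no '*.*.example.com'), and at least two fixed labels must follow it so
    # that a pattern such as '*.com' is never accepted.
    if labels[0] != "*" or any("*" in lbl for lbl in labels[1:]) or len(labels) < 3:
        return False
    host_labels = hostname.split(".")
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def cert_covers(cert: CertNames, hostname: str) -> bool:
    return any(name_matches(n, hostname) for n in cert.all_names())


def uncovered_hosts(cert: CertNames, hostnames: list[str]) -> list[str]:
    """Host names from the deployment that this certificate does not cover."""
    return [h for h in hostnames if not cert_covers(cert, h)]


if __name__ == "__main__":
    # Constructed deployment from the text: appliances behind a load balancer.
    san_cert = CertNames("ap1.example.com", ["ap1.example.com", "horizon.example.com"])
    print(uncovered_hosts(san_cert, ["ap1.example.com", "horizon.example.com"]))  # []
    wildcard = CertNames("*.example.com")
    print(uncovered_hosts(wildcard, ["dept.example.com", "dept.it.example.com"]))  # ['dept.it.example.com']
```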