You can use various types of TLS/SSL certificates with Unified Access Gateway. Selecting the correct certificate type for your deployment is crucial. Different certificate types vary in cost, depending on the number of servers on which they can be used.

Follow VMware security recommendations by using fully qualified domain names (FQDNs) for your certificates, no matter which type you select. Do not use a simple server name or IP address, even for communications within your internal domain.

Single-Server Name Certificate

You can generate a certificate with a subject name for a specific server. For example: dept.example.com.

This type of certificate is useful if, for example, only one Unified Access Gateway appliance needs a certificate.

When you submit a certificate signing request to a CA, provide the server name to associate with the certificate. Be sure that the Unified Access Gateway appliance can resolve the server name you provide so that it matches the name associated with the certificate.

Subject Alternative Names

A Subject Alternative Name (SAN) is an attribute that can be added to a certificate when it is being issued. You use this attribute to add subject names (URLs) to a certificate so that it can validate more than one server.

For example, three certificates might be issued for the Unified Access Gateway appliances that are behind a load balancer: ap1.example.com, ap2.example.com, and ap3.example.com. By adding a Subject Alternative Name that represents the load balancer host name, such as horizon.example.com in this example, the certificate is valid because it matches the host name specified by the client.

When you submit a certificate signing request to a CA, provide the external interface load balancer virtual IP address (VIP) as the common name and the SAN name. Be sure that the Unified Access Gateway appliance can resolve the server name you provide so that it matches the name associated with the certificate.

The certificate is used on port 443.

Wildcard Certificate

A wildcard certificate is generated so that it can be used for multiple services. For example: *.example.com.

A wildcard is useful if many servers need a certificate. If other applications in your environment in addition to Unified Access Gateway appliances need TLS/SSL certificates, you can use a wildcard certificate for those servers, too. However, if you use a wildcard certificate that is shared with other services, the security of the VMware Horizon product also depends on the security of those other services.

Note:

You can use a wildcard certificate only on a single level of domain. For example, a wildcard certificate with the subject name *.example.com can be used for the subdomain dept.example.com but not dept.it.example.com.

Certificates that you import into the Unified Access Gateway appliance must be trusted by client machines and must also be applicable to all instances of Unified Access Gateway and any load balancer, either by using wildcards or by using Subject Alternative Name (SAN) certificates.