You must follow certain guidelines for configuring SSL certificates for View servers and related components.

View Connection Server and Security Server

SSL is required for client connections to a server. Client-facing View Connection Server instances, security servers, and intermediate servers that terminate SSL connections require SSL server certificates.

By default, when you install View Connection Server or security server, the installation generates a self-signed certificate for the server. However, the installation uses an existing certificate in the following cases:

  • If a valid certificate with a Friendly name of vdm already exists in the Windows Certificate Store

  • If you upgrade to View 5.1 or later from an earlier release, and a valid keystore file is configured on the Windows Server computer. The installation extracts the keys and certificates and imports them into the Windows Certificate Store.

vCenter Server and View Composer

Before you add vCenter Server and View Composer to View in a production environment, make sure that vCenter Server and View Composer use certificates that are signed by a CA.

For information about replacing the default certificate for vCenter Server, see "Replacing vCenter Server Certificates" on the VMware Technical Papers site at http://www.vmware.com/resources/techresources/.

If you install vCenter Server and View Composer on the same Windows Server host, they can use the same SSL certificate, but you must configure the certificate separately for each component.

PCoIP Secure Gateway

To comply with industry or jurisdiction security regulations, you can replace the default SSL certificate that is generated by the PCoIP Secure Gateway (PSG) service with a certificate that is signed by a CA. Configuring the PSG service to use a CA-signed certificate is highly recommended, particularly for deployments that require you to use security scanners to pass compliance testing. See Configure the PCoIP Secure Gateway to Use a New SSL Certificate.

Blast Secure Gateway

By default, the Blast Secure Gateway (BSG) uses the SSL certificate that is configured for the View Connection Server instance or security server on which the BSG is running. If you replace the default, self-signed certificate for a server with a CA-signed certificate, the BSG also uses the CA-signed certificate.

SAML 2.0 Authenticator

VMware Horizon Suite uses SAML 2.0 authenticators to provide Web-based authentication and authorization across security domains. If you want View to delegate authentication to the Horizon Suite, you can configure View to accept SAML 2.0 authenticated sessions from Horizon Suite. When Workspace is configured to support View, Workspace users can connect to remote desktops by selecting desktop icons on the Horizon User Portal.

In View Administrator, you can configure SAML 2.0 authenticators for use with View Connection Server instances.

Before you add a SAML 2.0 authenticator in View Administrator, make sure that the SAML 2.0 authenticator uses a certificate that is signed by a CA.

Additional Guidelines

For general information about requesting and using SSL certificates that are signed by a CA, see Benefits of Using SSL Certificates Signed by a CA.

When client endpoints connect to a View Connection Server instance or security server, they are presented with the server's SSL server certificate and any intermediate certificates in the trust chain. To trust the server certificate, the client systems must have installed the root certificate of the signing CA.

When View Connection Server communicates with vCenter Server and View Composer, View Connection Server is presented with SSL server certificates and intermediate certificates from these servers. To trust the vCenter Server and View Composer servers, the View Connection Server computer must have installed the root certificate of the signing CA.

Similarly, if a SAML 2.0 authenticator is configured for View Connection Server, the View Connection Server computer must have installed the root certificate of the signing CA for the SAML 2.0 server certificate.