When you add vCenter Server instances to VMware Horizon, you must ensure that the TLS certificates that are used for vCenter Server are valid and trusted by Connection Server. If the default certificates that are installed with vCenter Server are still in place, you must determine whether to accept these certificates' thumbprints.
If a vCenter Server is configured with a certificate that is signed by a CA, and the root certificate is trusted by Connection Server, you do not have to accept the certificate thumbprint. No action is required.
If you replace a default certificate with a certificate that is signed by a CA, but Connection Server does not trust the root certificate, you must determine whether to accept the certificate thumbprint. A thumbprint is a cryptographic hash of a certificate. The thumbprint is used to quickly determine if a presented certificate is the same as another certificate, such as the certificate that was accepted previously.
For details about configuring TLS certificates, see "Configuring TLS Certificates for VMware Horizon Servers" in the Horizon 7 Installation document.
You first add vCenter Server in Horizon Console by using the Add vCenter Server wizard. If a certificate is untrusted and you do not accept the thumbprint, you cannot add vCenter Server.
After these servers are added, you can reconfigure them in the Edit vCenter Server dialog box.
On the Horizon Console dashboard, the vCenter Server icon turns red and an Invalid Certificate Detected dialog box appears. In Horizon Console, click and select the vCenter Server. Then, click Edit in the vCenter Server settings and follow the prompts to verify the and accept the self-signed certificate.
Similarly, in Horizon Console you can configure a SAML authenticator for use by a Connection Server instance. If the SAML server certificate is not trusted by Connection Server, you must determine whether to accept the certificate thumbprint. If you do not accept the thumbprint, you cannot configure the SAML authenticator in VMware Horizon. After a SAML authenticator is configured, you can reconfigure it in the Edit Connection Server dialog box.