If a Horizon 7 server certificate is signed by a CA that is not trusted by client computers and client computers that access Horizon Administrator, you can configure all Windows client systems in a domain to trust the root and intermediate certificates. To do so, you must add the public key for the root certificate to the Trusted Root Certification Authorities group policy in Active Directory and add the root certificate to the Enterprise NTAuth store.

For example, you might have to take these steps if your organization uses an internal certificate service.

You do not have to take these steps if the Windows domain controller acts as the root CA, or if your certificates are signed by a well known CA. For well known CAs, the operating system venders preinstall the root certificate on client systems.

If your server certificates are signed by a little-known intermediate CA, you must add the intermediate certificate to the Intermediate Certification Authorities group policy in Active Directory.

For client devices that use other operating systems than Windows, see the following instructions for distributing root and intermediate certificates that users can install:

Prerequisites

Verify that the server certificate was generated with a KeyLength value of 1024 or larger. Client endpoints will not validate a certificate on a server that was generated with a KeyLength under 1024, and the clients will fail to connect to the server.

Procedure

  1. On your Active Directory server, use the certutil command to publish the certificate to the Enterprise NTAuth store.
    For example: certutil -dspublish -f path_to_root_CA_cert NTAuthCA
  2. On the Active Directory server, navigate to the Group Policy Management plug-in.
    AD Version Navigation Path
    Windows 2003
    1. Select Start > All Programs > Administrative Tools > Active Directory Users and Computers.
    2. Right-click your domain and click Properties.
    3. On the Group Policy tab, click Open to open the Group Policy Management plug-in.
    4. Right-click Default Domain Policy, and click Edit.
    Windows 2008
    1. Select Start > Administrative Tools > Group Policy Management.
    2. Expand your domain, right-click Default Domain Policy, and click Edit.
    Windows 2012R2
    1. Select Start > Administrative Tools > Group Policy Management.
    2. Expand your domain, right-click Default Domain Policy, and click Edit.
    Windows 2016
    1. Select Start > Administrative Tools > Group Policy Management.
    2. Expand your domain, right-click Default Domain Policy, and click Edit.
  3. Expand the Computer Configuration section and go to Windows Settings > Security Settings > Public Key Policies.
  4. Import the certificate.
    Option Description
    Root certificate
    1. Right-click Trusted Root Certification Authorities and select Import.
    2. Follow the prompts in the wizard to import the root certificate (for example, rootCA.cer) and click OK.
    Intermediate certificate
    1. Right-click Intermediate Certification Authorities and select Import.
    2. Follow the prompts in the wizard to import the intermediate certificate (for example, intermediateCA.cer) and click OK.
  5. Close the Group Policy window.

Results

All systems in the domain now have certificate information in their trusted root certificate stores and intermediate certificate stores that allows them to trust the root and intermediate certificates.