To comply with industry or jurisdiction security regulations, you can replace the default TLS certificate that is generated by the PCoIP Secure Gateway (PSG) service with a certificate that is signed by a CA.

In Horizon 7, the PSG service creates a default, self-signed TLS certificate when the service starts up. The PSG service presents the self-signed certificate to clients running Horizon Client 2.0 (or Horizon Client 5.2 for Windows) or later releases that connect to the PSG.

The PSG also provides a default legacy TLS certificate that is presented to clients running older clients or earlier releases that connect to the PSG.

The default certificates provide secure connections from client endpoints to the PSG and do not require further configuration in Horizon Administrator. However, configuring the PSG service to use a CA-signed certificate is highly recommended, particularly for deployments that require you to use security scanners to pass compliance testing.

Although it is not required, you are most likely to configure new CA-signed TLS certificates for your servers before you replace the default PSG certificate with a CA-signed certificate. The procedures that follow assume that you already imported a CA-signed certificate into the Windows certificate store for the server on which the PSG is running.

Note: If you are using a security scanner for compliance testing, you might want to start by setting the PSG to use the same certificate as the server and scan the View port before the PSG port. You can resolve trust or validation issues that occur during the scan of the View port to ensure that these issues do not invalidate your test of the PSG port and certificate. Next, you can configure a unique certificate for the PSG and do another scan.