To replace the default PSG certificate with a CA-signed certificate, you must configure the certificate and its private key in the Windows local computer certificate store on the Connection Server or security server computer on which the PSG is running.

If you intend the PSG to use a unique certificate, you must import the certificate into the Windows local computer certificate store with an exportable private key and set the appropriate Friendly name.

If you intend the PSG to use the same certificate as the server, you do not have to follow this procedure. However, in the Windows registry you must set the server name to match the server certificate subject name and set the Friendly name to vdm.



  1. In the MMC window on the Windows Server host, open the Certificates (Local Computer) > Personal folder.
  2. Import the TLS certificate that is issued to the PSG by selecting More Actions > All Tasks > Import.
    Select the following settings in the Certificate Import wizard:
    1. Mark this key as exportable
    2. Include all extendable properties

    Complete the wizard to finish importing the certificate into the Personal folder

  3. Verify that the new certificate contains a private key by taking one of these steps:
    • Verify that a yellow key appears on the certificate icon.
    • Double-click the certificate and verify that the following statement appears in the Certificate Information dialog box: You have a private key that corresponds to this certificate..
  4. Right-click the new certificate and click Properties.
  5. On the General tab, delete the Friendly name text and type the Friendly name that you have chosen.
    Make sure that you enter exactly the same name in the SSLCertWinCertFriendlyName setting in the Windows registry, as described in the next procedure.
  6. Click Apply and click OK.


The PSG presents the CA-signed certificate to client devices that connect to the server over PCoIP.
Note: This procedure does not affect legacy client devices. The PSG continues to present the default legacy certificate to legacy client devices that connect the this server over PCoIP.

What to do next

Configure the certificate Friendly name in the Windows registry.