Each Connection Server instance performs certificate revocation checking on its own certificate and on those of the security servers paired to it. Each instance also checks the certificates of vCenter and View Composer servers whenever it establishes a connection to them. By default, all certificates in the chain are checked except the root certificate. You can, however, change this default.
If a SAML 2.0 authenticator is configured for use by a Connection Server instance, Connection Server also performs certificate revocation checking on the SAML 2.0 server certificate.
Horizon 7 supports various means of certificate revocation checking, such as certificate revocation lists (CRLs) and the Online Certificate Status Protocol (OCSP). A CRL is a list of revoked certificates published by the CA that issued the certificates. OCSP is a certificate validation protocol that is used to get the revocation status of an X.509 certificate.
With CRLs, the list of revoked certificates is downloaded from a certificate distribution point (DP) that is often specified in the certificate. The server periodically goes to the CRL DP URL specified in the certificate, downloads the list, and checks it to determine whether the server certificate has been revoked. With OCSP, the server sends a request to an OCSP responder to determine the revocation status of the certificate.
When you obtain a server certificate from a third-party certificate authority (CA), the certificate includes one or more means by which its revocation status can be determined, for example a CRL DP URL or the URL of an OCSP responder. If you have your own CA and generate a certificate but do not include revocation information in the certificate, the certificate revocation check fails. For such a certificate, the revocation information could be, for example, the URL of a web-based CRL DP on a server where you host the CRL.
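Before enabling revocation checking against your own CA's certificates, it helps to confirm what revocation information a certificate actually carries. The following PowerShell function is an added example, not part of the Horizon documentation or product: it loads a certificate file and prints the CRL Distribution Points extension (OID 2.5.29.31) and the Authority Information Access extension (OID 1.3.6.1.5.5.7.1.1, which is where an OCSP responder URL is published). The file path is a placeholder; the function works with any DER or Base64 .cer file.

```powershell
# Added example (not from the Horizon documentation): list the revocation
# information embedded in a certificate so you can see whether a CRL DP URL
# or an OCSP responder URL is present before you turn on revocation checking.
function Get-CertRevocationInfo {
    param([Parameter(Mandatory)][string]$Path)

    $fullPath = (Resolve-Path $Path).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $fullPath

    # 2.5.29.31          = CRL Distribution Points (where the CRL is downloaded from)
    # 1.3.6.1.5.5.7.1.1  = Authority Information Access (carries the OCSP responder URL)
    $crlDp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    $aia   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' }

    [pscustomobject]@{
        Subject               = $cert.Subject
        Issuer                = $cert.Issuer
        NotAfter              = $cert.NotAfter
        # Format($true) renders the extension in the multi-line form certutil uses
        CrlDistributionPoints = if ($crlDp) { $crlDp.Format($true) } else { $null }
        AuthorityInfoAccess   = if ($aia)   { $aia.Format($true) }   else { $null }
    }
}

# Placeholder path: point this at the Connection Server, security server,
# vCenter, View Composer or SAML 2.0 server certificate you want to inspect.
$info = Get-CertRevocationInfo -Path 'C:\certs\server-to-inspect.cer'
$info | Format-List

if (-not $info.CrlDistributionPoints -and -not $info.AuthorityInfoAccess) {
    Write-Warning 'This certificate carries no CRL DP or OCSP URL, so a revocation check on it will fail.'
}
```

Run it once per certificate in the chain: the default Horizon behaviour checks every certificate except the root, so an intermediate CA certificate without revocation information causes the same failure as a server certificate without it.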
If you have your own CA but do not or cannot include certificate revocation information in your certificate, you can choose not to check certificates for revocation or to check only certain certificates in a chain. On the server, with the Windows Registry Editor, you can create the string (REG_SZ) value CertificateRevocationCheckType, under HKLM\Software\VMware, Inc.\VMware VDM\Security, and set this value to one of the following data values.
| Value | Description |
|---|---|
| 1 | Do not perform certificate revocation checking. |
| 2 | Check only the server certificate. Do not check any other certificates in the chain. |
| 3 | Check all certificates in the chain. |
| 4 | (Default) Check all certificates except the root certificate. |
If this registry value is not set, or if the value set is not valid (that is, if the value is not 1, 2, 3, or 4), all certificates are checked except the root certificate. Set this registry value on each server on which you intend to modify revocation checking. You do not have to restart the system after you set this value.
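The registry change above can be scripted so that it is applied consistently on every server where you intend to modify revocation checking. The following PowerShell is an added example, not VMware's own tooling: it writes CertificateRevocationCheckType as a REG_SZ string under the documented key, reads it back, and reports the effective setting using the documented rule that an unset or invalid value behaves like 4. The key path and value name are the ones given in this documentation; the $Meaning table restates the documented values. Run it from an elevated prompt on the Connection Server itself.

```powershell
# Added example (not from the Horizon documentation): set and verify
# CertificateRevocationCheckType on a Connection Server.
$KeyPath   = 'HKLM:\Software\VMware, Inc.\VMware VDM\Security'   # documented key
$ValueName = 'CertificateRevocationCheckType'                     # documented value name

# Documented meanings of the four accepted data values.
$Meaning = @{
    '1' = 'Do not perform certificate revocation checking'
    '2' = 'Check only the server certificate'
    '3' = 'Check all certificates in the chain'
    '4' = 'Check all certificates except the root certificate (default)'
}

function Set-RevocationCheckType {
    param([Parameter(Mandatory)][ValidateSet('1','2','3','4')][string]$Type)

    if (-not (Test-Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    # The documentation specifies a string (REG_SZ) value, hence -PropertyType String.
    New-ItemProperty -Path $KeyPath -Name $ValueName -Value $Type -PropertyType String -Force | Out-Null
}

function Get-RevocationCheckType {
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    $raw  = if ($item) { [string]$item.$ValueName } else { $null }

    # Documented behaviour: unset, or anything other than 1-4, is treated as 4.
    $effective = if ($raw -and $Meaning.ContainsKey($raw)) { $raw } else { '4' }

    [pscustomobject]@{
        Raw       = $raw
        Effective = $effective
        Meaning   = $Meaning[$effective]
    }
}

# Example: restrict checking to the server certificate only, then confirm.
# No restart is required after the value is set.
Set-RevocationCheckType -Type '2'
Get-RevocationCheckType
```

Get-RevocationCheckType is also useful on its own as a quick audit: a Raw of $null with an Effective of 4 tells you the server is still on the default, and a Raw that is not 1 through 4 tells you a typo is silently being ignored.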