You can ensure that all client connections to the PSG use the CA-signed certificate for the PSG instead of the default legacy certificate. This procedure is not required to configure a CA-signed certificate for the PSG. Take these steps only if it makes sense to force the use of a CA-signed certificate in your Horizon 7 deployment.

In some cases, the PSG might present the default legacy certificate instead of the CA-signed certificate to a security scanner, invalidating the compliance test on the PSG port. To resolve this issue, you can configure the PSG not to present the default legacy certificate to any device that attempts to connect.

Important: Performing this procedure prevents all legacy clients from connecting to this server over PCoIP.


Verify that all client devices that connect to this server, including thin clients, run Horizon Client 5.2 for Windows or Horizon Client 2.0 or later releases. You must upgrade the legacy clients.


  1. Start the Windows Registry Editor on the Connection Server or security server computer where the PCoIP Secure Gateway is running.
  2. Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Teradici\SecurityGateway registry key.
  3. Add a new String (REG_SZ) value, SSLCertPresentLegacyCertificate, to this registry key.
  4. Set the SSLCertPresentLegacyCertificate value to 0.
  5. Restart the VMware Horizon View PCoIP Secure Gateway service to make your changes take effect.