VMware strongly recommends that you configure TLS certificates that are signed by a valid Certificate Authority (CA) for use by Horizon Connection Server instances, security servers, and View Composer instances.

Default TLS certificates are generated when you install Connection Server, security server, or View Composer instances. Although you can use the default, self-signed certificates for testing purposes, replace them as soon as possible. The default certificates are not signed by a CA. Use of certificates that are not signed by a CA can allow untrusted parties to intercept traffic by masquerading as your server.

In a Horizon 7 environment, you should also replace the default certificate that is installed with vCenter Server with a certificate that is signed by a CA. You can use openTLS to perform this task for vCenter Server. For details, see "Replacing vCenter Server Certificates" on the VMware Technical Papers site at http://www.vmware.com/resources/techresources/.