Server certificate checking occurs for connections between Horizon Client and a server. A certificate is a digital form of identification, similar to a passport or a driver's license.
Server certificate checking includes the following checks:
- Is the certificate intended for a purpose other than verifying the identity of the sender and encrypting server communications? That is, is it the correct type of certificate?
- Has the certificate expired, or is it valid only in the future? That is, is the certificate valid according to the computer clock?
- Does the common name on the certificate match the host name of the server that sends it? A mismatch can occur if a load balancer redirects Horizon Client to a server that has a certificate that does not match the host name entered in Horizon Client. Another reason a mismatch can occur is if you enter an IP address rather than a host name in the client.
- Is the certificate signed by an unknown or untrusted certificate authority (CA)? Self-signed certificates are one type of untrusted CA. To pass this check, the certificate's chain of trust must be rooted in the device's local certificate store.
For information about distributing a self-signed root certificate that users can install on their client devices, and instructions for installing a certificate on an Android or Chromebook device, see the documentation for the device.
To set the certificate checking mode, start Horizon Client, tap the Settings (gear) icon in the upper-right corner of the Horizon Client window, tap Security options, and tap Security mode. You can select one of the following options.
- Never connect to untrusted servers. This setting means that you cannot connect to the server if any of the certificate checks fail. An error message lists the checks that failed.
- Warn before connecting to untrusted servers. This setting means that you can click Continue to ignore the warning if a certificate check fails because the server uses a self-signed certificate. For self-signed certificates, the certificate name is not required to match the server name that you entered in Horizon Client. You can also receive a warning if the certificate has expired.
- Do not verify server identity certificates. This setting means that no certificate checking occurs.
If an administrator later installs a security certificate from a trusted certificate authority and all certificate checks pass when you connect, this trusted connection is remembered for that specific server. In the future, if that server ever presents a self-signed certificate again, the connection fails. After a particular server presents a fully verifiable certificate, it must always do so.