You can determine whether client connections are rejected if any or some server certificate checks fail by configuring a setting in Horizon Client.

Certificate checking occurs for SSL connections between the server and Horizon Client. Certificate verification includes the following checks:

  • Is the certificate intended for a purpose other than verifying the identity of the sender and encrypting server communications? That is, is it the correct type of certificate?

  • Has the certificate expired, or is it valid only in the future? That is, is the certificate valid according to the computer clock?

  • Does the common name on the certificate match the host name of the server that sends it? A mismatch can occur if a load balancer redirects Horizon Client to a server that has a certificate that does not match the host name entered in Horizon Client. Another reason a mismatch can occur is if you enter an IP address rather than a host name in the client.

  • Is the certificate signed by an unknown or untrusted certificate authority (CA)? Self-signed certificates are one type of untrusted CA.

    To pass this check, the certificate's chain of trust must be rooted in the device's local certificate store.


For information about distributing a self-signed root certificate that users can install on their Chrome OS devices, as well as instructions for installing a certificate on a Chrome OS device, see the documentation on the Google Web site.

To set the certificate checking mode, start Horizon Client and tap the Settings (gear) icon in the upper-right corner of the Horizon Client window, tap Security options, and tap Security mode. You have three choices:

  • Never connect to untrusted servers. If any of the certificate checks fails, the client cannot connect to the server. An error message lists the checks that failed.

  • Warn before connecting to untrusted servers. If a certificate check fails because the server uses a self-signed certificate, you can click Continue to ignore the warning. For self-signed certificates, the certificate name is not required to match the server name you entered in Horizon Client.

  • Do not verify server identity certificates. This setting means that no certificate checking occurs.

If the certificate checking mode is set to Warn, you can still connect to a server that uses a self-signed certificate.

If an administrator later installs a security certificate from a trusted certificate authority, so that all certificate checks pass when you connect, this trusted connection is remembered for that specific server. In the future, if that server ever presents a self-signed certificate again, the connection fails. After a particular server presents a fully verifiable certificate, it must always do so.