To comply with industry or security regulations, you can replace the default TLS certificates that the HTML Access Agent generates with certificates that a Certificate Authority (CA) signs.

When you install the HTML Access Agent on remote desktops, the HTML Access Agent service creates default self-signed certificates. The service presents the default certificates to browsers that use Horizon Client for Chrome.

Note: In the guest operating system on the desktop virtual machine, this service is called the VMware Blast service.

To replace the default certificates with signed certificates that you obtain from a CA, you must import a certificate into the Windows local computer certificate store on each remote desktop. You must also set a registry value that allows the HTML Access Agent to use the new certificate.

If you replace the default HTML Access Agent certificates with CA-signed certificates, configure a unique certificate on each remote desktop. Do not configure a CA-signed certificate on a parent virtual machine or template that you use to create a desktop pool. That approach results in hundreds or thousands of remote desktops that have identical certificates.
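One way to check a pool for the cloned-certificate condition described above is to group the certificates the desktops present by fingerprint. This is an added example, not VMware code; the host names and certificate bytes are constructed, and the port is whatever the Blast service listens on in your deployment.

```python
import hashlib
import socket
import ssl
from collections import defaultdict


def fetch_der(host, port, timeout=5.0):
    """Return the DER-encoded leaf certificate that host:port presents."""
    ctx = ssl.create_default_context()
    # Inventory only: accept any certificate so default self-signed ones are read too.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def collect(hosts, port, fetch=fetch_der):
    """Fetch each desktop's certificate; unreachable desktops go to `errors`."""
    certs, errors = {}, {}
    for host in hosts:
        try:
            certs[host] = fetch(host, port)
        except (OSError, ssl.SSLError) as exc:
            errors[host] = str(exc)
    return certs, errors


def find_shared_certificates(certs_by_host):
    """Map SHA-256 fingerprint -> desktops, for certificates on more than one desktop."""
    by_fp = defaultdict(list)
    for host, der in certs_by_host.items():
        by_fp[hashlib.sha256(der).hexdigest()].append(host)
    return {fp: sorted(h) for fp, h in by_fp.items() if len(h) > 1}


# Constructed stand-ins for DER bytes; a real run uses collect(hosts, port).
SAMPLE = {
    "desktop-01.example.test": b"constructed-cert-cloned-from-template",
    "desktop-02.example.test": b"constructed-cert-cloned-from-template",
    "desktop-03.example.test": b"constructed-cert-unique",
}

if __name__ == "__main__":
    for fp, hosts in find_shared_certificates(SAMPLE).items():
        print(f"certificate {fp[:16]}... is shared by: {', '.join(hosts)}")
```

Any fingerprint the function returns identifies a certificate, and therefore a private key, that exists on more than one desktop.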