Server certificate checking occurs for connections between Horizon Client and a server. A certificate is a digital form of identification, similar to a passport or a driver's license.

End users can configure a setting in Horizon Client to determine whether Horizon Client connections are rejected if server certificate checking fails.

You can configure the default certificate checking mode and prevent end users from changing it in Horizon Client. For more information, see Configuring the Certificate Checking Mode for End Users.

Server certificate checking includes the following checks:

  • Is the certificate intended for a purpose other than verifying the identity of the sender and encrypting server communications? That is, is it the correct type of certificate?

  • Has the certificate expired, or is it valid only in the future? That is, is the certificate valid according to the computer clock?

  • Does the common name on the certificate match the host name of the server that sends it? A mismatch can occur if a load balancer redirects Horizon Client to a server that has a certificate that does not match the host name entered in Horizon Client. Another reason a mismatch can occur is if you enter an IP address rather than a host name in the client.

  • Is the certificate signed by an unknown or untrusted certificate authority (CA)? A self-signed certificate is one example of a certificate from an untrusted CA.

    To pass this check, the certificate's chain of trust must be rooted in the device's local certificate store.

Note:

For information about distributing a self-signed root certificate that users can install on their Linux client systems, see the Ubuntu documentation.

Horizon Client uses the PEM-formatted certificates stored in the /etc/ssl/certs directory on the client system. For information about importing a root certificate stored in this location, see "Importing a Certificate into the System-Wide Certificate Authority Database" in the document at https://help.ubuntu.com/community/OpenSSL.
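The validity-period and host-name checks listed above can be reproduced when diagnosing why a connection is reported as untrusted. The following is an added example, not Horizon Client's own code: it evaluates those two checks against a certificate in the dict form returned by Python's `ssl.SSLSocket.getpeercert()`. The function names and the sample certificate are constructed for illustration, and the purpose and chain-of-trust checks are not covered here.

```python
import ipaddress
import ssl
from datetime import datetime, timezone

def cert_names(cert, kind):
    """Names of one kind ('DNS' or 'IP Address'); DNS falls back to the common name."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == kind]
    if not names and kind == "DNS":  # assumption: use the CN only when no DNS SAN exists
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names

def dns_match(pattern, host):
    """Case-insensitive compare; '*' counts only as the entire left-most label."""
    p, h = pattern.lower().split("."), host.lower().rstrip(".").split(".")
    return len(p) == len(h) and p[0] in ("*", h[0]) and p[1:] == h[1:]

def failed_checks(cert, entered_host, now=None):
    """List which validity-period and name checks fail for the host the user typed."""
    ts = (now or datetime.now(timezone.utc)).timestamp()
    failures = []
    if ts < ssl.cert_time_to_seconds(cert["notBefore"]):
        failures.append("valid only in the future")
    if ts > ssl.cert_time_to_seconds(cert["notAfter"]):
        failures.append("expired")
    try:
        ip = str(ipaddress.ip_address(entered_host))
    except ValueError:
        ip = None  # the user entered a host name, not an IP address
    if ip is not None:
        ok = ip in cert_names(cert, "IP Address")
    else:
        ok = any(dns_match(n, entered_host) for n in cert_names(cert, "DNS"))
    if not ok:
        failures.append("name mismatch")
    return failures

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "horizon.example.test"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
}

if __name__ == "__main__":
    when = datetime(2024, 6, 1, tzinfo=timezone.utc)
    for host in ("horizon.example.test", "lb.example.test", "10.0.0.5"):
        print(host, failed_checks(SAMPLE_CERT, host, when) or "passes")
```

The second and third hosts in the demo correspond to the two mismatch causes described above: a redirect to a server whose certificate carries a different name, and an IP address entered in place of the host name.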

In addition to presenting a server certificate, the server also sends a certificate thumbprint to Horizon Client. The thumbprint is a hash of the certificate public key and is used as an abbreviation of the public key. If the server does not send a thumbprint, you see a warning that the connection is untrusted.

If a Horizon administrator has allowed it, you can set the certificate checking mode. To set the certificate checking mode, start Horizon Client and select File > Preferences from the menu bar. You have three choices:

  • Never connect to untrusted servers. This setting means that you cannot connect to the server if any of the certificate checks fail. An error message lists the checks that failed.

  • Warn before connecting to untrusted servers. This setting means that you can click Continue to ignore the warning if a certificate check fails because the server uses a self-signed certificate. For self-signed certificates, the certificate name is not required to match the server name that you entered in Horizon Client.

  • Do not verify server identity certificates. This setting means that no certificate checking occurs.