Server certificate checking occurs for connections between Horizon Client and a server. A certificate is a digital form of identification, similar to a passport or a driver's license.

End users can configure a setting in Horizon Client to determine whether Horizon Client connections are rejected if server certificate checking fails.

Server certificate checking includes the following checks:

  • Has the certificate been revoked?

  • Is the certificate intended for a purpose other than verifying the identity of the sender and encrypting server communications? That is, is it the correct type of certificate?

  • Has the certificate expired, or is it valid only in the future? That is, is the certificate valid according to the computer clock?

  • Does the common name on the certificate match the host name of the server that sends it? A mismatch can occur if a load balancer redirects Horizon Client to a server that has a certificate that does not match the host name entered in Horizon Client. Another reason a mismatch can occur is if you enter an IP address rather than a host name in the client.

  • Is the certificate signed by an unknown or untrusted certificate authority (CA)? A self-signed certificate is one example of a certificate from an untrusted CA.

    To pass this check, the certificate's chain of trust must be rooted in the device's local certificate store.

To set the certificate checking mode, start Horizon Client, tap the Option menu in the upper-left corner of the menu bar, and expand the Certificate Checking Mode section. You have the following choices:

  • Never connect to untrusted servers. This setting means that you cannot connect to the server if any of the certificate checks fail. An error message lists the checks that failed.

  • Attempt to connect regardless of server identity certificates. This setting means that no certificate checking occurs.

Because the certificate mechanism used by Windows 10 apps is more limited than the certificate mechanism used by Windows desktop applications, the certificate check can fail even if the certificate checking mode is set to Attempt to connect regardless of server identity certificates. For example, the certificate check can fail for the following reasons:

  • The certificate signed by the root CA has been revoked.

  • The certificate signed by the intermediate CA has been revoked.

  • The certificate is valid, but the intermediate CA has been revoked.

  • The certificate in the chain contains an unknown extension that is marked "critical".
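
To see which of the checks listed in this topic a given server certificate would fail, an administrator can map the .NET chain-validation status flags onto them, including the revocation and critical-extension conditions above. The following PowerShell is an added example, not Horizon Client's own code: the function name Test-ServerCertificate, the host name horizon.example.test, the address 192.0.2.10, and the in-memory sample certificate are constructed for illustration, and the name comparison is a simplified exact match without wildcard handling.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Hypothetical helper: reports which of the documented checks a certificate fails.
function Test-ServerCertificate {
    param(
        [Parameter(Mandatory)] [X509Certificate2] $Certificate,
        [Parameter(Mandatory)] [string] $HostName,
        [X509RevocationMode] $RevocationMode = [X509RevocationMode]::Online
    )
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = $RevocationMode
    $chain.ChainPolicy.RevocationFlag = [X509RevocationFlag]::EntireChain
    # Require the server-authentication purpose (EKU OID 1.3.6.1.5.5.7.3.1).
    [void]$chain.ChainPolicy.ApplicationPolicy.Add([Oid]::new('1.3.6.1.5.5.7.3.1'))
    [void]$chain.Build($Certificate)
    $st = @($chain.ChainStatus | ForEach-Object { $_.Status })
    # First DNS subject alternative name, or the common name if there is none.
    $name = $Certificate.GetNameInfo([X509NameType]::DnsName, $false)
    $now = Get-Date
    $result = [pscustomobject]@{
        Revoked                  = $st -contains [X509ChainStatusFlags]::Revoked
        RevocationUnknown        = $st -contains [X509ChainStatusFlags]::RevocationStatusUnknown
        WrongPurpose             = $st -contains [X509ChainStatusFlags]::NotValidForUsage
        Expired                  = $now -gt $Certificate.NotAfter
        NotYetValid              = $now -lt $Certificate.NotBefore
        NameMismatch             = $name -ne $HostName   # -ne ignores case
        UntrustedIssuer          = ($st -contains [X509ChainStatusFlags]::UntrustedRoot) -or
                                   ($st -contains [X509ChainStatusFlags]::PartialChain)
        UnknownCriticalExtension = $st -contains [X509ChainStatusFlags]::HasNotSupportedCriticalExtension
    }
    $chain.Dispose()
    $result
}

# Constructed sample: an expired, self-signed certificate built in memory
# (requires .NET Framework 4.7.2 or later, or PowerShell 7).
$rsa = [RSA]::Create(2048)
$req = [CertificateRequest]::new(
    'CN=horizon.example.test', $rsa,
    [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$utc = [DateTimeOffset]::UtcNow
$cert = $req.CreateSelfSigned($utc.AddDays(-30), $utc.AddDays(-1))
# An IP address is passed as the host name, as in the mismatch case described above.
# NoCheck is used because the sample has no CRL distribution point.
Test-ServerCertificate -Certificate $cert -HostName '192.0.2.10' -RevocationMode NoCheck
```

For a real server, export its certificate to a .cer file, load it with `[X509Certificate2]::new($path)`, and leave the revocation mode at its Online default so that revoked certificates in the chain are reported.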