Configure Client Endpoints to Trust Root and Intermediate Certificates

If a VMware Horizon server certificate is signed by a CA that is not trusted by client computers and client computers that access Horizon Console, you can configure all Windows client systems in a domain to trust the root and intermediate certificates. To do so, you must add the public key for the root certificate to the Trusted Root Certification Authorities group policy in Active Directory and add the root certificate to the Enterprise NTAuth store.

For example, you might have to take these steps if your organization uses an internal certificate service.

You do not have to take these steps if the Windows domain controller acts as the root CA, or if your certificates are signed by a well known CA. For well known CAs, the operating system venders preinstall the root certificate on client systems.

If your server certificates are signed by a little-known intermediate CA, you must add the intermediate certificate to the Intermediate Certification Authorities group policy in Active Directory.

For client devices that use other operating systems than Windows, see the following instructions for distributing root and intermediate certificates that users can install:

For Horizon Client for Mac, see Configure Horizon Client for Mac to Trust Root and Intermediate Certificates.
For Horizon Client for iOS, see Configure Horizon Client for iOS to Trust Root and Intermediate Certificates.
For Horizon Client for Android, see documentation on the Google Web site, such as the Android User's Guide
For Horizon Client for Linux, see the Ubuntu documentation

Prerequisites

Verify that the server certificate was generated with a KeyLength value of 1024 or larger. Client endpoints will not validate a certificate on a server that was generated with a KeyLength under 1024, and the clients will fail to connect to the server.

Procedure

On your Active Directory server, use the certutil command to publish the certificate to the Enterprise NTAuth store.
For example: certutil -dspublish -f path_to_root_CA_cert NTAuthCA
On the Active Directory server, navigate to the Group Policy Management plug-in and complete the following steps:
1. Select Start > Administrative Tools > Group Policy Management.
2. Expand your domain, right-click Default Domain Policy, and click Edit.
Expand the Computer Configuration section and go to Windows Settings > Security Settings > Public Key Policies.

Import the certificate.

Option	Description
Root certificate	Right-click Trusted Root Certification Authorities and select Import. Follow the prompts in the wizard to import the root certificate (for example, rootCA.cer) and click OK.
Intermediate certificate	Right-click Intermediate Certification Authorities and select Import. Follow the prompts in the wizard to import the intermediate certificate (for example, intermediateCA.cer) and click OK.

Close the Group Policy window.

Results

All systems in the domain now have certificate information in their trusted root certificate stores and intermediate certificate stores that allows them to trust the root and intermediate certificates.