You can ensure that all client connections to the PSG use the CA-signed certificate for the PSG instead of the default legacy certificate. This procedure is not required to configure a CA-signed certificate for the PSG. Take these steps only if it makes sense to force the use of a CA-signed certificate in your VMware Horizon deployment.
In some cases, the PSG might present the default legacy certificate instead of the CA-signed certificate to a security scanner, invalidating the compliance test on the PSG port. To resolve this issue, you can configure the PSG not to present the default legacy certificate to any device that attempts to connect.
Prerequisites
Verify that all client devices that connect to this server, including thin clients, run Horizon Client 5.2 for Windows or Horizon Client or later releases. You must upgrade the legacy clients.
Procedure
- Start the Windows Registry Editor on the Connection Server computer where the PCoIP Secure Gateway is running.
- Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Teradici\SecurityGateway registry key.
- Add a new String (REG_SZ) value, SSLCertPresentLegacyCertificate, to this registry key.
- Set the SSLCertPresentLegacyCertificate value to 0.
- Restart the VMware Horizon PCoIP Secure Gateway service to make your changes take effect.