The Connection Server instance that has the smart card connected cannot perform certificate revocation checking on the server's TLS certificate unless you have configured smart card certificate revocation checking.

Problem

Certificate revocation checking might fail if your organization uses a proxy server for Internet access, or if a Connection Server instance cannot reach the servers that provide revocation checking because of firewalls or other controls.

Important: Make sure the CRL file is up to date.

Cause

VMware Horizon supports certificate revocation checking with certificate revocation lists (CRLs) and with the Online Certificate Status Protocol (OCSP). A CRL is a list of revoked certificates published by the CA (Certificate Authority) that issued the certificates. OCSP is a certificate validation protocol that is used to get the revocation status of an X.509 certificate. The CA must be accessible from the Connection Server host. This issue can only occur if you configured revocation checking of smart card certificates. See Using Smart Card Certificate Revocation Checking.

Solution

  1. Create your own (manual) procedure for downloading an up-to-date CRL from the CA website you use to a path on your VMware Horizon server.
  2. Create or edit the locked.properties file in the TLS/SSL gateway configuration folder on the Connection Server host.
    For example: install_directory\VMware\VMware View\Server\SSLgateway\conf\locked.properties
  3. Add the enableRevocationChecking and crlLocation properties in the locked.properties file to the local path to where the CRL is stored.
  4. Restart the Connection Server service to make your changes take effect.