Configure a PSG Certificate in the Windows Certificate Store

To replace the default PSG certificate with a CA-signed certificate, you must configure the certificate and its private key in the Windows local computer certificate store on the Connection Server computer on which the PSG is running.

If you intend the PSG to use a unique certificate, you must import the certificate into the Windows local computer certificate store with an exportable private key and set the appropriate Friendly name.

If you intend the PSG to use the same certificate as the server, you do not have to follow this procedure. However, in the Windows registry you must set the server name to match the server certificate subject name and set the Friendly name to vdm.

Prerequisites

Verify that the key length is at least 1024 bits.
Verify that the TLS certificate is valid. The current time on the server computer must be within the certificate start and end dates.
Verify that the certificate subject name or a subject alternate name matches the SSLCertPsgSni setting in the Windows registry. See Verify That the Server Name Matches the PSG Certificate Subject Name.
Verify that the Certificate snap-in was added to MMC. See Add the Certificate Snap-In to MMC.
Familiarize yourself with importing a certificate into the Windows certificate store. See Import a Signed Server Certificate into a Windows Certificate Store.
Familiarize yourself with modifying the certificate Friendly name. See Modify the Certificate Friendly Name.

Procedure

In the MMC window on the Windows Server host, open the Certificates (Local Computer) > Personal folder.
Import the TLS certificate that is issued to the PSG by selecting More Actions > All Tasks > Import.
Select the following settings in the Certificate Import wizard:
1. Mark this key as exportable
2. Include all extendable properties
Complete the wizard to finish importing the certificate into the Personal folder
Verify that the new certificate contains a private key by taking one of these steps:
- Verify that a yellow key appears on the certificate icon.
- Double-click the certificate and verify that the following statement appears in the Certificate Information dialog box: You have a private key that corresponds to this certificate..
Right-click the new certificate and click Properties.
On the General tab, delete the Friendly name text and type the Friendly name that you have chosen.
Make sure that you enter exactly the same name in the SSLCertWinCertFriendlyName setting in the Windows registry, as described in the next procedure.
Click Apply and click OK.

Results

The PSG presents the CA-signed certificate to client devices that connect to the server over PCoIP.

Note: This procedure does not affect legacy client devices. The PSG continues to present the default legacy certificate to legacy client devices that connect the this server over PCoIP.

What to do next

Configure the certificate Friendly name in the Windows registry.